Page 15 - Privacy_Program

        All Employees with      DP101.19    Investigation of Alleged Privacy Violations
        Access to PRPI
                                            The Director of Information Technology, Privacy and Data Security will
                                            investigate (and document the investigation of) alleged privacy violations. Asset
                                            Protection and the Privacy and Data Security Officer will coordinate
                                            investigations involving facilities or assets, and Asset Protection will involve law
                                            enforcement where appropriate. The Director of Information Technology,
                                            Privacy and Data Security will inform the Chief Services and Programs Officer
                                            and CFO, and Asset Protection will inform the Director of Sales immediately of
                                            investigations that have been initiated and will provide updates as requested.
                                            All reports of alleged violations will be examined impartially without prejudice
                                            and without malice toward the reporting party regardless of the status of the
                                            person accused. Information provided will be released only on a need-to-know
                                            basis.

                                            After an investigation of the allegations, a determination will be made and
                                            a recommended action will be submitted by the Director of Information Technology,
                                            Privacy and Data Security to the Chief Services and Programs Officer and the
                                            Director of Finance, who will in turn report back to the Exec Team as needed.
                                            The CFO will determine if insurance needs to be contacted as well. All
                                            determinations of recommended actions will be made on an individual basis
                                            according to DP281.C – NON‐MEDICAL BREACH NOTIFICATION PLAN –
                                            Procedures related to electronic PRPI, and DP281.B – HIPAA/HITECH BREACH
                                            NOTIFICATION PLAN – Procedures for all PHI.


        All Employees with      DP101.20    Employee Sanctions for Privacy Violations
        Access to PRPI
                                            The organization (the employee’s manager in conjunction with the Director of
                                            Information Technology, Privacy and Data Security and Human Resources if
                                            consequences include more than counseling the offending employee and with
                                            Legal if the consequences include sanctions 4 or 5 below) will apply any
                                            consequences or a combination of consequences to eliminate any unlawful
                                            conduct and remedy the impact of any violation. These could include:
                                                1.  Counseling the offending employee.
                                                2.  Transferring the employee to another position.
                                                3.  Placing the employee on probation, with a warning of suspension or
                                                   discharge for continuing or recurring offenses.
                                                4.  Suspending the employee with or without pay.
                                                5.  Discharging the employee.

                                            The Director of Information Technology, Privacy and Data Security will not
                                            take action other than counseling the offending employee without discussing
                                            the matter with the employee’s Manager, Human Resources and Legal as
                                            appropriate.
















         GES CONFIDENTIAL                                                                                    15