The policy claims to be designed for the protection of the PFI of
members and employees; saying "resident" is confusing to the point
of being harmful, actually. I'm glad you agree it should be
replaced. Also, the use of SS number or other US-centric elements
excludes non-US members from the intended protective umbrella -- but
if OASIS does not record any PFI on members, then the word members
should not appear in the first paragraph. To make the whole thing
less US-centric the data elements could be specified as "(a) local,
statal, provincial, national and/or regional identification numbers
or codes or (b) [copy and paste here what (c) in the original says]".

My whole point in all this is that this policy should be as
internally consistent as possible, that's all. If the reality is
that half of it refers to situations that will never arise, then
that half should be deleted. If compliance with local laws prevents
that half from being deleted then make it congruent with the
organization.
On 12/09/2010 12:58 PM, Scott McGrath wrote:
copying board-comment list and replying to Eduardo's
message--which is not being forwarded to board-agenda...
I agree with replacing "resident" with "person or individual". I
understand that you see that as helpful, I see it as harmless.
It is worth noting that the original language used was based on
the need to comply with Massachusetts state law. (thus the word
"resident") Operating in MA means we must comply with MA law.
This policy didn't attempt to address all potential issues
globally-- it seems very murky how any other foreign local
regulations would impact us, or if we could ever find all the
words necessary to be in compliance with all jurisdictions.
Lastly, it might be worth considering if we are exposed to PFI
from non-US residents. As a matter of practice the only situations
that allow us to capture the data types typically defined as
Personal Financial Information is for employees-- we do not record
any PFI on members. We only employ folks in the US. People who
look like employees outside the US are actually contractors, who
are not required to provide any Personal Financial Information.
We do capture enough bank account information necessary for us to
wire payments -- but we believe most/all use a business shell or
business account, therefore exempting themselves from any PFI
considerations.
The definition of Personal Information seems to be limited to
persons residing in the United States, thus excluding both
some employees and many members of OASIS -- which according
to the "Objective" section should be covered by it. Also it
would appear that the word "resident" in the first sentence
of the Personal Information section is inappropriate in this
context and should be replaced by "person" or "individual".
On 12/08/2010 12:44 PM, Jim Hughes (LCA) wrote:
Posting the new Information Security Program/Policy for approval at next week's board meeting - agenda item 6.
Jim