5320.2 RESPONSIBILITY OF OWNERS OF INFORMATION
(Revised 12/08)
The responsibilities of an agency unit that is the designated owner of records (paper or electronic, including automated files, or databases) consist of:
- Eliminating the unnecessary collection, use and maintenance of personal information in agency records.
- Providing proper notice with the collection of personal information, as required by Civil Code Section 1798.17.
- Classifying each record, file, or database for which it has ownership responsibility in accordance with the need for precautions in controlling access to and preserving the security and integrity of the record, file, or data base.
- Defining precautions for controlling access to and preserving the security and integrity of records, files, and data bases that have been classified as requiring such precautions.
- Authorizing access to the information in accordance with the classification of the information and the need for access to the information.
- Monitoring and ensuring compliance with all applicable laws, and agency and state security policies and procedures affecting the information.
- Identifying for each record, file or data base the level of acceptable risk.
- Reporting security incidents and filing Information Security Incident Reports with the Office of Information Security and Privacy Protection (Office). See SAM Section 5360.
- Submitting a breach notification to the Office for review and approval prior to its dissemination or release to any individuals.
- Monitoring and ensuring authorized users and custodians are aware of and comply with these responsibilities.
The ownership responsibilities must be performed throughout the life cycle of the record, file, or database, until its proper disposal. Program units that have been designated owners of records, files, and data bases must coordinate these responsibilities with the agency Information Security Officer.
AUTHORITY STANDARDS GUIDANCE FORMS TOOLS
