1. No member of the Current Diary is permitted to electronically store or maintain record of clients, clients data in any way relating to Current Diary - sponsored activities. Information Technology Services (ITS) must approve the use of any system or application that electronically processes, stores, or transmits data.
Paper documents containing client data should be secured in a locked office and stored in a cabinet. In an open office environment paper documents should be stored in locked cabinets. Paper documents should not be left in an unsecured office after work hours.

2. The following Confidential data types can only be electronically stored on an ITS managed server and can only be accessed from an ITS managed computer.
Name Father Name Mother Name Contact Number Address
In the event that an exception is necessary in order to carry out the business of the Company, the user must get written approval from both Company as well as the Information Security Officer.

3. It is recommended that all other Confidential data and Restricted data types be electronically stored or accessed from the one of the following list of devices, in order of preference: ITS managed server, ITS managed desktop computer, encrypted laptop, encrypted mobile storage device. Any encrypted device must be encrypted using a process documented and approved by ITS and the administrator of such system must report to the Information Security Officer on system security related matters.
When handling physical documents containing any Confidential and/or Restricted data types, the documents must be in your possession at all times; otherwise they should be stored in a secure location (e.g. room, file cabinet, etc.) to which only specifically-approved individuals have access through lock and key. When the information is no longer needed, the physical documents must be shredded using a company-approved device prior to being discarded; or destroyed by a companyapproved facility.
Confidential data and Restricted data should not be taken or stored off-campus unless the user is specifically authorized to do so by company and notification of the authorization is sent to the Information Security Officer.

4. Current Diary reserves the right to electronically scan all company-owned resources and resources connected to the company network for Confidential data. In event that Confidential data is found in unauthorized locations, the Information Security Officer will follow-up with the responsible member to remedy the situation.

5. Confidential data cannot be transmitted through any electronic messaging (i.e. email, instant messaging, text messaging) even to other authorized users. Confidential data in a physical format cannot be transmitted through untracked delivery methods.

6. All employees, and staff account passwords must be complex. A complex password is defined as follows:
At least eight characters long
Cannot contain three or more characters from the user's account name
Must contain 3 of the following categories
Uppercase English letter (A to Z)
Lowercase English letter (a to z)
Number 0 to 9
Non-alphanumeric character (!, #, $, & , =, etc…)
Unicode character

7. Users who are authorized to access or maintain Confidential data or Restricted data must ensure that it is protected to the extent required by Company policy or law after they obtain it. All data users are expected to:
Access data only in their conduct of Company business.
Request only the minimum Confidential data or Restricted data necessary to perform their Company business.
Respect the confidentiality and privacy of individuals whose records they may access.
Observe any ethical restrictions that apply to data to which they have access.
Know and abide by applicable laws or policies with respect to access, use, or disclosure of data.

8. Compliance with these data protection policies is the responsibility of all members of the Current Diary community. Violations of these policies will be dealt with seriously and will include sanctions, up to and including termination of employment. Users suspected of violating these policies may be temporarily denied access to the data as well as Company information technology resources during investigation of an alleged abuse. Violations may also be subject to prosecution by state and federal authorities. Suspected violations of Company's data protection policies must be reported to the Information Security Officer.