The Privacy Office is responsible for the security of paper documents and works with the Department’s Information Security Officer (ISO) to ensure the privacy and security of all electronic data. It is CDPH policy to employ security measures that preserve the privacy of confidential, personal, or sensitive information and prevent the release or destruction of information through theft, loss, damage, unauthorized destruction or modification, unintentional or inappropriate release, misuse, accident, sabotage or other criminal activity, or natural disaster.
The Privacy Office is responsible for receiving notice of and investigating (in cooperation with the Department Information Security Officer) all alleged breaches of information security reported by Department employees, staff of its business associates, other government agency partners, individual program beneficiaries, or other persons or entities. It will work to resolve the issues raised in order to safeguard the privacy and security of information and improve the CDPH business systems and practices. When the Privacy Office is made aware of a breach incident, the Privacy Officer determines the appropriate level of response to mitigate potential harm and the corrective action necessary. If the breach involves electronic, unencrypted confidential information, the state breach notification law may also be triggered.
State policy requires CDPH to follow specified notification and reporting processes when information security incidents occur. CDPH shall adhere to the Information Security Reporting Requirements set forth in State Administrative Manual Section 4845 AGENCY INFORMATION SECURITY REPORTING REQUIREMENTS (Revised 12/06).
CDPH employees must provide immediate notice to the CDPH Privacy Officer and the CDPH Information Security Officer of any suspected or actual breach of security or unauthorized disclosure in violation of any applicable federal and state laws or regulations.
Note: Business Associates must also notify CDPH of security breaches.