This policy establishes Gail Borden Public Library District’s (GBPLD) internal controls to safeguard Personally Identifiable Information (PII) and other sensitive information. GBPLD complies with the provisions of the Identity Protection Act (5 ILCS 179/1 et seq.), the Library Records Confidentiality Act (75 ILCS 70/), as well as relevant federal regulations including 2 CFR 200.303(e). This policy applies to all employees, officers, and contractors doing business with GBPLD.
Definitions
- Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
- Protected Personally Identifiable Information (Protected PII): PII that is not required to be disclosed by law.
- Sensitive Information: Information that GBPLD has determined should be treated with a higher standard of care.
Identifying PII and Sensitive Information
PII is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. It requires a case-by-case assessment of the specific risk that an individual can be identified. Further, PII is defined as information:
- That directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or
- By which specific individuals can be identified in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).
Additionally, information permitting the physical or online contacting of a specific individual is the same as PII. This information may be in the form of paper, electronic, or other media. Examples of PII include, but are not limited to: names, addresses, social security numbers, credit card numbers, bank numbers, biometrics, date and place of birth, mother's maiden name, criminal, medical, and financial records, and educational transcripts.
GBPLD may designate any information as sensitive or confidential even if it does not fall into the category of PII.
Requirements
GBPLD must take reasonable cybersecurity and other measures to safeguard information, including protected PII. This also includes information that a federal awarding agency or pass-through entity designates as sensitive, and other information that GBPLD considers sensitive, consistent with applicable Federal, State, local, and tribal laws regarding privacy and responsibility over confidentiality.
GBPLD safeguards PII and other sensitive information by:
- Educating Staff about Risks and Responsibilities: GBPLD personnel who have access to PII or sensitive information receive training about the risks of disclosure and their responsibilities for protection of this type of information.
- Limiting Collection and Access: GBPLD collects the minimum information that is necessary to fulfill its objectives and avoids collection of unnecessary PII. Only employees who are required to use or handle PII or sensitive information will have access to such information. GBPLD has established administrative, technical, and physical safeguards to protect PII commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss, destruction, dissemination, or disclosure. Physical files with PII or sensitive information are secured in filing cabinets, locked offices, and secured buildings as appropriate. Sensitive electronic files are protected through security mechanisms including the use of multi-factor authentication and encryption as appropriate.
- Appropriately Maintaining Records: GBPLD follows all applicable records management laws, regulations, and policies. Records are not maintained longer than required. Records containing PII or other sensitive information are disposed of appropriately.
- Redacting Protected PII from Records Subject to Release: As a public organization and a recipient of federal funds, certain GBPLD records may be subject to release under the Freedom of Information Act (FOIA). Protected PII will be redacted from documents prior to release.
Incident Response
A data breach occurs when PII or other sensitive information is viewed, leaked, or accessed by anyone who is not the individual, or someone authorized to have access to this information as part of his/her official duties. Staff must promptly report all suspected compromises of PII or sensitive information to their immediate supervisor or Department Director. Violations of GBPLD’s information security policies will be referred to the Chief Executive Officer and personnel may be disciplined for security violations or irresponsible use.
Responsibilities
- Department Directors will ensure personnel receive appropriate training on the protection of PII and sensitive information related to their duties.
- The Chief Executive Officer will oversee the implementation and enforcement of this policy to ensure compliance.
Review of this Policy
The GBPLD Board of Trustees will review this policy annually to maintain best practices.
Related Policies
Identity Protection
Personnel Records and Confidentiality
(8/2025)