General Security and Email Policies
All users of archdiocese and Location communication systems and devices should use care in creating email, text, video, still images, instant or voicemail messages, or any postings on any social networking site. Even when a message has been deleted, it may still exist on a backup system; it may be restored, downloaded, recorded, or printed; or it may have been forwarded to someone else without its creator's knowledge. The contents of email and text messages are the same as other written documentation and cannot be considered private or confidential.
As with paper records, proper care should be taken in creating and retaining electronic records for future use, reference, and disclosure, as applicable. See Document Retention.
Postings to groups such as "All Employees," "All Parents/Guardians," "All Seminarians," "All Parishioners," and the like on intranets or the Internet must be approved by the person in charge of the Location before the postings are sent out.
Archdiocese and Location systems, devices, and materials are not private and security cannot be guaranteed. User IDs and passwords are intended to enhance system security, not to provide users with personal privacy. User account passwords for systems that are not controlled by a centralized user directory or authentication system must be on record with the person in charge of the Location.
Do not disclose User IDs and passwords to unauthorized parties or share them with other employees, students, or volunteers. User accounts are intended to be used only by the assigned party.
Change passwords to user accounts regularly. Avoid using the same password for user accounts with different providers.
All information systems that create, store, transmit, or otherwise publish data or information (e.g., a website) must have authentication (ability to verify the identity of the user) and authorization systems (e.g., individualized user accounts) to prevent unauthorized use, access, and modification of data and applications.
Any electronic medium that is intended for use by the general public may allow access as long as the medium does not allow unauthorized posting and modification of the official information.
All files downloaded from the Internet, all data received from outside sources, and all content downloaded from portable memory devices must be scanned with current virus detection software. Immediately report any viruses, malware, tampering, or other system breaches to the person in charge of the Location.
Back up critical information periodically onto backup storage. Store backed-up information in a safe place that is available for recovery in case of a loss of the original information. Depending on the complexity of a Location's information systems, a detailed disaster recovery plan may need to be developed.
Protect computer networks and physical hardware from unauthorized use. Both local physical access and remote access must be controlled.
Complete archdiocesan information is accessible exclusively through the Archdiocesan Community Email Services (ACES) and all employees, clergy, and similar users are encouraged to obtain and use an ACES account as their preferred business account.
10.3.4.1 Electronic or Digital Signatures
Locations wishing to reduce their use of paper forms may choose to rely on electronic forms for applications, registrations, acknowledgments of receipt, contractual agreements, etc. When deciding to use electronic forms, locations should keep in mind that editing software can enable users to make changes, which may compromise the integrity of the documents. Furthermore, although electronic communication devices have individual identifiers, those identifiers do not necessarily identify the person using the device.
Nonetheless, documents created and stored electronically, and "signed" electronic documents such as email messages, may be legally binding if the parties' communications demonstrate an intent to be bound. However, locations should exercise great caution in relying on electronic or digital signatures for documents that are intended to be binding, such as tuition agreements, employment contracts, health authorizations, or liability waivers. For such documents, locations must heed the following guidelines:
- An electronic or digital signature can have the same force and effect as a handwritten signature provided that it is:
  - Unique to the person using it
  - Capable of verification
  - Under the sole control of the person using it
  - Linked to data in such a manner that if the data are changed, the digital signature is invalidated, and
  - Uses either Public Key Cryptography (PKC) or Signature Dynamics to encrypt the data.
- All five requirements must be met for the electronic or digital signature to be considered authentic and legally binding by California courts. Commercial services are available that offer electronic/digital signature authentication.
- Webmasters for locations must ensure that the "socket" used for linking to a signature portal is appropriately secure.
- The use or acceptance of an electronic or digital signature is at the option of the parties to the transaction; in other words, one party or the other can insist on a "wet" handwritten signature.
For documents that do not call for binding legal effect, such as sign-ups for Eucharistic adoration, co-curricular activity registrations, or parent volunteer assignments, locations may choose simple accept-and-click "signatures" or email or other electronic responses, with the understanding that the authenticity and validity of such signatures can be challenged.