Data Privacy & Protection Policy

1. Purpose

The purpose of this policy is to ensure that all personal, sensitive, and confidential information handled by Crime Trackers Massachusetts (CTM) personnel is protected, secured, and used in compliance with legal requirements. This includes data related to victims, juveniles, sealed records, and operational intelligence.

2. Scope

This policy applies to:

  • All full-time, part-time, and contract personnel
  • Operational volunteers
  • Supervisors and managers responsible for data management
  • Any personnel with access to personal, juvenile, or sensitive operational records

3. Policy Statement

  • CTM is committed to protecting the privacy and security of all sensitive information collected, stored, or shared in the course of operations.
  • Access to sensitive information is limited to personnel with a legitimate need-to-know.
  • Unauthorized access, use, or disclosure of personal or confidential data is strictly prohibited.

4. Types of Protected Data

Personnel must exercise heightened protection for:

  • Personal Identifiable Information (PII): Names, addresses, phone numbers, emails, and other identifying information
  • Juvenile Information: Any data regarding minors involved in incidents or investigations
  • Victim Identities: Protecting the privacy and safety of victims is mandatory
  • Sealed or Restricted Records: Court-sealed documents, expunged records, or legally restricted information
  • Operational Intelligence: Incident reports, tips, investigative notes, and internal analysis

5. Data Handling Procedures

A. Collection & Access

  • Collect only information necessary for operational purposes
  • Verify the legitimacy of the requestor before sharing sensitive data
  • Maintain access logs for all data systems

B. Storage & Security

  • Store digital information on secure, encrypted systems
  • Physical records must be stored in locked, controlled-access areas
  • Do not leave sensitive data unattended or unsecured

C. Data Sharing & Distribution

  • Share sensitive data only with authorized personnel or agencies
  • Redact or anonymize information when possible to protect identities
  • Ensure data-sharing agreements are in place with external partners

D. Disposal & Retention

  • Retain records according to organizational and legal retention schedules
  • Securely dispose of data that is no longer required
  • Shred physical documents and permanently delete electronic files

6. Confidentiality Agreements

  • All personnel must sign confidentiality agreements as a condition of employment or engagement
  • Agreements reaffirm obligations to protect personal and sensitive data, including post-separation obligations

7. Breach Reporting

  • Any suspected or confirmed data breach must be reported immediately to supervisors or the compliance officer
  • Follow the organization’s Incident Reporting & After-Action Policy for documenting and addressing breaches
  • Personnel involved in breaches may be subject to disciplinary action or legal liability

8. Training

  • All personnel must receive mandatory training on:
    • Data privacy laws and regulations
    • Handling juvenile and victim information
    • Secure storage, access, and disposal procedures
  • Refresher training is required annually or whenever policies or systems are updated

9. Supervisor Responsibilities

  • Monitor personnel compliance with data privacy procedures
  • Review access logs and ensure only authorized use of sensitive information
  • Investigate potential violations and implement corrective actions

10. Policy Review

  • This policy shall be reviewed annually to ensure compliance with legal standards, best practices, and operational requirements
  • Updates must be documented and communicated to all personnel