Commercial Vehicle Training Association (CVTA) Privacy and Acceptable Use Policy

Table of Contents

  1. Introduction
  2. Definitions
    1. User
    2. CVTA’s Information Technology Resources
      1. Desktop and portable computer systems
      2. Computer systems, including databases
      3. Fax machines and scanners
      4. Internet, Intranet and Extranet access (including WWW browsing and FTP)
      5. E-mail and instant messaging
      6. Telephones and voice mail
      7. Smart phones, tablets, cellular telephones, and other similar mobile devices
      8. Document management systems
      9. Operating systems and software
      10. Storage media
  3. Principles
    1. Authority and Purpose
    2. Accountability, Auditing and Risk Management
    3. Audit
    4. Training
    5. Consequences of Non-compliance
    6. Data Quality and Integrity
    7. Data Minimization and Retention
    8. Individual Participation and Redress
    9. Security
    10. Transparency
    11. Use Limitation
  4. Policy
    1. Risk Prevention
    2. CVTA’s Information Technology Resources
    3. Scope
      1. Resources
      2. Accounts and Subscriptions
    4. Information Submitted by CVTA Members
    5. Disclosure of Member-Provided Information
    6. Prohibited Activities
      1. Illegal Acts
      2. Electronic Communication – Blogging, Community Sites
      3. Electronic Communication – CVTA E-mail
      4. Information Security
    7. Service Providers
      1. Privacy of Information Provided to Service Providers
      2. Security of Information Provided to Service Providers

1. Introduction

The Commercial Vehicle Training Association (CVTA) provides its employees, members and service providers with access to certain confidential information relating to CVTA, member organizations or individuals. It is important that this information be used in an acceptable, productive, and prudent manner, and that guidelines be in place so that both CVTA and its employees, members and individuals are protected from improper usage, including anything of an illegal or unethical nature.

Effective protection of privacy and security is a team effort involving the participation and support of all who deal with CVTA information and/or information systems. It is the responsibility of every user to know this Privacy and Acceptable Use Policy (Policy), and to conduct their activities accordingly.

2. Definitions

2.1 User

Any individual authorized to use CVTA’s Information Technology resources or information, including employees, contractors, business partners and service providers.

2.2 CVTA’s Information Technology Resources

CVTA’s Information Technology resources, referred to hereafter as IT resources, include, but are not limited to:

2.2.1 Desktop and portable computer systems

2.2.2 Computer systems, including databases

2.2.3 Fax machines and scanners

2.2.4 Internet, Intranet and Extranet access (including WWW browsing and FTP)

2.2.5 E-mail and instant messaging

2.2.6 Telephones and voice mail

2.2.7 Smart phones, tablets, cellular telephones, and other similar mobile devices

2.2.8 Document management systems

2.2.9 Operating systems and software

2.2.10 Storage media

3. Principles

CVTA’s commitment to privacy is built around the Fair Information Practice Principles (“FIPPs”),¹ which have historically formed the basis for U.S. privacy laws. The FIPPs include:

  1. Authority and Purpose
  2. Accountability, Audit and Risk Management
  3. Data Quality and Integrity
  4. Data Minimization and Retention
  5. Individual Participation and Redress
  6. Security
  7. Transparency
  8. Use Limitation

The FIPPs outlined in this Policy inform CVTA’s treatment of all personal information. Using the guiding principles of the FIPPs, it is CVTA’s policy to protect the privacy and confidentiality of personal information and meet its compliance obligations as set forth below.

¹ The FIPPs are a long-standing and internationally recognized set of privacy principles that originated with the Department of Health, Education & Welfare in the 1970s. U.S. and international governmental entities continue to issue updated versions of the FIPPs, including the 2013 release of the National Institute of Standards and Technology, Special Publication 800-53, Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53), a document used by governmental and non-governmental entities as a resource in drafting privacy and security controls for information systems. The version of FIPPs included in Appendix J to SP 800-53 is utilized in this Policy.

3.1 Authority and Purpose

Where required by applicable legal standards, consumers will be notified regarding the purposes for which CVTA intends to use personal information.

3.2 Accountability, Auditing and Risk Management

The management of CVTA bears ultimate responsibility for the use of personal or confidential information, but may delegate tasks relating to information and systems management.

3.3 Audit

CVTA will periodically conduct monitoring for compliance with this Policy.

3.4 Training

Employees, third-party service providers and independent contractors with access to personal information will receive training regarding the collection, use and handling of such information. Additional training regarding privacy requirements will be provided where needed.

3.5 Consequences of Non-compliance

Failure to comply with this Policy regarding safeguarding of personal or confidential information may result in disciplinary action, up to and including termination of employment or contracts, or dismissal.

3.6 Data Quality and Integrity

CVTA will maintain appropriate levels of accuracy, relevance, timeliness and completeness of personal information for the intended use of the data.

3.7 Data Minimization and Retention

CVTA will limit the collection of personal information to information reasonably required to meet legitimate business purposes and will limit access to personal information to those employees, third-party service providers, independent contractors and members with a need for such information to perform business functions. Where appropriate and feasible, CVTA may de-identify data in order to minimize risk to the company and individual consumers.

3.8 Individual Participation and Redress

If required for compliance with applicable requirements, CVTA will provide consumers with an appropriate opportunity to exercise choices regarding the sharing of personal information and opportunity to request amendment or correction of such information. Where such consumer choices are provided, consumers’ preferences will be tracked and respected by CVTA as required by the applicable law.

3.9 Security

Personal or confidential information will be secured in compliance with applicable information security policies and in compliance with applicable legal requirements.

3.10 Transparency

Materials provided to and made available to consumers will accurately describe the types of personal information collected by CVTA and the use and sharing of such information in accordance with legal and contractual obligations relating to the collection, use and disclosure of personal information.

3.11 Use Limitation

Use of personal information will be limited to purposes permitted by applicable law and restrictions imposed on CVTA by contracts and other terms on which data is received. Use of personal information will be commensurate with the choices made by consumers where such choices are made available and consistent with applicable legal limitations on the reuse of personal information.

4. Policy

This Policy establishes the minimum standards for the acceptable use of CVTA’s Information Technology resources and information stored on or transmitted through those resources.

4.1 Risk Prevention

This Policy is subject to change based on the risks that technology, and its use, presents to CVTA. CVTA, in its absolute discretion, may implement technology solutions or processes that prevent areas of use of CVTA’s Information Technology resources and information without notification.

4.2 CVTA’s Information Technology Resources

CVTA’s systems and information are to be used for business purposes in serving the interests of CVTA, and of its members in the course of normal operations.

4.3 Scope

4.3.1 Resources

This Policy applies to all CVTA IT resources that are:

  • Owned or leased by CVTA
  • Used to access CVTA networks or cloud based technology services

4.3.2 Accounts and Subscriptions

This Policy applies to all activities using any CVTA-paid accounts, subscriptions or other IT services, such as Internet access, voice mail and

4.4 Information Submitted by CVTA Members

CVTA members may submit information to CVTA under an agreement. The collection, sharing and use of such data is governed by the agreement and this Policy. CVTA may use member-submitted information as permitted or required by applicable law, for the administration of CVTA, and for the benefit of members. Permissible uses of member-submitted information include:

  • To review compliance with CVTA standards
  • For the protection of information to be used in CVTA publications

4.5 Disclosure of Member-Provided Information

CVTA may publicly disclose information provided by members, but only where such information does not identify a particular member or individual. This restriction does not limit the ability of CVTA to disclose information where required under applicable legal or regulatory requirements.

4.6 Prohibited Activities

CVTA employees and members may not use CVTA resources or information for prohibited activities. The list of prohibited activities below is by no means exhaustive; it provides a framework for activities which fall into the category of prohibited activities.

4.6.1 Illegal Acts

The following activities are prohibited:

4.6.1.1 Using IT resources to engage in any activity that is illegal under local, state, federal or international law.

4.6.1.2 Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which CVTA or the user does not have an active license.

4.6.1.3 Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by CVTA.

4.6.1.4 Using a CVTA IT resource to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws or which violates CVTA’s sexual harassment policy.

4.6.1.5 Making fraudulent offers of products, items, or services originating from any CVTA account.

4.6.2 Electronic Communication – Blogging, Community Sites

The following activities are prohibited:

4.6.2.1 Posting the same or similar non-business-related messages to large numbers of Usenet news groups (newsgroup spam).

4.6.2.2 Unauthorized use of CVTA’s trademark, logos, and any other CVTA intellectual property.

4.6.3 Electronic Communication – CVTA E-mail

The following activities are prohibited:

4.6.3.1 Reading or accessing another workforce member’s e-mail without his/her knowledge or proper approval.

4.6.3.2 Sending e-mail or other communications that either mask the user’s identity or indicate that someone else sent the e-mail or communication.

4.6.3.3 Configuring e-mail systems to automatically forward e-mails to an external destination without approval from both the workforce member’s manager and from Information Security.

4.6.3.4 Forwarding confidential information, via any means, unless that e-mail is critical to business and is encrypted.

4.6.3.5 Any form of harassment via e-mail, whether through language, frequency, or size of message.

4.6.3.6 Unauthorized use, or forging, of e-mail header information.

4.6.3.7 Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.

4.6.3.8 Using e-mail to solicit for personal gain or to conduct non-CVTA commercial business.

4.6.3.9 Using e-mail to solicit on the behalf of religious or political causes.

4.6.4 Information Security

The following activities are prohibited:

4.6.4.1 Intentional introduction of malicious programs into the network, servers or computer systems (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).

4.6.4.2 Installing any software on any CVTA IT resource without express prior documented permission from Information Security or other designated leadership within the Information Technology Department. Software installations will be monitored and subject to restriction at the discretion of leadership.

4.6.4.3 Accessing any IT resource by means of another User’s unique ID and/or password.

4.6.4.4 Revealing to anyone, any system password used as a unique identifier for system access.

4.6.4.5 Circumventing user authentication or security of any host, network or account.

4.6.4.6 Unauthorized reviewing, duplication, dissemination, removal, installation, damage or alteration of files, passwords, computer systems or programs, or other CVTA property, or improper use of CVTA data obtained by any means.

4.6.4.7 Intentional acts that cause potential security issues or disruptions of network communications.

  • For purposes of this section, “security issues” include, but are not limited to, accessing data of which the workforce member is not an intended recipient or logging into a server or account that the workforce member is not authorized to access.
  • For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

4.6.4.8 Connecting external media devices to CVTA’s IT resources for the purpose of copying files or data unless otherwise properly encrypted and authorized for use by Information Security. This includes, but is not limited to: USB thumb-drives, flash drives, external hard-drives, CD burners, cell-phones, and media players.

4.6.4.9 Transmitting and/or storing CVTA data via personal or otherwise unapproved means such as cloud storage (OneDrive, Google Drive, Google Docs, Dropbox, etc.), personal email (Gmail, Yahoo mail, etc.) or file transfer solutions (BitTorrent, FTP, etc.).

4.7 Service Providers

As a term of any retention of an entity by CVTA to perform services, the entity must agree to follow the terms of this policy.

4.7.1 Privacy of Information Provided to Service Providers

A service provider must agree to use and disclose information provided by or on behalf of CVTA or CVTA members solely for the purpose of providing services to CVTA or the CVTA member. Any use or disclosure of information provided by or on behalf of CVTA or CVTA members, including aggregated or anonymized data, for purposes other than providing services to CVTA or CVTA members must be approved in writing by CVTA.

4.7.2 Security of Information Provided to Service Providers

Any information provided to service providers must be secured by the service provider using industry standard controls to protect against unauthorized access, acquisition or use of the information. Controls must be based on assessed risks to the information provided and the sensitivity of the information.