Personally Identifiable Information (PII) Data Retention and Protection Policy

Internal Policy Document
Effective Date: January 9, 2026

 

1. Purpose

This policy establishes guidelines for the collection, use, retention, and protection of Personally Identifiable Information (PII) collected by Bozeman Film Festival, Inc.

 

2. Definitions

PII includes but is not limited to:

  • Names and contact information

  • Social Security Numbers (donors only, for tax purposes)

  • Payment card information

  • Date of birth

  • Driver's license numbers

  • IP addresses

  • Photographs and videos

 

3. Data Minimization Principles

  • Collect only information necessary for stated purposes

  • Avoid collecting sensitive information unless required

  • Regularly review and purge unnecessary data

  • Use anonymization when possible

 

4. Retention Schedules

5. Access Controls

Physical Security

  • Locked filing cabinets for paper records

  • Restricted access to records storage areas

  • Clean desk policy for sensitive information

  • Secure disposal/shredding procedures

 

Digital Security

  • Password requirements (minimum 12 characters, with complexity rules)

  • Multi-factor authentication for sensitive systems

  • Role-based access controls

  • Regular access reviews and updates

  • Encryption for sensitive data at rest and in transit

 

6. Data Sharing Restrictions

  • No sharing of PII without explicit consent or legal requirement

  • Written agreements required for third-party processors

  • Due diligence on third-party security practices

  • Limit sharing to the minimum necessary

 

7. Data Breach Response Plan

Immediate Actions (Within 24 hours)

  1. Contain the breach

  2. Assess the scope and impact

  3. Notify the IT security team

  4. Document all actions taken

 

Within 72 hours

  1. Notify affected individuals if required

  2. Notify law enforcement if criminal activity is suspected

  3. Notify insurance carrier

  4. Begin forensic investigation

 

Follow-up Actions

  1. Complete investigation

  2. Implement remediation measures

  3. Review and update security policies

  4. Conduct staff training on lessons learned

 

8. International Data Considerations

For EU residents (GDPR compliance):

  • Obtain explicit consent for data collection

  • Honor data subject rights (access, correction, deletion)

  • Maintain processing records

  • Implement privacy-by-design principles

 

For California residents (CCPA compliance):

  • Provide notice at collection

  • Honor consumer rights requests

  • Maintain request records

  • Do not discriminate against consumers for exercising their rights

 

9. Staff Training Requirements

  • Annual privacy and security training for all staff

  • Role-specific training for those handling sensitive data

  • New employee orientation includes data protection

  • Regular security awareness updates

 

10. Compliance Monitoring

  • Quarterly reviews of data handling practices

  • Annual privacy impact assessments

  • Regular security vulnerability assessments

  • Documentation of all compliance activities

 

11. Penalties for Non-Compliance

Violations of this policy may result in:

  • Verbal or written warnings

  • Additional training requirements

  • Suspension of system access

  • Termination of employment

  • Legal action if warranted

 

12. Policy Review and Updates

  • Annual review by Board of Directors

  • Updates as required by changes in applicable law

  • Staff notification of any changes

  • Version control and change documentation