PII Collection, Use, and Sharing
TFP provides professional services to procure and manage federal, state and local workforce development grants and incentives from various funding agencies. In order to meet the reporting needs of the various funding agencies and secure funding for its clients, TFP must collect and manage client employee PII for purposes of meeting the reporting requirements of the agencies.
The type of PII that may be provided by a client to TFP during the course of business (“client employee PII”) includes employee first and last names, identification numbers (including SSNs), job-related information, payroll/wage information, and demographic information such as ethnicity, gender, age, and education. Other client employee PII such as credit card information, driver’s license numbers, bank account numbers, and employee medical information is NOT required by the various funding agencies and therefore will NOT be collected by TFP.
Client employee PII data is not shared with any third parties beyond the funding agency as authorized by TFP’s client. TFP does not sell or rent this information to any third parties.
Cloud Service Provider Usage
TFP may contract with cloud service providers for purposes of hosting training related data, hosting its email, and managing client data and records as may be required based on the business and agency need. All client employee PII is encrypted while in transit to/from these cloud service providers or while client employee PII is stored at rest on their servers. These cloud service providers have been chosen due to their data centers being SSAE 16 and ISO 27001 accredited.
TFP consults with all its cloud service providers so that its clients’ sensitive information and activities are protected to the same degree of security that TFP would intend to provide its employees’ PII. Security and auditing are requested from TFP’s cloud service providers as applicable to TFP’s needs and concerns. Service level agreements (“SLAs”) are reviewed by TFP periodically for system restoration and reconstitution time.
TFP uses commercially reasonable physical, electronic, and administrative safeguards to protect our client employee PII from loss, misuse, unauthorized access, alteration, disclosure, and destruction. When clients upload sensitive information, technical measures and security controls are utilized to ensure that client employee PII is encrypted while in transit and while at rest using regular credential, password and authentication updating protocols including two-factor authentication.
Wherever TFP collects client employee PII, that information is encrypted and must be transmitted to TFP in a secure way. This security can be verified by looking for a lock icon in the address bar and looking for “https” at the beginning of the address of the Secure Client Login page at the bottom of TFP’s main website at www.tfpgroup.com. Simple password protection on an email attachment is not a secure transfer method and therefore is not an allowable method for transferring PII.
Only TFP employees who need the information to perform a specific job are granted access to client employee PII. The computers/servers/databases in which TFP stores client employee PII are kept in a secure environment. Critical patches are installed immediately when software security vulnerabilities are identified. Also, TFP performs regular internal security reviews and provides security training to its employees on an annual basis.
TFP immediately destroys client employee PII after its business need or relevance has expired. Electronic PII is shredded by a software tool that will overwrite the files before deletion. Hard copy PII, if any, is destroyed via a licensed shredding company. End-of-lifecycle hard drives are first shredded and then physically destroyed on site (in the presence of a TFP employee) by a certified destruction company.
Breach and Breach Notification
If TFP becomes aware of a security breach which TFP believes has resulted in unauthorized access to, or other misuse of, client employee PII, TFP will promptly investigate the matter and notify the applicable agencies of such breach. TFP’s investigation will be without delay to determine the scope of the breach and identify the client employees affected. If client employee PII has been compromised, TFP will be responsible for notifying key client contacts within 24 hours of the suspected breach.
This website, www.tfpgroup.com, contains links to other sites. Please be aware that TFP is not responsible for the content or privacy practices of such other sites. TFP encourages its users to be aware when they leave TFP’s site and to read the privacy statements of any other site that collects PII.
Enforcement and Dispute Resolution
If you have any questions or concerns regarding TFP’s Policy, please contact TFP using the contact information below. Upon receipt of your questions or concerns, TFP will reply to your questions or concerns as quickly as possible.
Attention: Information Security Officer
TFP Group, Inc.
10221 Slater Ave
Fountain Valley, CA 92708
At TFP’s discretion, TFP may modify its Policy at any time and such modifications will be effective immediately upon posting to its main website at www.tfpgroup.com.
Date Last Revised
February 22, 2018