University of Connecticut

Procedures for Handling Confidential and Registered Confidential Data

IT Policies, Standards, and Guidelines

Best Practice

This document is intended to provide guidance to individuals (including faculty, staff, graduate assistants, student employees, and others) and departments dealing with data that the University classifies as “confidential” or “registered confidential”. See the Policy on Data Classification for definitions of “confidential” and “registered confidential”.

Computers, Fax Machines and Printers:

  • When possible, computers, fax machines and printers that might be used for confidential data should be placed in secure areas where access is restricted to only those individuals with permission to access confidential information.
  • Verify correct FAX numbers when sending confidential information, and always use a confidentiality cover sheet. If you receive an unintended FAX that contains confidential information, immediately inform the sender and either secure or destroy the information.
  • Stand at public FAX machines or printers or have documents containing confidential information retrieved immediately so that unauthorized individuals have no opportunity to see the information.
  • All faxes should state the confidential nature of the contents of the communication and have instructions should the fax be misdirected.

Computer Display:

  • Remove confidential data from screens where it is not required.
  • Be aware of the position of computer screens. Unauthorized individuals should not be able to read screens containing confidential information. Use a monitor visor or hood in service areas.
  • Be sure to log off from applications that show confidential data so that no data is accessible after you are finished.
  • Computers that are used to access confidential data should have screen savers so that unauthorized people cannot read the information if they happen to wander into a restricted area.
  • Computers that are used to access confidential data should have a time-out feature so that when a staff person steps away from his/her computer for a period of time, the staff person is required to re-enter his or her password.
  • The use of a password protected monitor is highly recommended.

Telephone, Internet (email) and Other Communications:

  • Limit information that is to be provided to others to what is required/needed/requested. Do not use a general form that contains additional confidential information not required to satisfy a request. For example, if another office needs to verify name and address information, and that information appears on a form that also contains other confidential information (such as social security number, etc.), either black out the unnecessary information on the form or else use another means for providing the requested information.
  • Do not verify attendance, graduation, or other “Directory Information” using the Social Security Number.
  • Conversations (between staff members and/or staff and other individuals) containing confidential information must be restricted to ‘private’ and non-traffic areas where the conversations cannot be overheard by others. When reasonable, move to a private room, move to a corner of a room, keep voices low, etc.
  • Avoid discussing confidential information in public spaces such as elevators or cafeterias.
  • Never ask an individual to speak confidential information in a public setting. Ask the individual to write it on scrap paper (which is then returned to the individual) or to key it on a keypad for input to the computer.
  • When acquiring confidential data via telephone, ask “Are you in a private location where you can give me your confidential information verbally?” Also, never repeat information provided so that others can identify the individual with whom you are speaking and hear details of their information.
  • Verify the identity of individuals to whom you are providing confidential information. Do not disclose confidential information to unauthorized individuals (including family members and friends) unless the affected person has given permission. Follow any additional procedures established by the data custodian for that data.
  • Never leave voice mail messages containing confidential data.
  • On voice mail boxes that may be accessed by more than one individual, leave instructions on the voice mail that instruct the caller not to leave confidential information as part of their message.
  • All faxes should state the confidential nature of the contents of the communication and have instructions should the fax be misdirected.
  • Follow procedures developed by your departments for accepting confidential information from outside your department and ensuring the confidentiality of that information that is received by your department. These procedures should include handling of email messages containing confidential information.

Paper:

  • Do not use sign-in sheets that contain confidential information. In some cases even having full names on a sheet that is available to others might be considered breaching confidentiality. Limit sign-in sheets to first name only.
  • Do not post lists containing confidential information, nor have such lists in a place which can be viewed by others.
  • Remove confidential data from reports where it is not required.
  • Paper records and reports containing confidential and sensitive information must never be left in locations where non-staff individuals (or others without authority to view the information) have access to that information, such as printers or unattended on a desktop in open view. Reports which are no longer needed and which contain confidential and/or sensitive data must be shredded or stored securely until they can be shredded or processed for recycling.
  • Account for any lists, records and reports containing confidential information that are used during conferences or other meetings. Do not leave materials in meeting rooms.

Labeling:

  • All confidential documents should be labeled appropriately with the highest classification level that pertains to the document (registered confidential, confidential, internal use only). All draft documents should be clearly labeled as such.

Disposing of Materials containing Confidential Information:

  • Observe retention guidelines in selecting documents to be destroyed. Information on State of Connecticut regulations regarding student records retention may be found at http://www.cslib.org/stateducation.pdf.
  • Records transferred to the archives which are considered confidential should be accompanied by a statement specifying: (1) the persons or administrators allowed to use the records, and (2) the length of time the records should be treated as confidential.
  • Confidential information not subject to records retention policies that is no longer required for business reasons should be discarded in a secure manner. Paper should be shredded (preferably using a cross-cut shredder) prior to disposal and shredding bins should be emptied on a regular basis. Microfiche copies should be shredded or burned. Electronic information (hard disk, floppy disks, tapes, etc.) must be destroyed, either by re-initializing (for Macs), or use of the data wipe software, or by using a degausser, or by physically destroying the media on which it is maintained. (See http://itpolicy.uconn.edu/policydocs/datawipe.html).
  • Erase recording tapes (from Dictaphones or recorders); do not just write over them.
  • Never dispose of printed confidential information in a regular trash container.

Passwords:

  • Computers that are used to access confidential data must be password protected.
  • Employees should only be given access to those computers and information to which they are entitled. Each employee must use his/her own password to access computers containing confidential data and the password should conform to the Password Guidelines (http://itpolicy.uconn.edu/uconngsr/pswd2004.html). Passwords need to be kept confidential (not shared with anyone else) and need to be changed on a regular basis to ensure security. Passwords must never be left on “Post-it” notes next to the computer.

Laptops and PDAs:

  • Unless given approval by a department head or other designated authority, laptops or other portable devices (PDAs, etc.) should not be used to store confidential information.
  • Laptops and other portable equipment (PDAs, travel drives, floppy disks, etc.) that contain confidential information must be kept secure and able to be accessed only by authorized individuals.
  • Delete confidential information from laptops and personal devices as soon as it is no longer needed on those devices.
  • Refer to Laptop/Portable Computer Security Guidelines (http://itpolicy.uconn.edu/uconngsr/laptop04.html) for additional best practices.

Personal (Home) Computers:

  • Home computers that can be accessed by other individuals (family members and/or friends) should never be used to store confidential University information. Even when the computer is not used by others, prior approval must be granted by the Custodian of the data before downloading and/or storing confidential University information. Where approval is granted, the same security standards used for work machines must be used with the home computer.

Storage of confidential information:

  • Store copies of confidential information, such as microfiche and printouts, in locked file cabinets or desks.
  • Store non-reproducible confidential information in areas designed to safeguard it from unauthorized viewing and damage from natural causes.
  • Store floppy disks in a locked file cabinet or desk. Disks with sensitive information must be locked in a cabinet with a non-standard key lock.
  • Administrative data should be stored on the network drive rather than the physical drive on your PC. Caution should be used when storing administrative information on portable computers.
  • Regularly back up locally maintained confidential information stored on disk to ensure that information is not lost in the event of disk failure and store backups in a locked facility with limited access.
  • Protect electronic records containing confidential data, including backups, during storage by encrypting the confidential data.
  • Place confidential data stored on a hard disk in a segment that is protected by an approved security program requiring an access password.
  • Keys and access cards that permit entry into storage facilities where confidential data is stored must not be loaned or left where others could use them to access the secure areas.
  • All confidential information must be protected from cleaning staff, maintenance staff and others who may have a need to access the facility where confidential information is located.
  • Records and reports (paper and electronic) containing confidential information should be stored in locked rooms, cabinets and/or desks when not in use. Access to these rooms, cabinets and desks must be limited to those who are authorized to access the confidential information.
  • Employees should ‘clean’ their desks of all materials containing confidential information prior to leaving at the end of the day, and store the materials securely.

Access

  • Ensure that all keys and other items that allow access to confidential information, both physical access and computer access, are returned when the individual’s access to the information is no longer appropriate.
  • Do not look up confidential information pertaining to yourself or anyone else unless you are authorized to do so.
  • Limit access to confidential information to the minimum needed to do the job.
  • Implement electronic audit trail procedures to monitor who is accessing what.
  • Use logs or electronic audit trails to monitor employees’ access to records with confidential data.
  • If you are required to share confidential data with other (third-party) organizations, including contractors, use written agreements to protect their confidentiality. Such agreements should prohibit such third parties from re-disclosing the confidential data, except as required by law; require such third parties to use effective security controls on record systems containing confidential data; require the return or secure disposal of the data when the agreement ends; and hold such third parties accountable for compliance with the restrictions you impose, including monitoring or auditing their practices.

Security Incidents

  • The System Administrator and Data Custodian should be notified immediately of any known or suspected security breach involving confidential data.
  • If confidential data is disclosed inappropriately and the individuals whose confidential data was disclosed are put at risk of identity theft or other harm, initiate a security response that promptly notifies the individuals potentially affected.

Additional Information

  • Any employee who is faced with a situation involving confidential data and is unsure how to proceed should contact his/her supervisor for instructions. Any member of the University community who has questions about confidentiality or privacy issues may also contact the University Privacy Officer at (860) 486-5256.
Updated: 06.30.2009:ldg