Sensitive Data Guide
For More Information:
Security
Sensitive Data Guide
Care and Handling of Sensitive Data
When handling data of a sensitive nature, there are ways to help reduce the risk of improperly or inadvertently disclosing that information to unauthorized people. How we should handle data often depends on what form it takes. Here are some methods to help safeguard sensitive data:
Storage and Physical Security:
Data with sensitive components should be segregated from common information. If a spreadsheet or other digital file contains protected content, you need to treat the entire document as sensitive and maintain it in a secure location such as a protected server instead of on your desktop or laptop computer. Speak with HIS Support Services staff about using network storage space or, if necessary, establishing a secure storage location on your computer for sensitive data.
Ensuring physical security is important for paper copies containing sensitive information as well as for your computer. This is usually as simple as keeping your office locked when you are not in it and securing sensitive documents in a drawer or file cabinet. Notebook computers require a more concerted effort on your part while not in secured areas. To prevent theft, use anti-theft locks for physical security and drive encryption for virtual security. For more information contact HIS Support Services.
Printing:
Many find it easier to work with paper copies than to work from a computer screen. When these printed copies contain sensitive data, we must handle them carefully to protect that information. Before printing an email, spreadsheet, or other digital file with protected data, make sure you have a way to limit the number of people who could possibly read or accidentally pick up the printout. You should also scrub any sensitive information not absolutely necessary. Remove items such as Social Security numbers, or if that is not possible, remove all but the last four digits. Consider printing to a printer in a private office or meet the printout as it exits the printer. Files that must be copied should be controlled and disposed of just as strictly as the originals. Whenever possible it is preferable not to print or duplicate documents containing sensitive data.
Display:
Display of sensitive data can qualify as an exposure requiring notification and punitive investigation or fines. Display includes printing documents with controlled information and posting it in a public space where unauthorized persons can view it or using data in a presentation without removing or neutralizing the information to make it safe. For example, you should not post students grades with their Social Security numbers or names. Also, make sure not to leave sensitive data displayed on your computer screen in an unsecured location.
Remote Access:
In the Digital Age, how you access sensitive data is often as important as where and how that data is secured. Employees (including Graduate Assistants) with access to sensitive information should not use personal computers to store sensitive data in any form. Data accessed via a remote connection is still the responsibility of the college, the department, the employee accessing the data, and the person that owns the data. Work with HIS Support Services staff to ensure that employees who need access to sensitive information from home or other locations outside the college are using secure methods, such as encryption and strong passwords, to do so.
Archiving Documents With Sensitive Data:
It is sometimes necessary to keep documents that contain sensitive data for extended periods of time. Whenever possible you should "sanitize" the document to remove any unnecessary sensitive data. Removing Social Security numbers from class rosters or blacking out the pertinent sections of printed forms will greatly reduce your risk of exposure. When receiving a computer upgrade or moving offices, consider disposing of unneeded sensitive data. This will help you catch files that predate these laws. These older files are still subject to current laws and the notification requirements they impose in most cases.
