Departments throughout USM are responsible for collecting, storing and distributing voluminous amounts of information. Some of the information is federally legislated as private and must be protected in accordance with laws such as Gramm-Leach-Bliley (GLB) for personal financial information, and the Family Educational Rights and Privacy Act (FERPA) for student records. Other information should be safeguarded because it is considered private or confidential by the commonly understood definition of the words.
The following is a checklist that may be helpful to all University employees who have access to confidential/private information that should be safeguarded.
Information Communicated Orally
Make it a practice not to discuss confidential information outside of the workplace or with anyone who does not have a specific need to know it.
Be aware of the potential of others to overhear communications about sensitive information in offices, on the telephones, and in public places like hallways, restrooms, elevators and restaurants.
Information Stored on Paper
Documents that include confidential information need to be secured during printing, transmission, storage and disposal. Examples include but are not limited to: social security numbers, student education records, loan or financial aid data, scholarship information, medical information, tax information and credit card numbers.
Do not leave paper documents containing sensitive information unattended; protect them from the view of passers-by or office visitors.
When offices are closed, store paper documents containing sensitive information in locked files and/or locked work areas.
Keys to locked files should not be left in unlocked desk drawers or other areas accessible to unauthorized personnel.
Credit card slips should not be sent through the regular intercampus mail service.
Paper checks, sent through intercampus mail, should be placed in sealed envelopes.
Shred confidential paper documents that are no longer needed, and secure such documents until such shredding occurs. Confetti shredders are recommended. If Facilities Management is needed to provide shredding services, ensure that clearly defined security measures are adhered to.
Documents containing confidential information should be retrieved immediately from copy machines, faxes and printers.
When faxing sensitive information, double-check the recipient's fax number before hitting “start”. Do not send a fax to an office that is not open for business.
Include only necessary sensitive information on all outgoing correspondence.
Information Stored Electronically
Computer screens in public areas should be oriented away from the view of people passing by. Screen savers should be set to activate in a reasonably short period of time.
When working with a student, be sure that only sensitive information belonging to that student is visible on the computer screen.
All computers are to be turned off at the end of the workday; e.g. the computer at your desk should be shut down and turned off.
Secure passwords and restrict access to them. Passwords written on a post-it in a work area, placed under a keyboard, or stored in an unlocked drawer are not safe from unauthorized access.
Passwords should not be shared.
When prompted by UCT, make password changes promptly even if your privileges allow you to bypass change policies.
System updates should be done regularly. If the system sends a cue to update a file, respond promptly.
Follow all UCT and University System IT policies and procedures regarding information technology security.
Immediately advise a UCT supervisor of any suspicious activity on University computers.
E-mail / Voice Mail / Phone / Cellular Device Cautions
Understand that e-mail transmission outside of our in-house GroupWise system is not secure. Information can be opened or read by someone other than the intended recipient. USM e-mail transmissions are NOT encrypted.
Privacy and confidentiality of e-mail messages are not guaranteed. Users should exercise caution in using e-mail to communicate confidential or sensitive matters.
Limit the use of student social security numbers in e-mail messages. Never put the number in the subject line of the e-mail.
When inviting callers to leave messages on voice mail, limit the requested account information to a full name and last four digits of a student account number.
If it is necessary to take credit card information over the phone in a public area, use caution in verifying the numbers back to the caller.
Be aware that information stored on laptops, cell phones and other mobile devices is susceptible to equipment failure, damage, or theft. Information transmitted via wireless connections is not always secure.
Protect and secure mobile devices from theft at all times.
If you deal with vendors or other outside parties who handle USM information that must be safeguarded, be sure that the necessary clauses pertinent to safeguarding responsibilities (available from the USM GLB Coordinator) are included in USM’s contracts with them.
Where to Go for Help
If you are in doubt about whether certain financial information is considered private, contact the GLB Coordinator at USM, Cindy Quinn, at 780-4888; if you have questions about safeguarding the privacy of student records, contact Steve Rand, Registrar, at 780-5107; you may call the USM Computing Technologies Help Desk at 780-4029 for questions regarding the safeguarding of electronic information.