Best Practices

  • Apply privacy principles to everyday work.
  • Determine whether information is necessary and relevant to document/process.
  • Adopt "clean desk" practices: secure documents in locked cabinets; lock computer when unattended (even temporarily).
  • Do not include information classified as Protection Level 3 or 4 (P3 or P4) on payment documents (post travel, direct pay, etc.).
  • P3 and P4 information should not be included in email. See "What to do if P3 or P4 information ends up in email."
  • Please note the University's email servers are not encrypted/secure.
  • Ensure data is encrypted if electronic systems are unsecured, and do not use unsecured email to transmit it.
  • When SSN is requested to confirm identity, use last four digits only.
  • Inform vendors SSN is not required on invoices.
  • Establish password access to databases containing personal and restricted information.
  • Do not scan documents containing restricted information using an unsecured scanner.
  • Do not store documents containing restricted information if not the 'Office of Record'.
  • Follow disposition policies: personal information must be disposed of in a secure manner, e.g. by shredding or via a secure service. Do not recycle it or place it in a trash receptacle.
  • Ensure personal information is removed from computers, hard drives, USB devices, etc. prior to equipment reuse/disposal.
  • Report any suspected information security breach immediately to your supervisor, Information Practices, and ITS (hard copy and electronic).
  • Avoid "shoulder surfers".