- Apply privacy principles to everyday work.
- Determine whether information is necessary and relevant to the document or process.
- Adopt “clean desk” practices: secure documents in locked cabinets; lock computer when unattended (even temporarily).
- Do not include information classified as Protection Level 3 or 4 (P3 or P4) on payment documents (post travel, direct pay, etc.).
- P3 and P4 information should not be included in email. What to do if P3 or P4 information ends up in email.
- Please note the University’s email servers are not encrypted/secure.
- Ensure data is encrypted if electronic systems are unsecure, and do not use unsecure email to transmit it.
- When SSN is requested to confirm identity, use last four digits only.
- Inform vendors SSN is not required on invoices.
- Establish password access to databases containing personal and restricted information.
- Do not scan documents containing restricted information using an unsecure scanner.
- Do not store documents containing restricted information if not ‘Office of Record’.
- Follow disposition policies — Personal information must be disposed of in a secure manner, e.g. by shredding or via secure service — do not recycle or place in trash receptacle.
- Ensure personal information is removed from computers, hard drives, USB devices, etc. prior to equipment reuse/disposal.
- Report a suspected information security breach (hard copy and electronic) immediately to your supervisor, Information Practices, and ITS.
- Avoid “shoulder surfers”.