Best Practices

• Apply privacy principles to everyday work.
• Determine whether information is necessary and relevant to document/process.
• Adopt "clean desk" practices: secure documents in locked cabinets; lock computer when unattended (even temporarily).
• Do not include information classified as Protection Level 3 or 4 (P3 or P4) on payment documents (post travel, direct pay, etc).
• P3 and P4 information should not be included in email. What to do if P3 or P4 information ends up in email.
• Please note the University's email servers are not encrypted/secure.
• Ensure data is encrypted if electronic systems are unsecure and do not use unsecure email to transmit.
• When SSN is requested to confirm identity, use last four digits only.
• Inform vendors SSN is not required on invoices.
• Establish password access to databases containing personal and restricted information.
• Do not scan documents containing restricted information using unsecure scanner.
• Do not store documents containing restricted information if not 'Office of Record'.
• Follow disposition policies -- Personal information must be disposed of in a secure manner, e.g. by shredding or via secure service -- do not recycle or place in trash receptacle.
• Ensure personal information is removed from computers, hard drives, USB devices, etc. prior to equipment reuse/disposal.
• Report suspected information security breach immediately to supervisor, Information Practices, and ITS (hard copy and electronic).
• Avoid "shoulder surfers".