Confidential/Protected Information Handling Guidelines
Information is one of UConn University’s most valuable resources and as such requires responsible management by all members of the UConn community. This document establishes guidelines for the proper protection of these valuable resources and promotes UConn’s maintenance of strict confidentiality in compliance with applicable policies as well as state and federal regulations.
These guidelines address the handling of confidential/sensitive data – whether communicated orally, in hard copy or electronic format; stored on desktop machines or mobile devices; or moved to media such as CD, tape, flash memory, or paper – for all members of the UConn community, including staff, faculty, students, affiliates, volunteers, and vendors.
Particular emphasis is placed on UConn Restricted Information, defined as information that should not be made public and which should only be disclosed under limited circumstances.
Access to information should be limited to those who need the information in order to fulfill professional responsibilities. All members of the UConn community who have been granted such access should exercise care and judgment to ensure adequate protection of information by following the practices delineated in the document UConn Checklist for Protecting Information.
Individuals should not disclose any UConn confidential or protected data that they obtain as a result of their employment at UConn to unauthorized persons. Employee obligations related to the appropriate handling of data are outlined document Policy on responsibility for maintaining currency of legal obligations with respect to university data.
UConn confidential and protected data should be protected whether it is being stored (on various media), transmitted (via network or email) or archived.
UConn confidential or protected data should never be transmitted over the network “in the clear.” It should always be transmitted using an Information Security Office approved encryption mechanism. The University does currently have an enterprise encryption solution, McAfee Endpoint Encryption. Specific information on how to get your computer(s) encrypted can be found at http://encryption.uconn.edu/. Other types of encryptions that the security office can assist you with, on a case-by-case basis, include VPN transmission, secure FTP, and file encryption.
All UConn confidential or protected nformation should have identified Data/Records Owners, who are responsible for implementing the following good managerial controls:
- Creating and reviewing audit trails of access to restricted data
- Regularly reviewing who has access to what data
- Monitoring preventive controls for compliance in their departments
- Educating end users regarding protection standards – set expectations
- Ensuring that there is appropriate training of staff on proper handling of restricted information
Specific information related to Data Ownership responsibilities can be found in the document ‘Roles and responsibilities with respect to University data’
Strict control should be maintained over access to work locations, records, computer information, cash and other items of value. Individuals who are assigned keys, given special access or assigned job responsibilities in connection with the safety, security or confidentiality of such records, materials, equipment, or items of monetary value should use sound judgment and discretion in carrying out their duties and will be held accountable for any wrongdoing or acts of indiscretion. Furthermore, information may not be divulged, copied, released, sold, loaned, reviewed, altered or destroyed except as properly authorized within the scope of applicable federal or state laws.
At the conclusion of their employment or affiliation with UConn, individuals shall relinquish ownership of all University documents and records. They shall also maintain the confidentiality of University information even after they leave the University
All restricted information should be disposed of in a confidential manner. To dispose of such records departments and offices must:
- If you think you may have, or had, access to confidential or protected information on your computer follow the Procedures for locating and removing sensitive data stored on computer hard drives.
- Take extra measures to wipe clean the hard drive of any machine or device that may contain restricted information before discarding, sending to surplus, or transferring it to another individual or department. (see Procedures for Removing (Wiping) Data from a Computer Prior to Re-Deployment, Surplus or Disposal)
- Shred restricted paper documents that are no longer needed and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protect discarded information and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.