Data privacy - Protecting sensitive information
Sensitive data is private information about companies, organizations, projects or people. It includes personal and financial data as well as intellectual property and proprietary business information. It is found everywhere: in printed documents, physical files, portable storage media (CDs/DVDs/USB), laptops/computers, mobile devices, printers, online accounts and cloud services (e.g. Google Drive). It is important that this information is properly shared, stored and protected throughout its lifecycle, and properly destroyed so that it is unreadable when it is no longer needed.
Data privacy best practices
- Ensure that only those who need to see the information have access to it
- When sharing information, how it is handled must match the level of its sensitivity
- Securely store physical files, portable media and mobile devices
- Avoid sending sensitive information via email or using other electronic forms
- When sensitive information must be sent using electronic forms, it should be protected by encryption and a password
- Destroy sensitive materials in physical and electronic form when they are no longer needed or are out of date
- Shred paper documents, CDs and DVDs
- Dismantle and destroy flash drives, memory cards and backup tapes
- The more copies there are, the greater the exposure.
- If you don't need to download a report from Argos/FAST/Banner etc. to get the information you need, don't download it.
- Limit what you download from secure services. Only download what you need.
- For mass distribution emails, ensure that student and parent/guardian email addresses are in the Bcc field and not the CC field (which is viewable by other recipients).
- Use the Bcc field if sending to several third parties such as students, parents or guardians. Email addresses of employees acting in their official capacity, as part of conducting University business, can go in the To field.
- Use the Bcc field when sending an email to several employees if it contains a notification that may cause embarrassment for the recipients, such as overdue training notifications, not following policy, etc.
- Ensure the email content does not inadvertently contain personal information (e.g. forms or attachments that were intended to be blank but instead contain personal information).
- Be especially attentive before sending an email at the end of the day on a long weekend or before an upcoming holiday. Most accidental privacy breaches occur during these times.
- Encrypt mobile storage devices such as USB drives and SD cards
- Protect your laptop and mobile devices with a strong, unique password
- Limit how much information is on your mobile device when crossing the border. You may be required to hand over your device and give border agents access to it.
- Deleting data or reformatting the device will not destroy the data stored on the device. The device must be sanitized or wiped properly.
- Contact the IT Service Desk to find out how.