Working with personal and confidential information out of the office or in home offices increases the risk of the information being lost or compromised.
As Athabasca University (AU) is covered by the Freedom of Information and Protection of Privacy Act, AU must make reasonable security arrangements to protect personal information against such risks as unauthorized access, collection, use, disclosure and destruction. AU could be held legally liable if it fails to meet these requirements. As employees of AU, we all share responsibility for helping the organization meet these requirements. These best practices have been prepared to provide guidance on meeting them.
Physical loss or theft of devices;
Inappropriate access by unauthorized individuals;
Communication of protected information through unprotected channels;
Printing information without appropriate disposal options;
Accessing or loading information on unprotected home devices;
There are a number of records management and security areas that will be addressed in these best practices: electronic and physical records management, security of personal information, faxing, and email.
Physical records may include correspondence, documents, hand-written notes, daytimers, faxes, and paper files. Electronic records may include email, electronic calendars or word processing files.
Never travel outside of the office with personal information unless you absolutely have to. If you have to take the information with you, take the least amount you need. Take copies instead of originals.
While you are away from your office or home, all personal and confidential information should be stored in a locked storage container or in a location reasonably secure from theft (locked office or desk drawer).
All computers, PDAs and other electronic devices must be password protected.
All electronic records of personal information must be encrypted.
Always log off your computer when you step away. Set the automatic logoff on your computer or device. Shut down your computer or device if you plan to be away for a longer length of time.
Use security locks to secure computers and electronic devices containing personal and confidential information.
Do not share a computer or electronic device with others if it contains personal and/or confidential information.
Avoid accessing personal or confidential files while traveling. If you must, take precautions to prevent unauthorized access. Be aware of your surroundings and who is in the vicinity.
Avoid using cell phones to discuss personal or confidential business where the call can be easily overheard or intercepted. This also applies to in-person conversations.
Always be in control of any personal or confidential information in your possession.
Do not leave records in plain sight. Always store records securely.
When working at home, personal or confidential information should be stored in a locked drawer or cabinet. The drawer or cabinet should contain only work related records and no one else should have access to it.
Never store personal or confidential information on the hard drive of your computer or electronic device. AU makes alternative storage solutions available.
Your home computer should have effective Internet security measures such as anti-virus software, encryption software and firewalls.
Use the email and phone lines provided by AU for AU related business.
Avoid emailing or faxing personal or confidential information from public locations.
Do not ask someone else to photocopy or fax personal or confidential information.
Destroy transitory documents regularly and “housekeep” your documents on a regular basis.
If personal or confidential information is stolen or lost, immediately notify the FOIP/Policy Coordinator and the Computing Services Help Desk.
Be aware of existing records management practices. Contact your supervisor or the Manager, Institutional Records/University Archivist for direction.
Incorporate the highest level of security appropriate for the information. Example: Lock your briefcase in the trunk of your car when transporting personal or confidential information.
Destroy copies and drafts of information when no longer needed.
If a portion of a file is required to do the work, remove only that portion, not the entire file.
Records containing personal or confidential information must be destroyed in the appropriate method – not just thrown in the trash or recycling bin.
Don’t save electronic files under a person’s full name, student ID, or a combination of the two. Keep file names as anonymous as possible.
Computers or electronic devices containing or used to access personal or confidential information need to be password protected.
Change passwords regularly.
Do not share memory sticks or other external devices that contain personal or confidential information.
Position computer monitors/screens for maximum privacy.
Never leave your computer with work displayed on the screen.
Have a designated work space which will ensure adequate privacy to complete your work.
Protected information should not be submitted by email or via the internet without being appropriately secured via encryption, password-protected attachments or other effective methods.
Peer-to-peer file sharing applications should not be used in connection with records containing protected information.
Any physical records that are no longer required need to be returned to the appropriate department or destroyed as required by the appropriate retention and destruction schedules.
A “clean-desk” method of working should be adopted.
Do not make or store more copies than you need.
Faxes containing protected information must be removed from the fax machine as soon as possible to prevent unauthorized access.
Always use a fax cover sheet that contains a confidentiality clause along with the sender’s name, telephone and fax numbers, the recipient’s name, telephone and fax numbers and the number of pages sent.
Mark protected information confidential.
If a fax contains protected information, confirm when the fax will be sent and that the appropriate recipient has received it.
Confirm correct fax numbers or email addresses before sending.
Avoid using pre-programmed numbers if faxing protected information. If you do use a pre-programmed number, confirm that it is correct.
When faxing or emailing protected information, consider using unique identifiers or codes in place of names to protect identities.
If you receive a fax or email in error, notify the sender and promptly return or destroy it, as requested by the sender.
When receiving a fax always check the number of pages against the number indicated on the cover sheet.
Check the send report or confirmation sheet to confirm fax numbers and to confirm the number of pages that went through.
If you use computer faxing, create appropriate folders and directories with password access so that only authorized people can see the files.
If someone asks you to send protected information by fax or email, explain the possible risks involved and have them consent before emailing or faxing.
If protected information is mistakenly faxed or emailed to the wrong person or is otherwise compromised, immediately contact the FOIP/Policy Coordinator.
Never use an email alias to email protected information.
Always remember that an email may be read during transmission. If you must email protected information, it should always be encrypted.
Email mailboxes that are used to send protected information should have a secure password known only to the employee using it. In the case of a common mailbox, only those employees who have authority to view the contents should have the password.
Remove emails from your computer as often as you can. Do not retain anything that is considered transitory, and do not keep emails on your computer that would be more securely stored within your centre or department.
Office of the University Secretariat, July 2006