Standard for Handling Institutional Information - 6. Special Handling Instructions
The special handling instructions referenced in the requirements above are provided in the following sections.
Documents that must be labeled “Confidential”
If a document is concealed in an envelope, then "Confidential" is only needed on the envelope. If the envelope is being sent via campus mail or external carrier, it should be enclosed in a second, outer envelope that does not bear any label. If a document is not concealed in an envelope, then the document itself must be labeled "Confidential."
Documents/envelopes that must be labeled "Confidential" include (but are not limited to) those that contain:
- Americans with Disabilities Act (ADA) records
- Background/credit checks of employees and applicants
- Bank account/direct deposit/wire transfer information for individuals
- Benefits selection information (including beneficiary selections)
- Controlled Unclassified Information
- Credit/debit card numbers and other Cardholder Data
- Employee Assistance Program records
- Employee disability information
- Employee disciplinary information
- Equal Employment Opportunity case records
- Family Medical Leave Act documents
- Financial and/or tax information for students and/or parents
- Grievance cases and related investigative information
- Information Classified at Protection Level PL-4
- Information disclosed to or created by the University Ombuds
- Medical and/or psychological diagnoses
- N-numbers of students or employees
- Personal Data / Personally Identifiable Information of students or employees
- Social Security Numbers or Individual Taxpayer Identification Numbers
- Student disability information
- Student disciplinary information
- Subpoenas for student records
Generally, when documents that must be labeled "Confidential" are collected together (e.g., as part of a student’s or employee’s file), it is sufficient to label the folder or other container that holds the entire collection, without labeling the individual documents, so long as those documents are not circulated outside the department where they are kept. However, if a document is removed from the container to be sent outside the department (by mail, fax, or otherwise), it should be labeled prior to sending.
Hard copy disposal guidelines
Paper documents containing Sensitive Institutional Information must be disposed of by placing them in secure, locked recycling bins designed for confidential materials (available from Facilities Management) or by shredding them in a cross-cut or micro-cut shredder (strip-cut shredders are not acceptable). See the Standard for Disposing of Institutional Information for details on acceptable shredder parameters.
Documents containing Sensitive Institutional Information must not be placed in normal office trash cans or non-secure waste paper / recycling bins.
Microforms (microfilm, microfiche, or other reduced image photo negatives) must be destroyed by burning. See the Standard for Disposing of Institutional Information for details.
Mobile device security guidelines
- Mobile devices must not be left unattended and must be stored in a Secured location (described below) when not in use.
- Mobile devices should be protected by a secure password (a PIN or pattern is also acceptable), and auto lockout should be enabled.
- If the device has a “remote wipe” feature, that feature should be enabled. This also includes features that delete data stored on the device if a password or other security code is not entered correctly after a certain number of tries.
- If the device has a remote location feature (“Find My Phone” or similar), that feature should be enabled.
- Mobile devices should be wiped and/or data should be securely deleted from them prior to disposal or reuse (see Disposal of electronic media and electronic devices).
- If a device containing Sensitive Institutional Information is lost, stolen, or misplaced, the Information Security and Privacy Office and the Data Owner(s) should be notified immediately.
Sealed
Sealed means that an envelope is secured in such a way that tampering would be evident upon receipt of the envelope. Examples include using tape across the envelope flap, sealing a self-adhesive envelope, or placing a stamp or other sealing object across the envelope closure. An information user who receives a document containing Sensitive information in an envelope that appears to have been tampered with should immediately notify the sender of the document.
Secured location
A secured location means locked office furniture (desk drawers, file cabinets, etc.), locked offices, and other locations specifically dedicated to secure storage of university records and other Institutional Information (such as a departmental safe).
Note that a locked office, by itself, may not be sufficiently secure if personnel not authorized to access the information, such as maintenance and custodial staff, have access to the office. In this situation, the information should also be put away in a desk drawer or file cabinet, rather than left out in plain sight.
Unattended printing
Unattended printing is permitted for Sensitive Institutional Information so long as controls are in place to prevent unauthorized viewing or pick-up of the printouts. Printouts containing information Classified at Protection Level PL-4 should be picked up immediately. Access controls for unattended printing or faxing include:
- delayed output of printing and faxing until the recipient “releases” the printout or fax,
- utilization of a lock box for storage of unattended printouts and faxes, and
- purchase and utilization of a fax server to queue fax printouts.
For example, an acceptable practice is to send documents to a shared printer where a small group of people has access to the printer. A best practice would be to send documents to a shared printer that requires users to enter a PIN/password or swipe their ID card to release the printout (initiate printing).
TIP: All New School Konica-Minolta multifunction office printers offer secure printing by accessing Printer Properties > Basic > User Settings > Secure Print.