Legal Issues for Supervisors 401

  1. Legal Issues for Supervisors 401
  How to Protect the Confidentiality and Security of Private Information on W&L and its Constituents
  (C) Washington & Lee University 2007

  2. What’s this all about?
  • Three separate issues:
    • What is PRIVATE (personally identifiable information protected by law, policy, or common civility);
    • How to keep PRIVATE information CONFIDENTIAL (seen/heard by only those with a legitimate need to know); and
    • How to keep such information SECURE (so that it cannot be improperly altered, removed, or destroyed).

  3. Private information under law
  • Student education records (FERPA);
  • Financial account/loan records (Gramm-Leach-Bliley) [student loans, employee home loans];
  • Personally identifiable employee information kept by covered health plans (HIPAA) [health, dental, flex, EAP]

  4. Private information under law
  • Records related to employee disability (Americans with Disabilities Act) [kept separate from rest of personnel file];
  • Medical records related to family and medical leave (FMLA) and workers’ compensation;
  • Background check results (disposal) (FACTA)
  • Student medical treatment / counseling records (private under Virginia law)
  • Human Subjects Research (surveys, etc.)

  5. Private information under policy
  • Social security numbers and credit card numbers are included in W&L’s Information Security Program.

  6. Other private W&L information
  • Personally identifiable information re: donors, alumni and alumnae.
  • Proprietary W&L information (internal operations, financial/investments, research and institutional data not intended for public disclosure)

  7. Risks to private information
  • Unauthorized access or transfer
  • Disclosure beyond authorized request
  • Improper disclosure based on unauthorized request
  • Physical loss or destruction
  • Alteration/corruption
  • Improper interception
  • Other security compromise

  8. For example . . .

  9. Responsibilities of all W&L employees
  • All university faculty, staff, student workers, and volunteers are expected to comply with university policies and procedures on privacy, confidentiality and security.
  • New employees (faculty & staff) sign confidentiality and technology use agreements. Extend to all, including student workers?

  10. What should supervisors do to protect the confidentiality and security of private information?
  • Stress importance of sound information confidentiality and security practices to all employees.
  • Practice what you preach - - if you have no legitimate work-related or educational reason to access, disclose, or maintain information, don’t.

  11. What should supervisors do to protect the confidentiality and security of private information?
  • See that your staff receives training and resources on policies, procedures, and best practices for handling private information (use OGC as resource).
  • Be sure that only those in your department with a legitimate, work-related need to know have authority and access to private information.

  12. What should supervisors do to protect the confidentiality and security of private information?
  • Pay attention to provisions on confidentiality/security in vendor contracts where relevant (see OGC - - contract policy in development).
  • Notify University Computing of lost or stolen laptops, flash drives, etc. and the Telecommunications Manager for stolen phones, BlackBerrys, etc., and coordinate in advance with HR in the event of a termination.

  13. How to protect the confidentiality of private information - - general employee guidance
  • When in doubt, ask / confirm first before disclosing or accessing private information.
  • Don’t assume that just because you can access/disclose information, you should.
  • Disposal of documents with private information - - internal or external shredding - - other?

  14. How to protect the confidentiality of private information
  • Don’t leave private information in plain view when leaving your work area.
  • Lock file cabinets containing private information.
  • Keep your office locked when you, or other authorized employees, are not present.
  • Avoid multiple copies of private information unless needed.

  15. How to protect the confidentiality of private information
  • Don’t discuss private or sensitive information with open doors or in hallways, etc.
  • Treat private information as if it were about you.
  • Taking files home - - handle with care.

  16. Protecting electronic information
  • Password security:
    • 8 characters, alphanumeric
    • Change it often
    • Don’t share it with anyone
    • Don’t write it down and tape it close by
    • Give proxy to e-mail or calendar, not password to the account

  17. Protecting electronic information
  • Lock your workstation each time you leave it unattended (Ctrl/Alt/Delete)
  • Shut down your computer each evening (allows patches and updates to apply AND keeps others off the computer)
  • Keep anti-virus/firewalls, etc. up to date on home computers if you work at home
  • Have multiple user names/passwords

  18. Protecting electronic information
  • Safe e-mail practices:
    • Don’t open attachments if you aren’t expecting them
    • Don’t click on links in emails
  • Safe internet browsing:
    • Don’t click on it if you didn’t ask for it
    • Don’t allow random downloads
  • Safe instant messaging (AOL viruses):
    • Only communicate with known buddies

  19. Protecting electronic information
  • Consider placement of screen / visibility to office visitors
  • Use screen blockers
  • Be careful with flash drives, memory keys, diskettes, CDs, etc.

  20. What about when traveling?
  • Assume NOTHING is secure!!!
  • Wired is more secure than wireless
  • Always look for the encrypted (lock or equivalent) symbol to be sure communication is secure
  • Wireless off campus - - don’t log in to other sites unless the connection is encrypted

  21. What about while traveling?
  • Never use hotel lobby computers for anything sensitive or private - - only MapQuest-type inquiries, etc.
  • Why? Keystroke loggers . . . Scary . . .

  22. Specific private information
  • Student educational records (FERPA)
    • Know policy / guidance
    • http://registrar.wlu.edu/policies/ferpa.htm
    • Consent, unless school official with legitimate educational interest, subpoena, emergency, few other exceptions
    • Directory information – unless opt out
    • Resources – Registrar, counsel.wlu.edu

  23. Specific private information
  • HIPAA
    • Records kept by W&L health plans on employee medicals, claims, etc.
    • Group health, Flex, Dental, EAP
    • Deborah Stoner and Steven McClure are authorized officials (HR)
    • http://humanresources.wlu.edu/other/Benefit%20Plan%20Privacy%20Practices.htm

  24. Specific private information
  • Background check information (FACTA)
    • Disposal of such information
  • ADA/FMLA
    • Faculty/staff medical information related to disability accommodations or family/medical leave - - should be kept separate from personnel file (HR Office - - avoid duplicates in department)

  25. Specific private information
  • Personally identifiable financial information (finances, social security number, credit card) (GLB + W&L policy)
    • Treasurer’s office
    • HR
    • Financial Aid
    • Business Office
    • Bookstore, Alumni Office, Special Programs, Development, etc.

  26. Information Security Program
  • Internal inventory of department information security practices to identify and address any potential security concerns. FEDERAL LAW MANDATE.
  • Will begin with Financial Aid, Treasurer’s Office, Business Office, HR, and other offices maintaining social security numbers or credit card numbers.

  27. Required Information Security Program risk assessment
  • Interactive web-based risk assessment tool: http://law.wlu.edu/administration/surveys/financial.asp
  • Supervisor or knowledgeable designee should complete. Questions? Contact Jennifer Kirkland, Associate General Counsel (x8929).
  • If you have no financial information, or SSN#s or credit card #s, just say no.

  28. What to do in case of improper disclosure or other security breach
  • Notify Office of General Counsel, Ruth Floyd (University Computing) (if IT-related), and Scott Dittman (Chair, Information Security Program Committee)
