Guidelines for Handling Sensitive Information
Mishandling of sensitive information is a significant risk to the University, and may cause considerable
financial or reputational harm. It is the responsibility of all UGA personnel, regardless of position, to
protect sensitive information by being aware of any sensitive
information they may be handling, retaining, or transmitting. It is also the responsibility of UGA system
administrators to keep track of which of their systems contain or use sensitive information. Use
the guidelines below as recommendations for how best to protect sensitive information.
A definition of sensitive information can be found on the
University's Information
Classification Standard, while more technical recommendations for securing systems that store or process
sensitive information can be found in the
University Guidelines for Trusted Computing.
Guidelines

Employees are expected to have a sufficient understanding of "sensitive" information.
The first step in protecting sensitive information is understanding it. We all need at least a general
knowledge of what makes certain records sensitive and in what contexts information should be protected.
The University's Information
Classification Standard is helpful for determining whether the information you handle is sensitive.

Sensitive information may only be collected, stored, or processed if a need to do so exists, and if
that need cannot be satisfied in any other way.
In many cases, there are lower risk alternatives to sensitive information. The CAN (810) Number, for
instance, can be used instead of a social security number to identify students. In cases where
there is no viable alternative, it's important to ask: Is the need for handling this information
outweighed by the risk? If so, rethink your approach.

Employees are expected to be aware of the sensitive information for which they are responsible
and the purpose of its use.
Employees who handle sensitive information have a responsibility to the individuals to
whom it pertains. Make sure you know what information is in your possession or on your systems
and why you must keep it. Take time to search your systems for sensitive information that you
may have inadvertently retained.
The SSN Replacement Initiative, CAN the SSN,
provides links to tools and resources for searching for SSNs, which can be adapted to other forms of sensitive information.

Access to sensitive information should be kept on a "need to know" basis.
As stated before, ensure that you have a legitimate need to have access to sensitive information
in the course of your official responsibility. If not, dispose of it properly. If you share
sensitive information with others, ensure that you are authorized to do so and that they have a
legitimate need for access. If others do not have a "need to know" do not share
sensitive information with them.

Access to sensitive information should only be allowed to "trusted" individuals.
An individual's "need to know" does not imply that he or she can be trusted
with sensitive information. Ensure that all parties with whom you share information are
bound to maintain its confidentiality. In the case of coworkers, confirm with management
that they are authorized to access the information. In the case of third parties, ensure that proper
contractual agreements are in place and that they adequately provide for the protection of sensitive information.

Employees should not access or seek to access sensitive information without authorization.
The ability to access information does not imply the authority to do so. Only use the sensitive
information you are entrusted with for the purpose it was intended. Using sensitive information for
purposes outside of its intended scope is a violation of ethical practice and in some cases may be a
violation of law.

Sensitive information must be stored securely.
Sensitive information should always be kept in a secure environment, for example in a locked filing
cabinet in an office which is always either staffed or locked. Electronic documents pose a high risk.
If you must store sensitive data in electronic documents, encrypt the documents.
the document. Systems that contain sensitive data must have appropriate security safeguards in place to protect
this information. These systems should comply with the University Guidelines for Trusted Computing.

When transmission of sensitive data is required, use only secure methods.
Great care should be taken when sensitive data is being sent to other staff members. Use a secure means of
communication, address the information correctly, and mark it confidential.
E-mail and other insecure methods should not be used.

Sensitive information must be destroyed when it is no longer needed.
Sensitive information that has outlived its purpose still poses a risk. This information should be
properly destroyed. When you dispose of an old computer, or throw away a used or defective storage
media such as a hard disk or a floppy disk, make sure that nothing sensitive was left in that computer
or storage media. This guide to
sanitizing data outlines how to properly dispose of sensitive information. It is also
important to know the legal requirements to retain records. The
USG Records Retention Schedule is a
comprehensive list of record types and retention rules.

When loss of or unauthorized access to information has been detected, or if it is suspected, the Office of Information Security must be notified.
The Office of Information Security Incident Response Team is here to help minimize the impact of a security
event. Making them aware of an incident as soon as possible will help protect the interests of the institution,
our students, and your organization. Reporting incidents is mandatory under Board of Regents policy. To report
an incident, either call the EITS Help Desk at (706) 542-3106, or submit an online request.