Safeguarding Confidential Information

Integrity in action:
Safeguarding confidential information

We conduct business in a complicated, fast-paced, and service-oriented culture. Requests for information pour in through e-mail, error reports, telephone inquiries, surveys, drop-in visits, and other means of communication too numerous to mention.

In response, we gather, store, retrieve, and analyze a wide range of data. Ready access to data is essential for good customer service, but an easy and quick reporting culture has given rise to concerns for privacy.

What?s all the fuss about?

Focusing attention on this issue is important for a couple of reasons. First, Purdue?s culture values integrity. We take this seriously. A formalized Statement of Integrity actually spells out our responsibilities to act ethically and in a manner that builds trust. Confidentiality is an integral part of integrity.

Another reason is risk. The list of laws enacted to safeguard information is growing. Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley (GLB) privacy rules are the most recent additions to the protections already in place from Americans with Disability Act (ADA), Family Educational Rights and Privacy Act (FERPA), Worker?s Compensation (WC) and various other laws that have shaped the way we do business. Improper disclosure of private information is harmful and damages reputations. In addition to resources required for investigating and correcting problems, the law allows for civil penalties against individuals and/or institutions found to be in violation of the law.

It makes good business sense to raise awareness and offer guidelines to members of the Purdue community to help them deal with information thoughtfully and carefully.

What is confidential?

Purdue is a large, decentralized, and diverse organization; we are subject to many overlapping rules and regulations. It?s simply not possible to define every situation and every data element that might be considered confidential. However, some categories of information clearly require cautious and discrete use. All supervisors and business office staff should be careful about sharing the following kinds of information:

* Age * Gender

* Disability status * Social Security number

* Home address and telephone * Salary history

* Benefits enrollment choices * Medical claims, diagnosis, or injury reports

* Performance issues * Deduction amounts taken from pay

* Termination reasons * Credit card transaction data

* Student records

Some departments at the University require special training if the primary function of one of its units is receiving and transmitting protected information. Specialized training has been developed for these areas.

Shhhhh. It?s not just confidential at your desk.

Integrity requires congruence between your professional life and your personal habits. Conversations overheard, chats by the coffee pot, and information that comes to you incidentally need to be treated with the same caution as a letter or e-mail correspondence that lands on your desk.

After you move to another position, private information remains confidential. Reporting to another department or organization does not relieve you of the responsibility of safeguarding protected information.

Tips, techniques, and best practices

Here are ways you can help protect confidential information.

Telephone:

Check out your surrounding while you are on the telephone. Who can overhear? Discuss confidential information quietly.

If you cannot speak directly to the person you need to reach, leave generic messages.

Fax Machine:

Use fax machines located in the most confidential location possible.

Call ahead to alert the receiver so that they might retrieve the info. Double check the fax number with the receiver.

Use a cover sheet with a confidentiality notice printed on it.

If you accidentally send the report to the wrong person, attempt to retrieve it.

If you know confidential info is coming to you, retrieve the transmission promptly.

Check the fax machine at the end of the day to retrieve and deliver all confidential material.

If you receive a fax in error, call the sender and report the error. Destroy the misdirected document.

Copy Machines and Shared Printers

Remain at the machine if confidential info is being copied or printed.

Retrieve the originals. Scout the area around the machine for confidential documents before leaving the area.

Press ?reset? to clear the copier?s memory.

If the copier or printer jams, stay with the machine until all the paper is removed from inside. Destroy the bad copies.

E-mail Procedures

If responding to an individual who requests sensitive information about herself or himself, reply first by confirming the person?s approval to correspond via unsecured e-mail.

Computer Security:

Guard your password.

Lock your workstation (password protect) when you are away.

Position your computer screen so that visitors can?t see sensitive information.

Discontinue system access when an employee leaves a position with rights to databases containing confidential information.

Records, Files, and Paper:

When the office is unattended, lock files containing legally protected information.

Keep confidential information in your workspace out of sight (in folders, face down) from passersby and visitors.

Shred or confidentially destroy sensitive information. Don?t throw this paperwork in the trash.

Customer Service:

Confirm the identity of your caller.

If you are uneasy about disclosing information, here are some techniques:

- Offer to send the information in writing directly to the employee or student

- Offer to speak directly to the employee or student

- Politely refuse to provide the information

Where to get guidance?

This topic brings up many issues and questions. If you need assistance in sorting out a business practice in your area or answering a specific request for information, you can contact Employee Relations at 49-41679.

While we are expected to guard some kinds of information, Purdue is a public institution subject to the Public Records Act. Some information must be shared. If someone refers to the Public Records Act and asks for information about another person, the University?s Public Records Officer (Lucia Anderson) can provide guidance. Subpoenas are also directed to the University?s Public Records Officer.

- Susan Davis
HRIS Manager

Go to LeadingEdition Home Page.

E-mail us.

Visit the LeadingEdition index of articles and past issues.

LeadingEdition is an electronic newsletter for Purdue University supervisors. It is produced and distributed by Purdue University Human Resources four times annually. If you have questions, comments or suggestions relating to the newsletter, please call 49-41679 or email us. Thank you.