Inventory all file storage and electronic equipment. Know where your department stores sensitive data.
Talk to your employees and outside service providers to determine who sends personal information to your department and how it is sent.
Consider all the ways you collect personal information and what kind of information you collect.
Review where you keep information you collect and who has access to it.
Scale Down
Use social security numbers only for required and lawful purposes. Don’t use social security numbers as employee/student identifiers. Review any forms that you use to gather data and revise them to eliminate requests for information that you don’t need.
Keep credit card information only if your department has a business need for it. Make certain that your department is PCI (Payment Card Industry) Compliant in accepting credit card information. Visit https://cashier.rice.edu/payment-card-handling-guidelines for more information.
Truncate account information on electronically printed credit or debit card receipts that you give to customers. Do not include more than the last 5 digits of the card number and do not include the expiration date.
Develop a written records retention policy, especially if you must keep information for business reasons or to comply with the law.
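The receipt rule above (no more than the last 5 digits of the card number, no expiration date) is easy to get wrong in a point-of-sale template and easy to check afterwards. The following is an added example, not code from the Rice cashier guidelines or any real POS system: it masks a card number to the last 5 digits, renders a customer copy that never includes the expiry, and scans receipt text for anything that still looks like a full card number (a 13-19 digit run that passes the Luhn checksum) or an MM/YY expiry. The merchant name, amount and card number below are constructed sample values; 4111 1111 1111 1111 is a well-known test number, not a real account.

```python
import re

# Policy from the guideline: print at most the last 5 digits, never the expiry.
KEEP_LAST_DIGITS = 5


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; separates card numbers from other long digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = KEEP_LAST_DIGITS) -> str:
    """Return the card number with everything except the last `keep_last` digits replaced by '*'.
    Accepts spaces or dashes as separators; rejects input that is not a plausible card number."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("card number must be 13-19 digits")
    if not luhn_valid(digits):
        raise ValueError("card number fails Luhn check")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def render_receipt(merchant: str, amount_cents: int, pan: str, expiry: str) -> str:
    """Build the customer copy. The expiry arrives with the transaction data but is
    deliberately never written to the receipt; only the masked card number is printed."""
    del expiry  # accepted so callers can pass the whole transaction, discarded on purpose
    lines = [
        merchant,
        f"Amount: ${amount_cents // 100}.{amount_cents % 100:02d}",
        f"Card: {mask_pan(pan)}",
    ]
    return "\n".join(lines)


# 13-19 digits, optionally separated by single spaces or dashes, not adjacent to other digits.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY not followed by another slash (so a full date like 12/23/2024 is not flagged).
_EXPIRY = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b(?!/)")


def find_unmasked_pans(text: str) -> list:
    """Return digit runs in `text` that look like full card numbers (13-19 digits passing Luhn)."""
    hits = []
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def find_expiry_dates(text: str) -> list:
    """Return MM/YY tokens in `text`; heuristic, so review hits rather than acting on them blindly."""
    return _EXPIRY.findall(text)


def receipt_is_compliant(text: str) -> bool:
    """True when the receipt text carries neither a full card number nor an expiry date."""
    return not find_unmasked_pans(text) and not find_expiry_dates(text)


if __name__ == "__main__":
    # Constructed sample transaction (test card number, not a real account).
    good = render_receipt("Example Dept", 1999, "4111 1111 1111 1111", "12/26")
    print(good)
    print("compliant:", receipt_is_compliant(good))
    # What a broken template would print, run through the same check.
    bad = "Example Dept\nAmount: $19.99\nCard: 4111 1111 1111 1111 exp 12/26"
    print("unmasked:", find_unmasked_pans(bad), "expiry:", find_expiry_dates(bad))
```

Run the scanner over a sample of printed receipts (or the template's rendered output) rather than trusting the template by inspection; the Luhn filter keeps order and reference numbers from producing noise, while the expiry pattern is a heuristic that is worth a manual look when it fires.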
Lock It
Put documents and other materials containing personally identifiable information in a locked room or file cabinet. Review access controls to your departmental office. Modify controls as needed to make certain that the office is secure. Remind employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
Encrypt sensitive information if you must send it over public networks. Regularly run up-to-date anti-virus and anti-spyware scans on individual computers.
Require employees to use strong passwords or passphrases, and caution employees against transmitting personal information via email. Continue to educate employees on how to avoid phishing and other internet scams that could cause a data breach. Create a laptop security policy that covers both work within your office and travel by your employees. Create a procedure to make sure that workers who leave the University no longer have access to sensitive information within your department.
Dispose of paper records by cross-cut shredding. Make shredders available throughout the workplace, including next to the photocopier.
Make sure that your staff is separating documents that are safe to trash from the sensitive data documents that need to be shredded.
Contact the OIT Help Desk in order to coordinate the wiping of computer hard drives from old computers that your department may wish to sell or dispose of.
Give traveling employees and those who work from home a list of procedures for disposing of sensitive documents, old computers and portable devices.