Safeguarding Confidential Information

Williamson College of the Trades is committed to safeguarding confidential information for its students and employees. College policy implements administrative, technical, and physical safeguards designed to:

  • Ensure the security of any confidential information in the college’s custody in all forms, no matter if that information is contained electronically, written, or in any other format.
  • Protect confidential information against any threats or hazards of integrity, unauthorized access, or unauthorized use.

Definitions

Confidential Information

Confidential information means any information not exempted in specific legislation and identified as personal, sensitive, or confidential such as personally identifiable information, individually identifiable health information, education records, and non-public information as specified in all applicable federal or state laws, plus Williamson College policies. Confidential information includes, but is not limited to, the following examples:

  • Social Security number
  • Physical description
  • Home address
  • Home telephone number
  • Ethnicity
  • Gender
  • Education (except student records which are exempted by FERPA)
  • Financial matters
  • Performance evaluations
  • Verbal or written statements made by or attributed to the individual
  • Medical and employment history
  • Driver’s license number
  • Account number, e.g., identification number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Confidential information may include individually identifiable health information. This includes any information, including demographic information collected from an individual, created or received by a health care provider, health plan, employer, or health care clearinghouse. This includes information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to the individual, or the identification of the individual.

In addition, electronic confidential information is defined as any electronic format which includes an individual’s first name or first initial and last name or education in combination with any one or more of the following data elements, when either the individual’s name or the data elements are not encrypted:

  • Social Security number
  • Driver’s license number
  • Account number, e.g., identification number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Unauthorized Disclosure

Unauthorized disclosure means to disclose, release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity.

College Practices in Safeguarding Confidential Information

All confidential information must be cared for with the appropriate level of physical and electronic (logical) security. When working with confidential information the college takes on the custodial responsibilities for that information. Thus each person who accesses this information also has the responsibility to:

  • Identify
  • Protect
  • Communicate
  • Maintain

These terms are defined below. Note: These lists are not exhaustive. Each of them is provided to serve as examples. As technology develops, each of these lists should be expanded to cover additional techniques and devices as appropriate.

Identify

Identify and inventory where confidential information is stored, processed, or transmitted. Here are some examples:

Confidential Information

  • Emails
  • Electronic documents
  • Printed information (paper)

Computer Information Systems

  • Desktop computers
  • Laptops / notebook computers
  • Mobile devices

Local Storage Device

  • Hard drive
  • Internal memory sticks/cards

Removable Media

  • External hard drives
  • CD or DVD (optical)
  • USB-devices

Remote Storage Device

  • Shared/mapped drive
  • Network Attached Storage (NAS)
  • Storage Attached Network (SAN)

Protect

Protect confidential information against unauthorized access, unauthorized use, loss, or damage. The college maintains a custodial partnership with each individual who accesses its network. Following specific policies and procedures in exercising this partnership is the responsibility of both the institution and individual to include:

The Individual:

  • Do not share or disclose personal authentication credentials, such as user-IDs and passwords or other forms of electronic authentication with other individuals.
  • Do not use personal credentials for authentication to provide other individuals with access to any information systems containing confidential information.
  • Do not leave computer equipment or portable storage devices unattended.
  • Use caution when accessing email, and do not trust any unexpected emails. Never open an attachment without first verifying its type and checking it with an antivirus program. If in doubt, delete it, and/or contact the sender first.
  • Position monitors and printers so that others cannot see or obtain confidential or sensitive data.
  • Log out, shut down, or lock the system when leaving your computer unattended at any time.
  • Keep portable equipment and storage devices such as CD, DVD, USB drives, or other removable storage media in an appropriately access limited location.

The College:

  • Maintains up to date, and installs all appropriate, security software updates in all computer workstations and laptops and software applications.
  • Installs and maintains antivirus software in all computer workstations and laptops and sets them to auto-update to install the latest antivirus signatures.
  • Uses boot-up (BIOS) passwords for appropriate computer systems and sets strong authentication for all user accounts, including any accounts with administrative rights.
  • Enables screen savers with authentication (locking passwords) for all computer systems.
  • Uses physical safeguards (keys, cipher locks, passwords, etc.), to secure confidential information, which are changed regularly, including every time someone who formerly had authorized access either leaves college employment, no longer has job requirements which require access, or a key securing such access is lost, stolen, or unaccounted for.

Communicate

Individuals accessing the college’s network have a responsibility to communicate with care to include

  • Promptly report any possible unauthorized access, use, or loss of information or an information system to your immediate supervisor.
  • Never send confidential information using non-secure applications such as IM, chat programs, or regular email.
  • Never send sensitive information to email accounts other than on-campus accounts. Use an authenticated method of distribution when on-campus accounts are not available.
  • Always use an authenticated and approved protocol for remote communication when accessing critical servers or resources containing personal or confidential information. Use the campus VPN when accessing any critical servers such as CMS or SIS from off campus.
  • Get appropriate authorization before taking college equipment off site.

Maintain

The college and individual must work in partnership to

  • Maintain confidentiality, integrity, and keep access measures up-to-date.
  • Securely dispose of unnecessary confidential information in an approved manner.
  • Remove any confidential and private information that is no longer needed. This will minimize the liability in case the computer becomes infected or compromised.
  • Ensure that confidential, sensitive, or personal data is properly cleansed from internal disks or removable media prior to disposal or transfer to others. Seek authoritative advice on disposing of equipment and data.