Protecting Confidential Information

Protecting Confidential Information is the responsibility of every employee at Texas A&M University.  We understand that some of the rules and best practices surrounding Confidential Information can be confusing. This guide explains Confidential Information and related topics in a way that will hopefully provide you with a better understanding.

What is Confidential Information?

Confidential Information is data that must be protected from unauthorized disclosure or public release based on state or federal law. Examples of Confidential Information data may include but are not limited to the following:

  • Personally Identifiable Information, such as name, address, phone number, email address
  • Social Security numbers (SSNs)
  • Credit Card numbers
  • Financial Account Numbers
  • Student Education Records (including schedules)
  • Medical Records
  • Passwords

What Am I Supposed to Do With Confidential Information?

The short answer to this question is that you must protect Confidential Information from un-authorized or un-intentional disclosure. Here is a list of your main responsibilities:

  • Keep it confidential
  • Keep it secure
  • Do not distribute
  • Do not keep unless absolutely necessary
  • Follow encryption rules
  • Do not store/carry on portable devices (laptops, mobile phones, USB drives, etc.)
  • Remove information that has outlived its usefulness
  • Follow retention policies

Keeping Information Confidential

Your number one responsibility is to keep Confidential Information confidential. That means keeping it out of the hands of anyone who is not authorized to have it. Confidential Information should not be shared with anyone unless they are specifically authorized to have it.

Under the Family Educational Rights and Privacy Act (FERPA), educational records may be shared with other university officials only when there is a legitimate educational interest.

Some types of information may be covered under other laws such as the Health Insurance Portability and Accountability Act (HIPAA) which covers releases of medical information.

Keeping Information Secure

Protecting information from accidental release is what information security is all about. Following password procedures, using secured network resources, locking workstations, cabinets, and offices go a long way toward securing information. In general, information that you access on your workstation or through the network will be secure.

Portable computing devices have special requirements. Since they are portable by nature, devices such as CD/DVDs, laptops, PDAs, and USB drives can be stolen or lost. If these devices have Confidential Information on them, theft and loss can cause significant problems.

If you do release or suspect loss of Confidential Information, report it to your supervisor and the IT group immediately.

Encryption

University rules REQUIRE encryption and password protection of Confidential Information that is stored and transmitted electronically. This means Confidential Information that is stored on hard drives, CD/DVDs, USB drives, in applications, databases, or other portable devices, or that is transmitted via the Web, Email, or FTP must be encrypted.

Encrypting files is not as difficult as you may suspect.  There is a small utility that can be purchased to encrypt and protect files. If you need the ability to encrypt files, please contact our HelpDesk at 458-2984, or send an email to vpfnhelp@tamu.edu and request the PGP Encryption software.

Keeping Old Information

Are you keeping files that contain Confidential Information when you don’t need to?  Retaining Confidential Information that is no longer necessary increases your risk.  If you have files that contain Confidential Information and have completed the project, remember to delete the files containing confidential data?

One of the best things you can do to prevent unintended disclosure of Confidential Information is to not have it!

Record retention is the responsibility of the data owner and the university publishes guidelines for how long records are retained based upon their classification and use.