Sensitive and Non Public Information Policy
Delta State University adopts a sensitive and non public information policy to help protect employees, customers, contractors, and the university from damages related to loss or misuse of sensitive information.
Sensitive information includes the following items whether stored in electronic or printed format:
1. Personal Information
- Credit Card Information: credit card number (in part or whole), expiration date, cardholder name and/or address and security code
- Tax Identification Numbers: social security number, insurance card number and business/employer identification number
- Payroll Information: paychecks, pay stubs and pay rates
- Cafeteria plan check requests and associated paperwork
- Medical information for any employees or customers including but not limited to: doctor names and claims, insurance claims, prescriptions and any related personal medical information
- Other personal information belonging to customers, employees and contractors: Examples include name, date of birth, address, phone number, maiden name and customer name.
2. University Information
- Employee, customer, vendor, supplier confidential information, proprietary information or trade secrets.
- Proprietary and/or confidential information includes, among other things: business methods, customer utilization information, retention information, sales information, marketing and other University strategy, computer code, screens, forms, information about or received from the University’s current, former and prospective students, sales associates or suppliers, and any other non-public information. Proprietary and/or confidential information also includes the name and identity of any customer or vendor and the specifics of any relationship between and among them and the University.
3. Any document marked “Confidential”, “Sensitive”, “Proprietary”, or any document similarly labeled.
Encryption is the translation of data into a form that cannot be read without a secret key. It is one of the most effective ways to protect the confidentiality of stored and transmitted data. To read an encrypted file, employees must have access to the secret key or password that enables them to decrypt it. Unencrypted data is called plaintext; encrypted data is called ciphertext.
Hard copy is a printout of data stored in a computer. A printout is considered “hard” because it exists physically on paper, whereas a “soft” copy exists only electronically.
Every employee and contractor performing work for Delta State University will comply with the following policies and procedures for hard copy distribution:
- File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with sensitive information will be locked when not in use.
- Storage rooms containing documents with sensitive information and record retention areas will be locked at the end of each workday.
- Desks, workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing sensitive information when not in use.
- Whiteboards, dry-erase boards, writing tablets, etc. in common shared work areas will be erased, removed, or shredded when not in use.
- When documents containing sensitive information are discarded, they should be shredded immediately using a mechanical shredder.
Every employee and contractor performing work for Delta State University will comply with the following policies and procedures for electronic distribution:
- Any sensitive information sent internally will be encrypted and may be transmitted using approved University e-mail.
- Any sensitive information sent externally by e-mail may be transmitted using approved University e-mail and should contain a statement such as the one below. The statement puts the recipient on notice; it does not by itself protect the content of the message.
“This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.”
The University’s personnel are encouraged to use common-sense judgment in securing the University’s Confidential Information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, the employee should contact their supervisor, manager and/or the Security Information Officer.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
- Fair and Accurate Credit Transactions Act (FACTA) – Red Flags Rule
- HIPAA Security Rule
- Gramm-Leach-Bliley Act (GLBA) Safeguards Rule