Data Privacy and Security

Research papers. . . confidential plans. . . personnel files. . .  student data. . . a broad range of information is found in and around workspaces, computer networks, personal electronic devices, and file systems.  Our success and reputation often depend on how we protect this information.  Individual privacy rights are at stake, too.  The proper handling of all university-related data is important.  To achieve the necessary level of data privacy and security, everyone must do their part by treating university-related data and information with care.

Information and data are the life blood of an institution.  If data is lost, misused, or disclosed improperly, either on purpose or accidently, the consequences can be highly impactful.  Time, money, and energy will be spent dealing with the situation, the news media may report on it, trust in our institution may erode, and our reputation can be tarnished; even individual careers can be derailed.  When sensitive financial, personal, or healthcare information is involved, identities can be stolen and there may even be legal consequences, including heavy fines.

From our marketing and branding teams to professors and researchers and from staff all the way up to the president, all members of our campus community, including interns, contractors, part-time staff, and students, play key roles in ensuring data privacy and security.  We may not always appreciate how the data or information we work with relates to the “big picture,” but whatever our job is, we work with and supply restricted and highly restricted information. For example, we share our address, national identity numbers like SSNs, and other information to allow for the processing of paychecks or to help us obtain benefits.  We do not intend for this information to be provided to a casual guest visiting the university or some sales organization.  We also don’t intend for our information to be made available to a computer hacker or persons who do not need to access it.  Limited access preserves our privacy, restricts unauthorized use and unwanted attention, and serves other interests that only we may be aware.

Keeping information secure involves more than how we use our computers or personal electronic devices.  What we talk about and where we talk about it, along with who we allow to see such information plays a part, too.  By safeguarding all non-public university-related information, we can help insure data privacy and security.  You do not have to be a computer wizard or work in IT to make a difference. Here’s what you can do.

When discussing non-public, confidential, restricted, or highly restricted data:

• • • Do not have your conversation in a public place. Be cautious when talking in restaurants, breakrooms, hallways, or elevators.  If people are nearby, there is a likelihood you will be overheard.
    • Know who you are speaking with. If an unknown person contacts you for information, confirm their identity and right to receive it before providing them the information.

Workspace security:

• • • Do not leave confidential or sensitive materials in view when visitors are present or when you leave your workspace. Turn document hard copies upside down or place them in a drawer or cabinet, particularly when leaving for an extended period. If locks have been supplied for your desk drawer, file cabinets or office, use them when you leave work for the day.
    • Position your computer screen away from others. Share your work with people having a reason to see it, not with friends, uninvolved co-workers, or strangers dropping by your workspace.
    • When visitors are permitted in the workplace, do not allow them to roam or wander through unattended. Report suspicious activity appropriately and rapidly.
    • Limit copying of confidential and sensitive materials and avoid leaving printed copies on copy machines. Copies left on a printer or laying near a copy machine are available to anyone with access to the printer regardless of what they are authorized to see.
    • When sending a fax, unless being sent to a dedicated machine, arrange for someone to be ready to pick up the fax as soon as it comes through. As with photocopies, a confidential or sensitive fax that lays around unnecessarily can be read by anyone with access to the machine.
    • Follow our university’s policies on document retention and properly dispose of sensitive or confidential (highly restricted or restricted) information. Shred or place papers in the appropriate disposal bins. Break or destroy DVDs or CDs. Ask your manager for assistance getting rid of surplus or outdated documents, materials, or equipment.

Computers and electronic devices:

• • • Password protect or use another authorized form of authentication for your computer and electronic devices. Do not share your password and do not write it on a note that you leave on or around your desk area.  IT Support can help reset your password if it is forgotten.  No one needs to know your password.  Do not let anyone watch you type in your password.
    • Encrypt and password protect confidential or sensitive information provided via email or stored on a disk or an external drive. When providing a password for an attachment to an email, do not send the password and the encrypted message in the same message.
    • Stay alert and avoid falling for phishing schemes. Do not trust unsolicited emails or click on suspicious links. Be willing to check whether a request for information or transfer of funds is authorized and appropriate.  Look closely at the message, are there any spelling errors?  It is always better to verify, especially when requests are unusual or out of the ordinary. Rather than hitting the link or automatically hitting “reply”, visit an official website, call a known number, and gather information before responding. When in doubt, check it out.
    • Limit use of “reply all”. Make sure your messages go only to persons with a need to know.
    • Obtain approval to use data remotely or on a personal device. Depending on the sensitivity or confidential nature of information, you may be asked to use certain equipment or take special precautions.
    • Do not download or install computer applications or programs without approval or when obtained from an unapproved store or source. This helps protect the university against computer viruses and malware.
    • Make sure the websites and online portals you are using are legitimate. The wrong website could deliver malware.
    • Secure laptops and other electronic devices when not in use. Do not leave them in view and unattended.  It is easy to smash a car window and grab a computer or cell phone left on a car seat.  Put your laptop, mobile phone, and other electronic devices in the trunk of your car if you aren’t taking them with you.  Use similar precautions in airports, hotels, and at home.
    • If your university-owned computer or electronic device is lost or stolen, report the loss as soon as you are able to do so. It may be possible to disable the device or limit access to the information it contains or even trace the location of the equipment. Depending on the circumstances, and more specifically what was stored on the device, UCF may be under a legal obligation to quickly report the loss to a government agency or persons whose sensitive information has gone missing.
    • Limit use of public WIFI and do not use it to send sensitive information.

If you work with or have access to personal information about students, staff, faculty, or others, laws may regulate how that information is to be collected, processed, or stored.  Worldwide, these laws are becoming common and they may apply to the data and information you work with. Failing to operate within the bounds of the law can result in litigation, enforcement actions, fines, and penalties. Know that these laws often limit the amount of data collected to what is reasonably necessary, limit the sharing of data only to persons with a need to know, require certain operational and technical safeguards, and a level of transparency. If you have questions about your data privacy and security obligations, please contact privacy@ucf.edu for assistance.

Everyone affiliated with UCF has a role in keeping non-public, confidential or sensitive information, which we term Restricted and Highly Restricted data, private and secure.  Stay alert and treat university information responsibly.  It takes a village, as they say, to protect and secure data appropriately.  One or two teams is not enough, so thanks for doing your part and requesting assistance whenever needed.