Best Practices for Protecting PPI
As a member of the University community, you may have access to private, personal information (PPI) for employees, students, patients, etc. Any time PPI is exposed to those who don't have a business need to see it, it is at risk.
Who should have access to PPI, and how should that access be protected?
- Access should be limited to authorized users with a strict business need to know.
- Access only the PPI you need to perform your job.
- Use a robust password.
- Do not share your password with others or use another person's password.
- Lock your computer when you leave your desk.
How do I handle PPI securely?
- Follow University and departmental policies for data access and protection.
- Don't discuss PPI in casual conversations in your office or with other employees who do not need to know the information to do their jobs.
- Remove printed PPI documents from a printer or fax machine promptly.
- Do not share PPI with individuals without a business need to know the information.
- If you are sharing information with authorized individuals, make certain they understand how to protect PPI.
How do I store PPI securely?
- Store PPI only on secure workstations where it is required for business purposes.
- Do not save unnecessary files or documents containing PPI (e.g., draft copies, reports, spreadsheets, intermediate files).
- Do not save copies of PPI where unauthorized access could occur.
- Do not store data on portable or non-secure systems such as laptops, PDAs, personal computers, or removable media such as thumb drives, CDs, or floppy disks. If you must store PPI on such systems or media for business purposes, ensure it is encrypted.