Avoid using personal names in the subject line of email messages.
When sending a group email, where appropriate and in order to ensure privacy, place all recipient email addresses in the “bcc” (blind copy) field so they cannot be seen or shared by recipients.
Email sensitive information, such as medical or financial information, only if it is absolutely necessary.
When forwarding an email with a long string of messages, delete all but the top message.
Fax/Phone/Copying
When faxing/copying sensitive personal information, stay by the machine at all times.
Delete phone messages.
You should only fax personal information that you would feel comfortable discussing over the telephone if it were your own personal information.
When faxing sensitive personal information, consider the use of unique identifiers or codes to protect the identity of the individuals involved.
If personal information is mistakenly faxed to the wrong person and you can’t get the information back, notify the person responsible for privacy compliance in your organization. Your organization or public body should promptly notify the individual(s) whose personal information has been compromised, telling them the kind of information that has been compromised and steps that are being taken.
Office Practices
It is preferable to use interoffice envelopes for sending internal mail; however, if you re-use an envelope, remove the return address and any other identifying information.
Adopt a “clear desk” policy and ensure paper records are locked in a secure location with limited access.
Student papers and lab reports must be given to students directly.
Electronic Storage of Information
Password protect electronic devices containing personal information.
Encrypt electronic devices containing personal information.
Avoid storing personal information on portable electronic devices, including laptop hard drives.
Record Management
Written permission received from a student, by email, should be scanned into the Student Record.
Once a document has been finalized, delete all ‘draft’ paper and electronic copies.
Limit the amount of personal information collected to that which is reasonably needed to meet departmental requirements.
Keep personal information only as long as necessary to meet business and legal requirements, then securely destroy the information.
If minutes contain information of a personal nature – by naming or otherwise identifying individuals – precautions should be taken when storing them. The document should be marked “Confidential” and should only be distributed to committee members.
Collection, Retention and Disposal
If you don’t need it, don’t keep it.
Maintaining personal information that is no longer useful is a security liability. When all relevant retention requirements have been met and the personal information is no longer relevant for business or legal reasons, destroy the information in a manner that will not compromise security or the privacy of the information.
Authority required for collection:
FIPPA Act
Individual’s informed consent
Collect only information related to a program or activity, on a need-to-know basis.
Avoid using Social Insurance Numbers for identification purposes – if a S.I.N. is not necessary for program delivery, do not collect it.
Routinely review personal information collection practices to determine the minimum personal information essential for operational requirements. Justify why particular information is necessary.
Outside the Office
Never travel with personal information unless you absolutely must have it with you. If you take personal information with you, take the least amount that you need and leave the rest behind.
While away from the office, laptops and other electronic devices containing personal information should be kept with you.
Personal information should be stored on a password-protected storage device rather than the hard drive of your laptop or home computer.
Electronic records of sensitive personal information should be encrypted.
Avoid using cell phones to discuss personal information. Cell phone conversations can be easily overheard and can be intercepted.