You can find almost any type of personal data somewhere on campus. This is because at Penn, we work with personal data about students, faculty, staff, alumni, parents, visitors, patrons, patients, research subjects and so many others to provide premier education, cutting edge research, service locally and globally and more. To serve our community and to serve Penn, it is critical that we properly use and protect that personal information.

Eliminating Unnecessary Data

Too often we read about data breaches that were avoidable because the data stolen was being kept by an institution unnecessarily. So, securely delete confidential information that is no longer needed for teaching, research, service, operations or any other Penn-related function.

Before securely deleting information, make sure that deletion is permissible under Penn's Guidance (PDF). Use Identity Finder software to locate Social Security numbers, credit card data and other sensitive data you may not know you have. Don’t just put sensitive data in the electronic “trash”: use effective electronic file deletion tools, and shred paper records that contain unnecessary confidential information. When disposing of computers and other devices, securely wipe them of existing data. Finally, for you and your organization, host a Records Cleanup Day.
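As an added illustration of what a discovery tool such as Identity Finder does when it "locates" sensitive data, the script below scans text for Social Security number and payment card patterns, uses the Luhn checksum to discard digit runs that merely look like card numbers, and reports only masked values so the report itself does not become another copy of the data. This is example code written for this page, not Penn's or Identity Finder's software; the sample text, the `scan_text` and `scan_file` names, and the card number (a well-known test number, not a real account) are constructed for the example.

```python
"""Minimal sensitive-data discovery scan: SSNs and Luhn-valid card numbers."""
import re
from typing import Dict, List

# Dashed SSN format; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, each optionally followed by a space or dash (runs longer than
# 19 digits are skipped on purpose; they are almost never card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Replace every digit except the last `keep` with '*', keeping separators."""
    out, seen = [], 0
    digits_total = sum(c.isdigit() for c in value)
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > digits_total - keep else "*")
        else:
            out.append(c)
    return "".join(out)


def scan_text(text: str) -> List[Dict[str, object]]:
    """Scan text line by line; return masked findings with kind and line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append({"kind": "ssn", "line": lineno, "masked": mask(m.group())})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"kind": "card", "line": lineno, "masked": mask(m.group())})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan one text file; undecodable bytes are ignored rather than aborting the scan."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read())


# Constructed sample: one real-looking SSN, one never-issued SSN, a phone number,
# a Luhn-valid test card, the same card with a typo, and a 14-digit order reference
# that fails Luhn. Only the first and fourth lines should be reported.
SAMPLE = """\
Applicant SSN: 123-45-6789 (constructed sample)
Invalid SSN-shaped value: 000-12-3456
Help line: 215-726-6759
Card on file: 4111 1111 1111 1111
Typo'd card: 4111-1111-1111-1112
Order ref: 20240115-000043
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['masked']}")
```

The Luhn filter is what keeps a scan like this usable: without it, every invoice number, tracking code and timestamp of the right length is a hit, and people stop reading the report. Even with it, treat the output as a list of places to look, not a verdict, and never log or email the unmasked matches.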

Appropriate Use of Penn Data

Make sure you are using Penn data in keeping with community expectations, law and policy. See Penn's resources on protecting student privacy under FERPA, health records under FERPA and HIPAA, Social Security numbers, and credit card data.

Strong Security Protections

Protecting the security of information is a critical part of protecting the privacy of that information. Penn’s Office of Information Security (OIS) makes it easy with its Top 10 Security Tips for faculty, staff and students. Also check out OIS’s education on two high-risk areas: combating malware and phishing. Finally, use Penn’s Secure Share service to send confidential information and Secure Space to store it.

Transparency

One very important best practice in privacy is to be transparent about what information is collected, for what purposes it is used and shared, how it is protected, and what control, if any, individuals have over it. See Penn's Guidance on Website Privacy Statements (PDF) and Penn's FERPA Notice for examples.

Assessing and Remediating Risk in IT Systems

Take advantage of the Penn-developed Security and Privacy Impact Assessment (SPIA) program to reach a deeper and more effective level of data protection in Penn systems and databases.

Evaluating Third Parties

Google Docs, Survey Monkey, Dropbox, Basecamp: these and countless other hosted services empower individuals to get more done, faster. But putting Penn data in the hands of a third party also creates risks, for example data loss, service outages, foreign government access, inadequate technical support and non-compliance.

Know the Risks

Review Penn’s Guidance - Cloud Computing: Opportunities Used Safely.

Use Due Diligence in Selecting Vendors

Consult the Data Classification and Review Framework (PDF), including the SPIA for Vendors tool (PDF) referenced in that Framework, and vet the third party and the agreement appropriately based on the sensitivity of the data.

Asking Questions and Reporting Incidents

There are many resources at Penn to help answer questions and concerns related to privacy. You may contact the Privacy Office at privacy@upenn.edu. You may also contact Penn’s Reporting and Help Line at 215-PComply (215-726-6759) or www.upenn.edu/215pcomply. Information security incidents should be reported to security@isc.upenn.edu.