KEEPING PENN DATA SAFE AND PRIVATE
Treat other people’s confidential data as you would want your own data treated.
Don’t let confidential data fall into the wrong hands.  
 
Such data can be used to steal identities, disrupt University operations, impede research, and damage Penn’s reputation. Examples of confidential data include:
 
  • Social Security Numbers (SSNs)
 
  • Health Information
 
  • Credit card data
 
  • Student grades
 
  • Non-public directory information
 
  • University and personal financial information
Use Penn IDs or another unique identifier instead of SSNs. If SSNs are required, mask the first five digits: xxx-xx-1234.
Don’t store or download confidential data unless absolutely essential.
If you must share confidential data:  
 
  • Don’t send them in email or IM. See your LSP for more secure alternatives.
 
  • Make sure anyone who requests confidential data is properly authorized. Student data, health information, and certain other personal data are protected by federal law and Penn policy.
Shred printed data you no longer need. For help, contact the Records Center at 898-9432.
Protect the computer your data is stored on:  
 
  • Assign a complex, hard-to-guess password to your computer.
 
 
  • Activate your computer’s firewall.
 
 
  • Install current antivirus software and make sure it’s set for regular auto-updating.
 
  • Set your computer to auto-download security patches for the operating system.
 
  • Turn off your computer’s filesharing capability or configure it to require a complex, hard-to-guess password.
 
  • Do not use Internet filesharing software, such as Kazaa or BitTorrent, which often comes with adware and spyware that can compromise your computer.
 
  • Use a password-protected screensaver.
 
  • Don’t click on unknown URLs, web links, or attachments.
 
Upgrade to a current operating system such as Windows XP Pro or Mac OS X to better protect your data. Older, unsupported operating systems (Windows 98/ME, Windows NT, Mac OS 9) are very difficult to secure.
If you have confidential data on a server (even one administered by someone else), make sure the server is registered with ISC as a Critical Host and seek assurance that it’s protected.
Mind your vendors. Contracts with third party vendors accessing confidential (i.e., personal or proprietary) data should include strong confidentiality language.
Raise awareness in your organization about the importance of protecting Penn’s confidential data and how to do so.
 
  • Make sure you’re using HR’s current sample offer letters in hiring. Current versions ask newly hired staff to sign that they acknowledge their privacy responsibilities.
 
  • Leverage Penn’s Security and Privacy Made Simple tips. Penn’s Almanac now offers privacy and security tips routinely. Spread the word!
 
  • Request in-person training. The Office of Audit, Compliance, and Privacy and the Office of Information Security are available to present on privacy and security issues to Penn workforce members. Contact privacy@pobox.upenn.edu to request such training.
Consult Penn Resources  
 
 
 
       
Copyright 2006-08 University of Pennsylvania  