Guidelines for confidential records
Confidential records are created with an expectation that they will not be disclosed to anyone except those persons requiring the records for a legitimate purpose.
Confidentiality is demonstrated in the following ways:
- an explicit statement of confidentiality,
- a written request for confidentiality,
- the university’s treatment of the record as sensitive and confidential.
The fact that a record is stamped confidential, while an indicator of its confidential nature, may not be sufficient to support the assertion of confidentiality. To maintain their confidential status, confidential records must actually be treated as confidential.
Confidential records should be subject to reasonable security measures to keep them from inappropriate disclosure.
Confidential paper records, for example, are to be:
- stored in secure cabinets (locked when not in use, not in a public area, with limited access to staff and faculty),
- provided with a file/record cover when out of the secure cabinet,
- returned to the secure cabinet if the employee is called away while working on a record, and
- accessed by staff and faculty only on a “need to know” basis.
Confidential electronic records, for example, are to be:
- protected by the use of passwords and other appropriate methods to restrict access to computers and computer networks, and
- protected by secure disposal practices (with special care taken before a computer is used by another person or deemed surplus equipment).