Employee Responsibilities for

Respect for privacy of personal information is a core University of California
principle. All UC employees—both
academic and administrative—must protect any personal information
they handle in the course of their work. This means your own
information and that of students, alumni, employees, patients, donors,
etc. Examples
of personal information include Social Security numbers, financial account
numbers, and patient health data, as well as someone’s name in
combination with payroll information, home address, or home phone number.
Rule of Thumb: If the data identifies or is linked
to an individual, safeguard it! Here are steps you can take:
- Protect your laptop carefully so it doesn’t get lost or stolen
- Do not store personal information on portable devices, e.g., laptops
- Protect your computer passwords so others can’t
access your accounts
- Use a password-protected screensaver
- Log out of programs when you leave your office
- Position your monitor so passersby can’t read
the screen
- Remove all data from your computer when you dispose
of it
- Protect confidential documents when you step away from
your desk
- Lock your office door when you leave the room
- Shred unneeded confidential papers
- Seek guidance from your local IT or computer security
coordinator
The Associate Vice President for Information Resources and Communications
at UCOP serves as the University's Chief Information Officer and is
the UC Information Security Program Coordinator. The position is charged
with directing information security policy and planning for the UC
system. In addition, most UC campuses and medical centers have IT or
computer security coordinators who can provide consultation to reduce
computer security exposures.
Safeguards in the Law
Several state
and federal laws provide protections for personal information. As a
University representative, you help UC comply with these laws
when you safeguard data.
Security Breaches
In July 2003, a California bill to aid potential victims of identity
theft took effect. The law says that if an organization’s computer
system suffers a security breach, the organization must notify affected
individuals if there is reasonable belief that an unauthorized individual
gained access to their personal information. Knowledge of the breach
enables people to take steps to prevent identity theft. Several security
breaches at UC have been the result of laptops being lost or stolen.
Social Security Numbers
Social Security numbers are particularly sensitive and shouldn’t
be used unless absolutely necessary. California law recognizes this
and restricts their use. For example, the SSN can’t be publicly
posted or displayed, or printed on a card that an individual uses to
access products or services. Individuals can’t be required to
transmit the SSN over the Internet unless the connection is secure
or the SSN is encrypted. Individuals can’t be required to use
the SSN to access a Web site unless a password or unique personal identification
number or other authentication device also is required.
Patient Information
The Health Insurance Portability and Accountability Act (HIPAA) establishes
national standards to guard the privacy of patient health information.
The regulations apply to everyone who works in the health care arena,
from volunteers, to health care providers, to trainers, to those
who provide financial, legal, or administrative support to health
care providers or health plans. Visit http://www.universityofcalifornia.edu/hipaa for more information.
Loan Information
Federal Trade Commission regulations implement the Gramm-Leach-Bliley
Act. They require institutions, including universities, to develop
a program to protect customer information related to loan transactions.
UC’s program is online at http://www.ucop.edu/irc/itsec/glbplan/.