Privacy Basics at UWinnipeg - Module 3
Module 3 explains how to safeguard PI / PHI in accordance with the Privacy Policy.
Employees must protect the confidentiality, security, and accuracy of the PI / PHI under their control. Protective measures should be applied throughout the lifecycle of a record: from collection to use, disclosure, storage, and destruction.
Security safeguards must be appropriate to the nature of the PI / PHI. The more sensitive the information, the more robust the security safeguards need to be.
Security safeguards are classified into three categories:
- Administrative safeguards
- Technical safeguards
- Physical / personal safeguards
The safeguards that follow represent the minimum standard necessary under the Privacy Policy. Additional measures should be taken where appropriate. University administrators have an obligation to ensure that the information in the custody or under the control of their office(s) is adequately protected.
Administrative safeguards focus on policies and procedures for the protection of PI / PHI.
The Privacy Policy is the University’s primary administrative safeguard, but office-level policies and procedures may be created to:
- Designate access to PI / PHI based on particular office role,
- Undertake a privacy impact assessment (PIA) before commencing new projects,
- Implement specific training requirements for employees that handle PI / PHI.
If office-level privacy policies and procedures are created, please provide a copy to the Information and Privacy Officer.
Technical safeguards are focused on protecting PI / PHI stored on electronic devices and media, such as computers, smart phones, and flash drives.
Most privacy breaches at the University involve electronic information, with desktops, laptops, and flash drives most commonly associated with a breach. Technical safeguards are therefore one of the most important considerations in protecting PI / PHI.
Technical safeguards include:
- Using access controls such as strong passwords to help protect against unauthorized access,
- Clearing display screens and logging off / shutting off computers,
- Using password protection/encryption* if transporting PI / PHI on laptops, smart phones, or similar electronic devices and media,
- Consulting the Guidelines for the Communication of Personal and Personal Health Information,
- Transferring emails containing PI / PHI from inboxes to secure network drives,
- When electronic devices and media are disposed of or used for another purpose, removing or destroying all PI / PHI.
*Excluding BitLocker deployments managed by TSC, be aware that the University cannot assist you in decrypting your files should you lose or forget your password. Back up your files and secure your password to prevent data loss.*
All UWinnipeg employees should be familiar with encryption, which scrambles electronic information so that it is unreadable without a special key. It is a vital aid for protecting privacy and is especially helpful for laptops, tablets, USB flash drives, and similar devices that are easily lost or stolen. PI / PHI stored on these devices must be encrypted during transport.
Encryption can be done at the file level (Word, Excel, PDF, etc.) or at the disk level, known as full-disk encryption. This latter form of encryption protects an entire disk drive (or a specified part thereof) and is a powerful tool to lessen the likelihood and impact of privacy breaches.
Encryption tools are often bundled with operating systems, such as BitLocker for newer versions of Windows and FileVault for Apple iOS. Third-party tools are also available, such as the popular (and free) VeraCrypt software available for Windows, Apple, and Linux. Even 7-Zip, which is a commonly used, free file archiver / compressor, can be used to encrypt multiple files at once.
It is also a good plan to purchase at least one USB flash drive with built-in encryption technology. These are very affordable and simplify the process of protecting PI / PHI on the go. Certain encryption tools, such as 7-Zip and VeraCrypt, can also be used on regular USB drives for added security.
Remember that encryption is only as good as the password that protects it! Be sure to use a strong password at all times. Avoid reusing passwords across multiple accounts.
Physical / personal safeguards are focused on protecting PI / PHI from physical threats and harms, such as theft, tampering, and unauthorized access. They involve both physical barriers to access as well as personal behaviours.
Physical / personal safeguards include:
- Limiting physical access to PI / PHI to only those who need to know,
- Not discussing PI / PHI in the presence of those who are not authorized to know the information,
- Storing paper files and electronic devices and media containing PI / PHI in a secured place other than when being used as a necessary function of work,
- Consulting the Guidelines for the Communication of Personal and Personal Health Information,
- Not transporting or otherwise removing PI / PHI from a secured place unless necessary,
- If transporting or otherwise removing PI / PHI from a secured place, taking only the minimum amount of information necessary and securing it in a closed, opaque container and under the care and control of an authorized person,
- Whenever practicable, de-identifying PI / PHI before removing it from a secured place,
- Not leaving PI / PHI unattended or stored in a vehicle,
- Labeling file containers with the minimum amount of PI / PHI necessary for identification and use,
- Secure destruction (i.e., shredding).
A privacy breach can be any collection, use, disclosure, or destruction of PI / PHI in contravention of applicable privacy legislation. But in most instances, a privacy breach is caused when PI / PHI is stolen, lost, or accessed inappropriately. Snooping is also an issue, and electronic information is particularly susceptible to breaches.
Examples of privacy breaches include:
- Theft of electronic or paper records from vehicles and homes,
- Losing laptops, USB sticks, and similar electronic devices and media,
- Sending emails and email attachments containing PI / PHI to the wrong recipient,
- Employee snooping,
- Paper records being recycled or thrown out instead of shredded,
- Disposal of computer hard drives, cellphones, fax machines, and copiers without adequate data deletion.
If you receive a complaint about a privacy breach, have any knowledge of a privacy breach, or have a reasonable suspicion that a privacy breach has occurred, you are required to immediately report the breach to your supervisor and the University's Information and Privacy Officer.
Quick reporting is crucial to enable the University to take appropriate measures to contain and investigate the breach.
- Safeguards must be appropriate to the sensitivity of the information.
- Administrative safeguards focus on policies and procedures for handling PI / PHI.
- Technical safeguards include:
  - Access controls such as strong passwords,
  - Using password protection/encryption if transporting electronic PI / PHI,
  - Removing or destroying PI / PHI when electronic devices and media are disposed of or used for another purpose.
- Physical / personal safeguards include:
  - Not discussing PI / PHI in the presence of those who are not authorized to know the information,
  - Storing records containing PI / PHI in a secured place,
  - Limiting the transportation of PI / PHI and not taking more than the minimum amount necessary,
  - Not leaving PI / PHI unattended or stored in a vehicle.
- Report all suspected or confirmed privacy breaches.