Presentation #4 2/3/2015 Gaucho Round-Up FAQ’s This presentation covers some of the FAQ’s about campus clean-up day. 1 2 Question 1: I have e-waste that may contain sensitive information. Will I be able to drop off e-waste for secure disposal? Answer: Yes. The e-waste will be collected by furniture services for secure disposal. We will not be collecting hazardous waste – such as paint and chemicals. 3 Question 2: Answer: Can I bring materials from home? No this event is to dispose of university related materials only. 4 Question 3: Can I shred cardstock? Answer: Yes. You can also shred staples. The only thing to look out for is large clips. 5 Question 4: Should departments be shredding new hire documentation after an employee receives his or her first paycheck? Answer: Yes that is true. At UCSB, Business and Financial Services holds the official record of the new hire documentation, including the I-9, Oath/Patent, and W-4. To protect employee Social Security Numbers that are contained on these forms, the departmental copies of new hire documents should be destroyed after the employee receives his or her first paycheck. 6 Question 5: Do I need to print the IDOC hire/rehire form from PPS and place it in the personnel file? Answer: No. The information on the IDOC hire/rehire form is in the PPS system and there is no need to print that out and retain it in the personnel file. The IDOC separation document, on the other hand, must be submitted to payroll for the final paycheck to be processed. 7 Question 6: Answer: How do departments handle separated personnel files with regards to documents that have social security numbers? New hire documentation – such as I-9 and W4 should be shredded. (BFS is office of record.) In general, the documents in personnel files should be held for 5 years after the employee separates from the university. 8 Question 7: Answer: Student personnel file retention. How long and what date does the department use to determine the retention date? Retain records for 3 years after the end of the fiscal year in which the specific individual no longer has any employment relationship with the University. 9 Restricted Information Restricted Information: "Restricted information" is UC's term for the most sensitive confidential information. Restricted information or data is any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage, transit, or deletion. BFB IS-2 10 What is “PII”? As used in US privacy law and information security, personally identifiable information (“Pll”) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. For legal purposes, the effective definitions vary on the jurisdiction and the purposes for which the term is being used. 11 Other Types of Restricted Information • Personally Identifiable Information (PII) • Protected health information (PHI) protected by Federal HIPAA legislation • Credit card data regulated by the Payment Card Industry (PCI) • Passwords providing access to restricted data or resources • Court-ordered settlement agreements requiring non-disclosure • Information specifically identified by contract as restricted • Other information for which the degree of adverse affect that may result from unauthorized access or disclosure is high. 12 Do you have restricted information in your department? Guidelines for Dealing with Restricted Information IS-3, Appendix B • Restricted information should not be collected or stored unless absolutely necessary. • Access to restricted resources should be authorized only as needed to perform assigned duties. When destroying restricted information, don't forget about email attachments, screenshots, old or previous versions of files, drafts, archives, copies, backups, CDs/DVDs, old floppies, etc. • Ensure training for all individuals who have been granted access to restricted resources. • Delete or redact restricted information when there is no longer a business need for its retention. • When deleting restricted information, ensure record contents are rendered irretrievable by shredding or other means. 13 Examples of Other Types of Confidential Information • Home address or home telephone number • Personal information protected by anti-discrimination and information privacy laws such as: • Ethnicity or Gender • Date of birth • Citizenship • Marital Status • Religion or Sexual orientation • Certain types of student records • Exams, answer keys, and grade books • Applicant information in a pending recruitment • Information subject to a non-disclosure agreement, including research data, intellectual property (IP), patent information and other proprietary data • Academic evaluations and letters of recommendation • Some kinds of personnel actions • "Pre-decisional" budget projections for a campus department (can 14 also be marked "Draft" or "Not for Distribution")