Managing Legally Protected Electronic Private Information

The University of Minnesota values the privacy of every member of its community, but protecting private data is more challenging than it has ever been. We read or hear, almost daily, about incidents in which private data has been compromised through theft, negligence, or ignorance. As a result, we all need to take responsibility for understanding what legally protected private data is and how we can protect it. The goal is to collectively avoid unwanted disclosure of personal information, which in turn saves all of us from the unfortunate experience of identity theft or other problems.

The University of Minnesota has a series of guidelines, standards, and policies that explain this issue and lay out the steps needed to protect private information. While legally protected private data can exist in formats that include paper, photographs, or credit card magnetic strips, the purpose of this communication is to inform you of ways to protect private information when it exists electronically. Information in digital, electronic form becomes portable and can be replicated with little to no effort. The following best practices, guidelines, standards, and policies are in the context of this focus on portable, digital/electronic information.

Preventing Accidental and/or Unwanted Exposure 

Below are ways to prevent accidental and/or unwanted exposure of electronic legally protected private information:

1. Know the meaning of the term "private data" and what it means to protect it. Read the definition.

2. Know what "encryption" means and how it applies to protecting electronic private data. Read Encrypting Private Data.

3. Know the University's policy on the Acceptable Use of Information Technologies. This policy outlines the uses and associated behaviors that are acceptable when using the University's technologies. Read the policy.

4. Other useful best practices:

Following these protocols can help protect you from the legal problems, embarrassment, inconvenience, and other problems that result when preventable private data breaches occur.

Frequently Asked Questions

What are the U of M rules for securing computers with private data?

See the U of M policy for Securing Private Data, Computers and Other Electronic Devices.

What does "Private Data" mean in this context?

Legally private data includes Social Security number, private health information, and date of birth. See the Data Security Classification Policy for a longer list.

What can I do to make sure the private data I work with is adequately secure?

Store private data on a professionally maintained server. Do not store private data on a laptop computer unless you are sure it is encrypted AND the above policy is met. Review the Securing Private Data, Computers and Other Electronic Devices Policy with your technology support staff to be sure you are meeting the policy.

What are some common ways that desktop computers get infected and/or compromised?

What if I need private data on my laptop to do my job?

If there is no other way, the options are to store the data on a server and log in to the server while you work with the data, or to work with your technology support staff to encrypt the disk drive on the laptop. Note that with disk encryption, a lockout screensaver set to a reasonably short time must be used, or a thief would have access to everything you do. Also, information saved or sent via e-mail from the computer is not encrypted. When you open a file, it is unencrypted.

Can't I just protect private data on a laptop by being very careful?

Being careful helps, but computers are still stolen, even from careful people. If it is determined that a security breach as defined by Minnesota law has occurred, notifications will need to be sent to the individuals affected. Read the University's Breach Policy.