Due to character limitations, the following policy is presented in a summarized format. If you would like to access the full policy, please email HR@atsu.edu. 

A.T. Still University of Health Sciences (ATSU) Confidential Information Policy

This policy outlines how ATSU protects confidential information, including definitions, responsibilities, and procedures for workforce members. Unauthorized disclosure may result in legal penalties, reputational harm, and increased risk of fraud or identity theft.

Policy Summary

ATSU classifies information into high, moderate, and low-risk categories. Confidential information typically includes data in the high and moderate risk categories. Examples include:

- Protected Health Information (PHI) such as patient records and incident reports.
- Student records protected under FERPA.
- Personally Identifiable Information (PII) like Social Security numbers, payroll, and personnel records.
- Financial data, including credit card and bank account information.
- Business information such as research data, contracts, strategies, and proprietary methods.
- Passwords and access codes.
- Background checks, transcripts, and other sensitive documents.
- Media, both digital and physical, that contains sensitive content.

Confidential Information Handling Requirements

Confidential information must be:

- Protected from unauthorized access or disclosure.
- Shared only on a need-to-know basis and used for legitimate business purposes.
- Stored securely and encrypted when taken offsite.
- Properly destroyed when no longer needed.

Workforce Responsibilities

All ATSU workforce members—including employees, students, contractors, and volunteers—must sign a Statement of Confidentiality upon hire and participate in annual training. Access to confidential information is restricted based on role and business need and does not imply ownership.

Access and Use Guidelines

- PHI must only be accessed for patient care, risk management, or payment activities.
- Employee and student data must follow applicable laws such as FERPA and internal policies.
- Proprietary and business data should never be shared with unauthorized individuals.

Storage and Retention

Confidential media must be securely stored and encrypted if taken offsite. Official records must comply with retention laws. Managers are responsible for specifying secure storage methods.

Transmission

- When faxing, use a confidentiality notice on the cover sheet.
- Emails with confidential data must be encrypted; avoid using identifying information in subject lines.
- Secure texting platforms approved by ITS must be used for any messaging containing sensitive data.

Recycling and Disposal

Before recycling or reusing media, all confidential data must be sanitized. Paper documents should be shredded or placed in secure bins. Electronic devices must be inspected and cleared by ITS before disposal.

Oversight and Enforcement

- The Chief Information Security Officer (CISO) oversees policy implementation and risk management.
- Deans, directors, and supervisors enforce compliance and ensure training within their teams.
- Employees are responsible for following policy and reporting any violations.

This policy ensures compliance with regulatory standards and helps safeguard the integrity, privacy, and security of ATSU’s data.