Security Checklist for Personal and Other Confidential Information

Purpose and Objective 

Law, policy and practice require that personal, health and other confidential information, be protected from unauthorized access. 

This practice supports protection of electronic and hard copy records, consistent with law, policy and risk management practice. It does not supersede University IT security standards or measures such as those under the Chief Information Officer, but is intended to work with them. 

The objective is to protect confidential information from unauthorized access, without disrupting University operations, and with measures appropriate for each type of record. 


  • Know which records in your work are confidential and require protection; e.g. records that contain personal or health information. 

  • Keep hard-copy confidential records in a secure institutional environment, locked in a non-public area when not in use or you are not present. 

  • Only take hard-copy confidential records out of a secure, institutional environment as necessary for immediate work.

Protect hard-copy confidential records with strong security, including:

  • keeping records out of sight

  • keeping records securely locked up 

  • keeping electronic records of confidential information in a secure-server environment. 

  • Only take confidential records out of secure environments if you have:

    • official authorization

    • operational need

    • and no other reasonable means to accomplish the task.

  • To take confidential electronic records out of a secure-server environment:

    • encrypt your drive, memory stick or mobile device with the latest version of commercially available and supported encryption software

    • or de- identify the information. 

  • When work permits, use depersonalized records, not personally identifiable ones. 

  • Access confidential electronic records remotely using encrypted secure means, such as virtual private network (VPN) or encrypted remote desktop connection. 

  • Encrypt attachments that contain personal or confidential information before emailing them to addresses

    • do not email or forward unencrypted personal or confidential information out of the email system, because it could be viewed by third parties if intercepted

  • Communicate passwords by phone, not by email.

Excerpted from FIPPA - General and Administrative Access and Privacy Practices (June 23, 2011).