When storing Personally Identifiable Information (PII), additional security measures should be taken in order to minimize risk. This includes protecting physical devices, as well as implementing software to help encrypt your information.
All devices containing personal information should be regularly backed up to UBC network drives and periodically maintained to ensure the backups are successful. If you make frequent and significant changes to your data, you should increase the number of backups.
Protecting Physical Devices
These measures apply to any device used to store or process PII, including personal devices that UBC employees own and use for work purposes. Desktop and laptop computers, tablets, and smartphones are all vulnerable to physical theft and should be secured using the following guidelines.
- Unattended devices, including fax machines and photocopiers, that handle sensitive information should be kept in access-controlled or locked rooms;
- Devices storing PII should have access restricted with swipe cards for authorized individuals only.
Although all UBC supported devices should already be encrypted and protected by anti-virus software, there are additional measures you can implement to help secure personal devices that access sensitive information.
- Set screensaver locks after 30 minutes;
- Automatically erase data if 10 consecutive incorrect passwords are entered;
- Turn on remote location and deletion so that you can find your device and remove the data in the event of loss or theft;
- Keep operating systems updated.
For assistance implementing these measures, message us through the contact tab or visit us in person.
Any services based outside of Canada (including Gmail, Dropbox, Hotmail, and Yahoo) must not be used for storing or transmitting sensitive information, including backups and temporary storage. These services are less secure and violate federal and university information security policies.
Securing Paper Records
Sensitive information stored in paper records instead of on electronic devices is still subject to UBC information security standards. Due to the potential volume of physical records, UBC recommends a risk-based approach for safeguarding vulnerable information. This means that confidential information (e.g. data that can be used to commit identity theft or harm an individual’s reputation) should be prioritized over sensitive information (e.g. research data without personal details) or public information (e.g. business contact information).
For a full explanation of how to store, transmit, and dispose of paper records, see UBC IT’s guidelines below.