Published: June 3, 2020
As your employees continue to telework, they might be handling, transferring and storing confidential data at home differently than they did at their usual work location. Ideally, you would have a policy in place and trained employees in this area. If you have taken those steps, that is a great start! However, given this period of change and transition, you’ll still want to check in with staff to ensure confidential data is safeguarded.
What is confidential data?
You’ll want to form your own legal conclusions about what qualifies as confidential data. A best practice is to get a legal opinion about what confidential data you might have. There’s a lot to consider when making these decisions and more data might be confidential than you might expect.
Some areas to consider include:
- Personal information as identified in the state of Washington’s data breach laws: RCW 42.56.590 (This law was recently changed, so make sure you scroll down to the law that took effect March 1, 2020)
- Information that the Public Records Act exempts from disclosure: RCW 42.56
- Information you’ve agreed to keep private, such as with third parties under contract
- Federally regulated data, such as information covered by the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA)
Securing hard copy information at home
If employees have confidential data at their home, such as might be present in payroll or human resource records, then that data should be secured. This means that if you were expected to keep it locked at work, then it needs to be locked at home too. It could be considered an unlawful breach of data if a person with unauthorized access views this data, such as a parent or a roommate.
Then there is the matter of how confidential information should be disposed of. If it would have been shredded at work, then it still needs to be shredded at home. It could be burned, if that’s an option. Otherwise, everyone should keep information locked up and secured until arrangements can be made to shred it. It should not be discarded in the trash or recycling!
Keeping confidential information on personal computers
The state’s policy for state employees is that personal computers cannot be used for work business. However, if you are with local government and using a personal computer for work, then you’ll want to check with your IT staff and consult computer-use policies for guidance.
If you are using personal devices for work purposes, your IT staff (or contractor) will want to ensure that equipment has full disk encryption. This prevents someone from stealing the hard drive and extracting confidential information from it. The older the machine, the more likely it did not come with full disk encryption as a standard feature.
For government-provided devices, ideally your IT staff would have ensured that hard drives are encrypted. However, you should confirm this with your IT staff.
In addition, we suggest you work with your IT staff to ensure that any storage devices, such as a USB flash drive, are also encrypted to protect any confidential data. This protects the information should the storage device be stolen or lost.
Transmitting confidential information
If you’re sending hardcopy (paper) records, a best practice is to send them in a sealed envelope or box by certified mail.
If sending electronic records, you’ll need to make sure confidential information is encrypted. This includes any confidential information that you might send using email. For example, the state of Washington (and the State Auditor’s Office) transfers confidential data using this protocol: watech.wa.gov/services/Secure-File-Transfer
- Data disposal best practices: ocio.wa.gov/policy/media-handling-and-data-disposal-best-practices
- State of Washington’s security policy: ocio.wa.gov/policy/securing-information-technology-assets-standards
- Information about data breaches from the Washington State Office of the Attorney General: www.atg.wa.gov/data-breach-notifications