Maintaining Information

 Controlling Access to Information

Always make sure that only those with a clear business need have access to sensitive information. Usually this will mean placing files on a secure server with access controls that only allow authorized individuals to access the data. Make sure to update the access that people have as their roles change.

Properly controlling access to information also means not storing it in insecure locations. For example, sensitive data shouldn't be stored on an unencrypted thumbdrive, or placed on a website available to the public. Paper files should always be secured in a locked cabinet or room with limited physical access.

Maintaining Information

The best way to protect sensitive information is simply not to maintain it at all if it's unneeded in the first place. Maintain only the minimum amount of information necessary to support a particular process, business, research, clinical, or academic need. In some cases it may have been necessary in the past to maintain sensitive data that is no longer needed today. For example, you may have a spreadsheet that contains the social security numbers of individuals that were used for some purpose in the past. Ask yourself if it's necessary to continue to maintain that information. If not, you may be able to dispose of the entire document or just remove sensitive fields that are no longer needed.

Follow proper records retention schedules to ensure that you are keeping data for the correct length of time as required by contract or law. This includes not only maintaining the data for a specific period of time, but also not maintaining it longer than you should. To determine if your data falls under a record retention schedule, view the Emory University and Emory Healthcare Records Retention Schedules site (http://records.emory.edu/retention-schedules/index.html). If data is no longer needed, follow the proper steps to dispose of it.