This article describes methods that College employees can use to communicate sensitive information. This article first highlights relevant College policies and then provides recommendations on specific methods to communicate sensitive information.
Relevant Policies:
Policy 8.4: It is the responsibility of each employee and their supervisor to ensure their work data is stored in the proper location to ensure the security and availability of their data.
College policy 8.4 defines sensitive or confidential data as information that could cause harm to individuals or the College should it be improperly disclosed.
- Employees must ensure data classified as sensitive or confidential or otherwise contains personally identifiable information (PII) is only stored on equipment or data services owned by and under the control of the College.
Systems Designated for Confidential Information Storage and Processing - Published on the IT Department homepage on The Insider
- Users should be aware that email is not private or secure.
Examples of sensitive or confidential information include:
- Passwords
- Tax ID numbers
- Academic records
- Social Security Numbers
- Student grades and GPA
- Personal phone numbers
- Credit card payment information
- Personal medical or heath status information
- Proprietary information provided by a company or external organization - such as future expansion plans
- etc.
Communicating sensitive information:
1) Ensure you know who you are communicating with and are certain they are authorized to receive this information.
2) Many external organizations that regularly handle sensitive information often already have established secure communications channels. Determine if an existing secure communications channel already exists. Use the existing channels when possible or continue reading for additional options.
A) Use Microsoft OneDrive:
- Determine appropriate location to store the information:
- Departmental External OneDrive/Teams Site: Designated employees within the department can share and control access to files and folders.
- Your Personal OneDrive: Individual employees can share and control access to files and folders within their personal OneDrive account.
- Departmental Internal OneDrive/Teams Site: Files stored here are only accessible to department employees and individuals explicitly authorized by Division Vice President.
- If you need to RECEIVE sensitive information:
- Using either the standard Windows File Explorer or the Microsoft Teams app
- Create a folder specifically for this purpose that is clearly named
- Select "Share", enter the specific email address(es) of the individuals you wish to receive the sensitive information from
- Select "Edit" - to allow them to upload files into that folder (see screenshots below)
- Click "Copy Link"
- Send an email to the individual that includes the copied link and ask them to use that link to upload the sensitive information
Screenshot of Sharing a folder in OneDrive from Windows File Explorer
Screen shot of Share dialog - set permissions - copy link
3) If you need to SEND information
- Follow the same steps as above, except:
- You do not need to share an entire folder - you can share an individual file or folder, depending on your need
- You only need to give "View" access and you can prevent them from downloading the file if needed
Note: When you share files or folders with someone outside of BRCC, they will be automatically emailed a "one time password" from Microsoft when they first try to access the shared file/folder.
B) Use Email "Confidential Mode"
- You can send an encrypted email using Gmail (in future Microsoft Outlook)
- How to send a confidential email using Gmail
- This is somewhat less ideal because the sensitive information remains in your email inbox - OneDrive is preferred when possible