Do not share your login credentials.
Not with the public, your coworkers, or even the Service Desk. What happens while you are logged in is your responsibility.
Change default passwords.
Always change standard or factory passwords immediately. This applies to company-issued cell phones, PCs, email services, voicemail, FTP servers, members-only websites, routers, etc. Check your password strength at www.howsecureismypassword.net. Never use the same password on multiple sites.
Do not use your person email for business.
Or it may be subject to management scrutiny and public records requests. Don’t forward business emails to your personal email. Likewise, do not use your business email for personal use.
Do not use your personal business email to correspond with clients.
Instead of first.lastname@oregon.gov, use a generic email, such as info.dcbs@oregon.gov, especially if a client is belligerent. In some cases, you may want to use your first name only. Check with you manager.
Avoid putting confidential information in email chains and group emails.
“As much as necessary, as little as possible.” Best practice: truncate Social Security Numbers and medical records in your communication. Even better: Use a generic ID, such as a policy account, or case number.
Track and report incidents
“Incident” definition: Confidential information is disclosed to a person not authorized to see it, or used for an unauthorized purpose. Internal and external reporting may be required, e.g., to the client, your manager, administrator, CIO, Attorney General’s office, or credit reporting agencies.
If you telecommute, don’t use personally-owned devices for business.
E.g., PCs, fax, printer, cell phone, text messaging. This opens up your devices to public records requests and searches by management, even if you have a BYOD agreement. If prosecution ensues, your device could be seized as evidence. Talk to your manager if you don’t have the tools you need. Is your family home? Remember, they’re not authorized to see or overhear confidential information.
Keep confidential information safe during transport
Confidential information transported in vehicles by employees should be logged, inventoried, kept locked and out of-sight when the employee is not in the vehicle. Use point-to-point receipt for mailing if necessary (UPS, FedEx). Use tamper-proof packaging. Always ship password separately from encrypted media.
Let clients know what the agency will and won’t do with their data.
“Privacy involves each individual’s right to decide when and whether to share personal information, how much information to share, and the particular circumstances under which that information can be shared. Privacy is more than security, however, and includes the principles of transparency, notice, and choice.”
Meet with clients in transparent settings.
Don’t let conversations be overheard by fellow clients, coworkers, etc. Stay within view of others. Be aware of appearances. Be safe.