Security & Confidentiality

Security and confidentiality of information held by Western Sydney University is of great concern not only to the University itself but also to its clients, staff, students and other people and organisations with which it has contact or conducts business. The University holds a great deal of information which contains personal details, is confidential or otherwise sensitive in nature.

Areas of the University creating records that:

• are commercial-in-confidence;
• are client-in-confidence;
• are personnel-in-confidence; or
• contain information whose compromise would cause damage to the University, commercial entities, students or members of the public

should ensure that appropriate measures are taken to ensure that records containing sensitive information are appropriately managed. Measures to consider include ensuring that:

• records containing sensitive information are identified;
• access to such records is restricted to those with a legitimate business requirement; and
• access to such records is restricted for the full life of the record, from creation to disposal, or until the information is no longer deemed sensitive.

What is sensitive information

Sensitive information includes:

• personal information;
• financial or commercially sensitive information;
• information given in confidence;
• information relating to an investigation; and
• information posing a security risk.

Security Guidelines

Records in all formats should be stored securely to prevent unauthorised access, destruction, alteration or removal. File locations should be kept up-to-date in CM (TRIM) to ensure that there is a history of all employees who have had access to a particular file.

If you are unable to guarantee secure storage, physical (hard-copy) sensitive records should be returned to RAMS for secure storage. Below are some guidelines on maintaining records security.

• Access to records should be strictly controlled and restricted to those who have an identified ongoing need.
• Caution should be exercised when using email to convey confidential or commercially sensitive information.
• Security of records should be maintained for the entire life of the record or for as long as the information contained in the record remains sensitive.
• Files containing sensitive or confidential information should be labelled/classified appropriately.

The following are some situations containing potential risks where you should be conscious of records security:

• When taking physical (hard-copy) files out of the office – once files are out of the office it is much more difficult to maintain appropriate security measures.
• Leaving physical (hard-copy) files in the boot of your car.
• Sensitive documents maintained on your laptop (laptop theft is common and is one of the high risk areas for unauthorised access to sensitive information).
• Sensitive documents saved to portable storage devices (thumb drives, USB drives, CD’s, external hard-drives)
• Leaving your computer unattended while you are logged on.
• Poor password management of University systems.
• Making copies of documents/printing electronic documents, that contain sensitive information (the more copies around the greater the risk of a breach in security)
• Destruction of records – this is where security often breaks down. You should ensure that destruction of records is managed only by those who would normally have access to the files (excluding destruction contractors and RAMS staff).

The following questions can help when considering whether you have adequate security for your confidential or sensitive records:

• Who has access to the area?
• Can the records be locked away when the room is unattended?
• Who has access to electronic data/documents?
• What is the security in the buildings? Are there alarms, keycard access, after-hours access?

Use lockable file shelving for sensitive/confidential records.

Legal documents (such as contracts, agreements, MOU’s, etc) should be sent to RAMS via WesternNow ticket (legal document coversheet)