Guidelines for Working with Sensitive Information

1) All University workforce, faculty and student members must follow UofL’s Information Security Policies and Standards (https://louisville.edu/security/policies/policies-standards-list). The definition of ‘sensitive information’ can be found at https://louisville.edu/security/files/information-management-and-classification-standard.

2) University workforce, faculty and student members should report to UofL all known or suspected privacy and security incidents that include sensitive information. Notification may be provided to the Information Security Office at isopol@louisville.edu, the Privacy Office at privacy@louisville.edu, or for anonymous reporting, to the UofL Compliance Hotline (1-877-852-1167).

Examples of known or suspected privacy and security incidents include:

   - Misdirected emails or faxes
   - Lost or stolen devices
   - Lost or stolen paperwork
   - Access by an unauthorized individual to paper or electronic sensitive information
   - Inappropriate disposal of sensitive information (e.g., placing the information in a trash can instead of a shred bin)
   - Sensitive information that has been posted or shared on social media
   - “Snooping” in a record or file that includes sensitive information

3) All sensitive information in electronic format must be stored on systems and devices (e.g., laptop, phone, flash drive, external hard drive) that are encrypted and protected according to UofL’s Information Security Policies and Standards (see link above).

4) Sensitive information in paper format must be stored in a manner that is not accessible to unauthorized individuals or individuals outside of UofL. The preferred location is in a locked room or filing cabinet with access restricted only to authorized individuals. Sensitive information must be disposed of in a secure manner using secure shred bins or a secure shredding process.

5) In the event that a workforce member, faculty, or student member must remove sensitive information from UofL, the workforce member must obtain approval from a supervisor for removal of the information and ensure that the information is appropriately attended and protected from unauthorized access, use, or disclosure, and is returned to UofL as soon as it is no longer needed outside of UofL.

6) Telephone or in-person conversations that may reveal sensitive information should be conducted in settings with reasonable safeguards designed to protect the privacy rights of the individual who is the subject of the information being discussed.

7) Workforce members, faculty, and student members may not post or share sensitive information on social media.

8) Only University-approved vendors or third parties may be used to store the University’s sensitive information. Sensitive information may not be stored in unapproved cloud services or personally acquired services (e.g., Dropbox, Google Drive/Docs, third-party email providers such as Gmail and other products that have not been sanctioned by the University).