Confidential information

Class 3

Access restriction

Access to confidential information must only be granted on a need-to-know basis. Access to confidential information by external parties must likewise be on a need-to-know basis and subject to a non-disclosure agreement (NDA). For assistance creating an NDA, contact Legal Services.

Data protection controls

Protection such as encryption is required for the internal storage of confidential data (e.g. saved on an encrypted file server) as well as for storage in third-party systems (e.g. encrypted file storage on Azure). Protection is required when confidential data is shared with third parties (e.g. SFTP) and preferred for internal transmission (e.g. data transfer between an app server and a database server).

Frequently asked questions

When storing confidential data, avoid the use of external media (e.g. USB drives). If external media must be used, encrypt all files. With access controls restricting access to selected individuals, confidential data can be stored in:

  • Shared network drives
  • SharePoint (internal, restricted)
  • SharePoint (modern)
  • OneDrive

Confidential physical documents must be stored in a non-public area.

Confidential data can be shared or transferred over email when encrypted.

Mark all confidential data as ‘Confidential’ in the header or footer of every page in the document.

Confidential physical documents must not be left unattended and must be stored appropriately when not in use (see physical storage above).

Responsible managers can decide who can have access to confidential data. If sharing externally, ensure a non-disclosure agreement (NDA) is in place. For assistance creating an NDA, contact Legal Services.

Confidential information can be disposed of in a shred bin.

Confidential information should be archived according to Records Management Guidelines or deleted from workstations or devices. All workstations and devices used to house confidential information must be returned to IITS for decommissioning at the end of life or when the user leaves Concordia.

© Concordia University