You are here

Managing Confidential or Sensitive Records

This guidance is intended to provide advice on managing records which contain information that requires safeguarding or additional controls pursuant to and consistent with applicable law, regulations, or government-wide policies. Public officials should be familiar with the various laws, regulations and policies that require special protections for certain records, particularly state laws including the Personal Privacy Protection Law, the Public Health Law and the Mental Hygiene Law and applicable Federal statutes or regulations. 

Confidential Information

Identify and label confidential files

The first step in ensuring that sensitive records are sufficiently protected is to identify them.  This process of “classification” will enable the agency or local government to develop appropriate measures for records protection.
 
Maintain up-to-date inventories and confidentiality, integrity, and access measures. The Office of Information Technology Services' (ITS) Information Classification standard is useful for classifying information on three principles of security: 1) confidentiality, 2) integrity, and 3) availability.  ITS’s Recommended Classifications for the General Schedule and Disposition Schedule for New York State Government Records, while based on an older version of the State Archives’ General Schedule for state agencies, remains a useful reference for classification purposes. 
 
Labeling sensitive information serves as a practical method to ensure confidential information is handled properly. The federal government has established a program for managing Controlled Unclassified Information (CUI) across the Executive branch. This program establishes consistent standards for identifying and marking confidential information. To facilitate eventual disposition of sensitive documents, we suggest developing filing systems to segregate records based on their disposition date.

Store confidential information in a secure environment

In addition to utilizing passwords, firewalls, and encryption, choose a storage environment where access to the information is tracked and documented (e.g., audit trails), security software and anti-virus software updates are regularly installed, unattended computers are logged out, shut down, or locked from the system, and regular backups are made for disaster purposes. Storing confidential information in a centralized, network environment satisfies most, if not all, of these requirements. Make sure basic physical safeguards are in place, including locking of doors and windows where computers, servers, or electronic media containing confidential information are stored.  
 
Hard-copy records with confidential information should be maintained in an area where access is restricted and the environment can be physically secured during non-working hours.

Securely and completely destroy unnecessary confidential information

Once the appropriate retention period has been satisfied, ensure that all copies are destroyed, including unredacted, redacted, and convenience copies, as well as copies saved to electronic media. Simply pressing the delete button will not completely delete your files. Degaussing of hard drives or tapes and overwriting or scrubbing with multiple, random overwrite patterns are two of the best methods of destruction. The State Archives maintains a contract for the secure destruction of hard-copy records.  The contract requires that secure destruction methods meet standards developed and used by the Federal Internal Revenue Service.  

Develop and distribute policy and procedures for dealing with confidential information

Policy and procedures should address the life cycle of the information from creation to final disposition and describe staff’s responsibilities for handling confidential information during each of the stages of the life cycle. For example, the policy should cover the prompt reporting of any possible unauthorized access, use, or loss of information and the avoidance of email for transmitting confidential information. Refer also to ITS's advisory on complying with New York's data breach notification law. Consider, too, addressing in the policy what protocols should be followed by contractors who have access to your system or information.

Staff training

Educate staff about protecting confidential information, beginning with explaining why confidentiality is critical to your agency. Next, train staff on the practical aspects of data protection that are discussed above, such as using secure passwords, protecting hard-copy materials and the proper destruction of confidential documents. Make sure they understand their responsibilities as outlined in the policy and procedures.

Employee Medical Records

Many agencies maintain medical records relating to their employees.  These medical records are typically highly confidential and should be rigorously managed and protected and should not be co-mingled with other personnel records.   There are three primary reasons or requirements for maintaining employee medical records separate from personnel or other records:
  1. Records retention requirements differ for employee medical records and personnel records and filing the two types of records separately facilitates disposition of the records. For example, the General Retention and Disposition Schedule for New York State Government Records authorizes destruction of employee personnel records 6 years after employee separation from agency, whereas, for example, employee hazardous substance exposure records, which usually contain medical information, must be retained 30 years after exposure per federal Occupational Safety and Health Administration (OSHA) regulations. Local government retention items make a similar distinction in terms of retention periods for personnel records and employee medical records.
     
  2. It is important to limit access to employee medical records to a small number of human resources staff and physical separation of medical and personnel records allows you to do this. Although most staff in an HR department have access to personnel files, only one HR staffer should have access to employee medical information. Limiting access to employees' medical records helps ensure privacy and assures that personal medical information won't get in the hands of staff who don't have a need to know.
     
  3. There are federal laws that require employee medical records be filed separately. Here is a listing of those laws: 

    The Americans With Disabilities Act (ADA) imposes very strict rules for handling information obtained through post-offer medical examinations and inquiries. Employers who are covered by the ADA must keep these medical records confidential and separate from other personnel records. This information may be revealed only to safety and first aid workers, if necessary, to treat the employee or provide for evacuation procedures; to the employee's supervisor, if the employee's disability requires restricted duties or a reasonable accommodation; to government officials as required by law; and to insurance companies that require a medical exam [see ADA Sect. 12112 (d)(3)]. 

    The Health Insurance Portability and Accountability Act (HIPAA) also imposes privacy obligations on many employers who provide group health plans. Under HIPAA, employers are required to protect the privacy of employees' personal health-related information by designating an in-house privacy official, adopting policies and procedures to keep this information private, and notifying employees of their privacy rights, among other things.

    The Genetic Information Nondiscrimination Act (GINA) also requires employers to keep employee medical records confidential. GINA prohibits employers from requesting or requiring that employees provide genetic information. If, however, the employer receives such information inadvertently or pursuant to one of the strict exceptions to the law, the employer must keep it in separate, confidential files [see GINA Sect. 206].

    The Family and Medical Leave Act (FMLA) also stipulates that covered employers must maintain “records and documents relating to certifications, re-certifications or medical histories of employees or employees' family members, created for purposes of FMLA, …as confidential medical records in separate files/records from the usual personnel files” [see FMLA Sect. 825.500(g)].