You receive sensitive information every day, such as Social Security numbers, credit card data, GMAT® scores, and tax information. How long you keep it and how you store it directly affect your chances of losing data and having to notify applicants, students, or alumni.
Although most data leaks are accidental (laptops stolen, files inadvertently posted online), there are steps you can take to lower the chance of an incident. First, set up a standard for data storage, and destroy all records as soon as they are no longer useful.
“Knowing how long you need to keep data is key to protecting your institution,” says Allen Brandt, GMAC® corporate counsel, data privacy and protection. “Sensitive information should stay in your files only as long as it is valuable for making decisions.”
Second, consider splitting the data between two or more servers. Names and addresses are public information, but when linked to Social Security numbers, credit card numbers, financial information, test scores, etc., they can be dangerous. Storing the sensitive data separately reduces the risk that a data thief could access both files and match the names to the numbers, or that both files would be exposed.
Third, encryption is recommended by many privacy experts as the best way to lock up the information. Many software packages available commercially limit access to personally identifiable information; your IT department can help you decide what will work best for your office. Encryption has the added bonus of protecting your institution, in most cases, from having to notify people whose information may have been accessed. (Notification laws vary from state to state and are constantly evolving.)
The 2007 Annual Industry Conference in Philadelphia, PA, June 14–16, will feature a session on data privacy and protection.
This article is not intended to be specific, comprehensive legal advice. Please consult with your institution’s legal resources about questions you may have regarding data privacy and protection.