Physical Records

• Access to file cabinets containing confidential data must be limited to trained and authorized personnel.
  • Access to be determined by Data Steward according to Western University MAPP 1.23
• Access logs must be maintained and reviewed periodically.
• Confidential data must never be left unattended while in use.
• When transporting or temporarily removing records, they must be secured in locked containers and tracked.
• Staff must receive annual training on proper handling procedures and incident reporting.

Electronic Records

• Read/write access must be granted based on need, role and least privilege principles.
  • Access to be determined by Data Steward according to Western University MAPP 1.23
• Access must be reviewed quarterly and revoked immediately when no longer needed.
• When in use, data must be shielded from unauthorized viewing (e.g., use of privacy screens).
• Screen locking must be enabled after a short period of inactivity.
• Data minimization must be practiced—only access what is needed.
• Remote access must be through secure, encrypted channels (e.g., VPN).
• Copying or transferring data must be restricted and logged.
• Systems must log access and usage events.
• Any suspected misuse or exposure must be reported immediately to the appropriate authority according to Western's Breach Notification Process.

Physical Records

• Access to file cabinets containing sensitive data must be limited to trained personnel.
  • Access to be determined by Data Steward according to Western University MAPP 1.23
• Access logs should be maintained where feasible.
• Sensitive data must not be left unattended while in use.
• When transporting or temporarily removing records, they must be secured and tracked.
• Staff should receive periodic training on proper handling and reporting procedures.

Electronic Records

• Access must be granted based on need, role and least privilege principles.
  • Access to be determined by Data Steward according to Western University MAPP 1.23
• Access must be reviewed periodically and revoked when no longer needed.
• Auditing must be enabled to track access and changes to sensitive data.
• Data must not be placed where it can be accessed by unauthorized individuals
• Devices must use screen locking and auto-timeout features.
• Data minimization should be practiced—only access what is needed
• Remote access must be through secure, encrypted channels (e.g., VPN).
• Shared systems must have user-specific logins and session isolation.
• Any suspected misuse or exposure must be reported promptly to the appropriate authority according to Western's Breach Notification Process.
• Systems should support basic alerting for unusual access patterns.

Physical Records

No restriction on how data is used.

Electronic Records

No restriction on how data is used.