
General

The nature of internal audit work requires that, to the extent permitted by law, we have unrestricted access to all sources of information, property, and personnel at the University. Because we often work with sensitive matters or information that is not subject to public disclosure, we must take careful precautions to maintain the confidentiality of these items.

Our correspondence (including audit reports) is classified as public documents.

Although our working papers are exempt from disclosure under public records laws, only appropriate supporting information should be maintained in such files.

Information that we obtain and documents that we prepare must not be given to anyone other than individuals within the University who need to know or the State Auditor’s staff except with the specific approval of the Chief Audit Officer or the Chancellor. Unauthorized disclosure of confidential information from personnel files is a misdemeanor and can result in disciplinary action.

While we may be compelled to provide copies of items from our working papers, we should refer requests for other information to the office that is responsible for those records; for example, Employee Records is responsible for personnel information. Subpoenas, other court orders, and requests under the Public Records Act should be referred to the senior University Counsel.

Public Information

The following information from personnel records is public and may be included in the working papers or written communications. An employee's:

  • age;
  • current department and entry-on-duty date;
  • current position title and salary; and
  • date of most recent personnel action (promotion, demotion, transfer, etc.) and the date and amount of most recent salary change.

Students’ addresses, majors, and other “directory information” may also be public information.

Employees’ and students’ names are public information but should not be used in documents we prepare if the name will be linked to or displayed with potentially confidential information, such as an evaluation of an employee’s performance.  As a rule, we should structure a document so that the result of work performed is clear but not include anything that makes the information personally identifiable.

Confidential Information

Federal and state privacy laws require that many types of information be protected from public disclosure. Penalties range from a possible misdemeanor conviction and fine for the individual who disclosed the information to the loss of all funds the University receives from the US Department of Education until we can show compliance with privacy laws.

Confidential information includes, but is not limited to:

  • social security numbers;
  • bank account numbers;
  • debit and credit card numbers;
  • any information from an individual’s personnel file, except those items identified above;
  • medical records;
  • student records, except for “directory information;”
  • library users’ records; and
  • information protected by the Health Care Portability and Accountability Act.

We should never include social security numbers in our working papers. If our audit procedures involve the review of confidential records, we should document the results of the review in a way that protects the privacy of the individual involved. For example, when scheduling the results of a review of financial aid or student health records, we should use a code number or initials to identify the records tested. We should also expunge names and social security numbers from copies of documents that are included in the working papers.

While we sometimes work with the State Bureau of Investigation when conducting misuse reviews, we cannot provide them with certain pieces of information without a court order or written consent of the individual involved. NCGS §126-24.5 states that information from personnel files not specifically designated as public “shall not be divulged for purposes of assisting in a criminal prosecution, nor to assist in a tax investigation.”

Sensitive Information

In some projects, we may review information that is not specifically protected by privacy laws but is proprietary or sensitive. Examples include records relating to research in process, contract negotiations, employee benefits, or past-due accounts. We should handle these items in the same manner as confidential information.