Protecting Personally Identifiable Information (PII)
Dec 17, 2024
Safeguarding Personally Identifiable Information (PII) is essential to maintaining security and trust within our university community. PII is any data that can be used to identify a specific individual, either on its own or when combined with other information. This includes direct identifiers like full names and Social Security numbers, as well as indirect identifiers such as date of birth and gender. PII data is considered confidential and highly confidential based on the university’s data classification, so you should treat and protect it as you would your own personal data.
Data Classification
Data classification is determined based on the type of data you are handling. It is more important than ever to understand what data you collect, transmit, or store and what the technology you use on a day-to-day basis collects, transmits, or stores. It is critical to know the data classification so you can use security best practices to protect the data appropriately. There are many data classifications such as:
- Public Data
- Confidential Data
- Highly Confidential Data
Pro-tip: most software collects, stores, or shares some type of data, so the more you understand data classification, the more you start to see how much data the software you use has access to. The next time you use a piece of software, pay attention to the different data points you access.
What Classifies as PII Data?
PII data falls under the data classifications listed above based on the information you are collecting, storing, or sharing. This includes information that, if disclosed, could cause significant harm to an individual and/or lead to identity theft, which would have detrimental effects on their life. Some examples include:
- Full Name
- Social Security Number
- Driver’s License Number
- Payment Card Industry Data Security Standard (PCI-DSS) Data
  - Credit card numbers
  - Primary account number (PAN)
  - Expiration date
  - Service code (CVV)
- Protected Health Information (PHI)
  - Medical Records
  - Demographic information as it relates to your medical records
  - Genetic Information
  - Billing Information
- Student Records (e.g., grades) (FERPA)
- Race
- Gender
- Date of birth
Best Practices for Handling PII
Before handling PII or sharing it with someone other than yourself, you should consider why this information needs to be shared and whether the method you choose to share it is secure.
If you have the business need and authorization to share this information with others, do so in accordance with security best practices, and only use the system or technology that is approved for the type of data you are sharing. For example, FERPA and HIPAA have clearly identified systems and require authorization from the student or patient to share data.
PII should never be shared via email unless specifically identified in agreements with proper security controls in place. Additionally, make sure you follow these best practices:
- Use Secure Methods: Encrypt emails containing sensitive information, especially when communicating with external parties.
- Legal Agreements: Ensure you have a Non-Disclosure Agreement (NDA) and a legal agreement in place to protect the data.
- Use Secure Technology: The university has several compliant secure file storage systems, including OneDrive and Isilon, that can also be used to share files.
For more detailed guidelines, refer to these resources:
By following these best practices and staying informed, you can help protect sensitive information, maintain the security of personal data, and ensure we do not violate data protection laws and security standards, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS).