Identifying and Protecting PII

What is PII?

Personally Identifiable Information (PII) is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information (including address).

Protecting PII

Limit Collection of PII

  • Only collect what is needed for a specific business purpose
  • Limit the number of copies of reports and files (Excel, CSV, Word) containing PII
  • Every time you create a form, application, or survey, run a query or report, or generate a file, consider whether all of the PII included is truly necessary
  • Remember: the less you collect, the less you need to protect

Limit Use of PII

  • Always remember that federal and state law limit the sharing of PII
  • Remember that federal law (FERPA) requires written consent to disclose PII from education records unless an exception applies
    • FERPA School Official Exception: PII may be disclosed without consent to other school officials only where there is a legitimate educational interest
    • PII may only be shared with third parties acting as school officials
  • Think before sharing data internally; consider whether there is a legitimate educational interest
  • Use fictional personal data for training and presentations
  • Remember that University policy requires that the sharing of data with external partners, vendors, and servicers be strictly controlled
    • If you or your department plan on sharing PII with a new external partner, a risk assessment is required
    • Data required to be shared in support of research, accreditors, or third-party surveys, even when only aggregate data is requested, must be reviewed and discussed with the Office of Institutional Research
  • Always think twice before sharing PII

Safeguard PII

  • Safeguard PII in all formats (this includes paper)
  • PII must be protected at rest and in transit
  • Data should be protected from loss or unauthorized access
    • Remember that sharing of passwords is prohibited
    • Maintain strong passwords
    • Secure all paper containing PII
      • Follow a clean desk policy
      • File documents containing PII in locked cabinets
    • Lock your computer screen when not in use
  • Safeguard the transfer of PII
    • Always email PII securely
    • Always pick up printouts containing PII immediately
    • Printers and copiers should be in an access-controlled environment
  • PII should never be stored on unsecured or public computers, or on portable devices (flash drives, phones)
  • Dispose of PII properly
    • Shred paper containing PII
    • Delete or dispose of PII securely at the end of its retention period

Governance of PII and its use is administered by the University's Information Security Governance Subcommittee (ISGC). The University has established this subcommittee to oversee security and data privacy issues, including ensuring the confidentiality, integrity, protection, and availability of the University's information assets. It is important that we remain vigilant about protecting the University's information, and we appreciate your efforts and compliance in this matter.

If there is a business need that requires PII to be used outside of the University's enterprise systems, or if you have concerns about the protection or use of PII, please contact the Office of Information Technology at 718-990-5000 (x5000).