Sensitive information should never be made public and should be used strictly for authorized business purposes and only as long as needed. There are two kinds of sensitive information:
- Regulated by law (state or federal) or by industry (e.g., FERPA, HIPAA, SSNs and credit card numbers), and
- Confidential by virtue of its importance to the business operations of the College (e.g., contracts, performance reviews, financial reports)
Personal Information Requiring Notification (PIRN)
PIRN is a category of sensitive information requiring special protection because its loss or theft requires notification of the victims by virtue of Minnesota Law. In Minnesota, PIRN is defined as a person's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such a person:
- Social Security number
- Driver's license number or state-issued identification number
- Financial or investment account number or credit/debit card number in combination with any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account
- Passport number
How should sensitive information be stored or transmitted?
- PIRN, as defined above, should never be transmitted via email (regardless of domain) and should not be stored in Google Drive.
- Sensitive information that is not PIRN may be transmitted via email within the Macalester domain (i.e., from/to a @macalester.edu account).
- Sensitive information that is not PIRN may also be stored in Google Docs provided the “shared” settings only include those who absolutely need access to this information and only for as long as they need it.
- Sensitive information of any kind should not be transmitted via email to an external domain (i.e., an email@example.com account).
- Sensitive information should be backed up to a secure, professionally administered system such as the G:/ drive. Access to folders on the G:/ drive containing sensitive information should be limited to those who absolutely need access to this information and only for as long as they need it. Because of the redundancy and protection applied to the G:/ drive, storing sensitive information in this manner ensures rapid and effective recovery in the event of data loss.