Thursday, September 26, 2013

Protecting Sensitive Information

Sensitive information should never be made public; it should be used strictly for authorized business purposes and only for as long as needed.  There are two kinds of sensitive information:

  1. Regulated by state or federal law or by industry (e.g., FERPA, HIPAA, SSNs and credit card numbers), and
  2. Confidential by virtue of its importance to the business operations of the College (e.g., contracts, performance reviews, financial reports)

Personal Information Requiring Notification (PIRN)

PIRN is a category of sensitive information requiring special protection because its loss or theft requires notification of the victims by virtue of Minnesota Law.  In Minnesota, PIRN is defined as a person's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such a person: 

  • Social Security number
  • Driver's license number or state-issued identification number
  • Financial or investment account number or credit/debit card number in combination with any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account
  • Passport number

How should sensitive information be stored or transmitted?

  • PIRN, as defined above, should never be transmitted via email (regardless of domain) and should not be stored in Google Drive.
  • Sensitive information that is not PIRN may be transmitted via email within the Macalester domain (i.e., from/to a account).
  • Sensitive information that is not PIRN may also be stored in Google Docs provided the “shared” settings only include those who absolutely need access to this information and only for as long as they need it.
  • Sensitive information of any kind should not be transmitted via email to an external domain (i.e., a account).
  • Sensitive information should be backed up to a secure, professionally administered system such as the G:/ drive.  Access to folders on the G:/ drive containing sensitive information should be limited to those who absolutely need access to this information and only for as long as they need it.  Because of the redundancy and protection applied to the G:/ drive, storing sensitive information in this manner ensures rapid and effective recovery in the event of data loss.
