The following are ITS Divisional policies regarding storage and transmission of personal identity information (PII). While these practices are encouraged for all PII, this policy specifically applies to ITS employees and their individual use of PII in the course of their jobs.

1. ITS employees must limit their own storage of PII to the minimum amount necessary, guided by law and policy.

2. ITS employees are not to download unencrypted PII to portable devices or media such as mobile phones, PDAs, USB drives, and CDs/DVDs.

3. As a general rule, PII should be stored on secure servers. If an ITS employee must temporarily store unencrypted PII on his or her desktop or laptop computer, it must be securely erased on a regular basis (i.e. daily). See the link below for information about secure deletion tools.

4. PII must be transmitted securely. This includes remote access. Additionally, ITS employees are not to send PII in unencrypted email or via unencrypted instant messaging (IM).

5. ITS employees are not to store or access PII on a non-University device.

ITS employees with questions about what constitutes PII, about University security policies, or for information about securely deleting files, should refer to ITS' PII Information & Resources page. Additional information about protecting restricted data, including PII, is available at http://its.ucsc.edu/policies/rd.html.

ITS employees are to consult with their supervisor about questions regarding incorporating these practices into their job responsibilities. Questions about policies relating to the protection of PII should be forwarded to the IT Support Center: itrequest.ucsc.edu, help@ucsc.edu, 459-HELP (4357), or 54 Kerr Hall M-F 8 AM to 5 PM.

Rev. Dec 2010