ITS Policy: Storage and Transmission of Personal Identity Information (PII)
The following are ITS Divisional policies regarding storage and transmission of personal identity information (PII). While these practices are encouraged for anyone working with PII, this policy specifically applies to ITS employees and their individual use of PII in the course of their jobs.
- ITS employees must limit their own storage of PII to the minimum amount necessary, guided by law and policy.
- ITS employees are not to download unencrypted PII to portable devices or media such as mobile phones, PDAs, USB drives, and CDs/DVDs.
- As a general rule, PII should be stored on secure servers. If an ITS employee must temporarily store PII on his or her desktop or laptop computer, it should be encrypted and securely deleted as soon as possible. If an ITS employee must temporarily store unencrypted PII on his or her desktop or laptop computer, it must be securely erased on a daily basis.
- PII must be transmitted securely. Additionally, ITS employees are not to send PII in unencrypted email or via unencrypted instant messaging (IM).
- PII and other restricted data must be encrypted if stored in Google or any other non-UCSC service.
- ITS employees are not to store or access PII on a non-University device.
ITS employees with questions about what constitutes PII, about related University security policies, or for information about encryption tools or securely deleting files, should refer to ITS' PII Information & Resources page. Additional information about protecting restricted data, including PII, is available at http://its.ucsc.edu/policies/rd.html.
ITS employees are to consult with their supervisor about questions regarding incorporating these practices into their job responsibilities. Questions about policies relating to the protection of PII should be forwarded to the IT Support Center: itrequest.ucsc.edu, firstname.lastname@example.org, 459-HELP (4357), or 54 Kerr Hall M-F 8 AM to 5 PM.
Rev. March 2014