Model for Social Security Number Scanning on Campus Systems

General Methodology for Performing Scans for Personal Identity Information (PII), e.g. SSN

Users:

Users may scan their own systems for PII. Scan results may contain PII and must be protected and disposed of accordingly.

Service Providers and Unit/Departmental Managers:

Prior to performing a scan for PII on any system, Service Providers or Unit/Departmental Managers must

  • Provide advance notification of the scan to all individuals, managers and system stewards whose data will be scanned
  • Provide an option for individuals to request an exemption from the scan, to remove or exclude personal or electronic communications files from the scan, and/or to choose to scan their own systems themselves
    • Advance notification must be sufficient to realistically allow individuals to exercise these options.

Service Providers and Unit/Departmental Managers must adhere to the following agreements with respect to scan results:

  • Assure a practice of least perusal and retention of scan results
  • Consult with user/data owner (if known) on scan results indicating potential PII
  • Proper protection and disposal of scan results

UCSC IT Security:

As part of UCSC’s standard security incident response procedure, UCSC IT Security is authorized to scan, or to direct other IT Service Providers to scan, for PII on any system in response to a security breach or compromise. The system steward (or the data owner in the case of a non-shared system) shall be notified prior to performing the scan. IT Security and other involved IT Service Providers must adhere to the above agreements with respect to scan results as applicable to a given security investigation.


Authorization for Performing Scans for PII Data

Individuals:

Individuals are authorized to scan their own systems for PII.

Service Providers:

Service Providers are authorized to scan for and access PII on systems for which they have administrator privileges, with the permission of the system steward or data owner.

  • Note: for departmental systems or servers with shared data, the system steward is the departmental manager.

Unit/Departmental Managers:

Unit/Departmental Managers are only authorized to scan departmental systems for which they are the system steward, and must comply with the terms outlined above for these scans. Unit/Departmental Managers are not authorized to scan other systems, including individual users’ systems, without the explicit consent of all parties whose data will be scanned.

UCSC IT Security:

UCSC IT Security is authorized to scan for PII on any system in response to a security breach or compromise as part of UCSC’s standard IT incident response procedure.


Related UC Policy

University of California Electronic Communications Policy (ECP)


Rev. 8/27/10