Scanning for Personal Identity Information (PII) on Campus Systems
This model applies to scans performed outside of ITS’ Routine Monitoring Practices.
Individuals may scan their own systems for PII. Scan results may contain PII and must be protected and disposed of appropriately, according to the sensitivity of the data they contain.
II. Service Providers and Unit/Departmental Managers:
- Service Providers: Service Providers are authorized to scan for and access PII on systems for which they have administrator privileges, with the permission of the System Steward or Data Owner.
- Note: For departmental systems or servers with shared data, the System Steward is the Departmental Manager.
- Unit/Departmental Managers: Unit/Departmental Managers are authorized to scan departmental systems for which they are the system steward. Unit/Departmental Managers are not authorized to scan other systems, including individual users’ systems, without the explicit consent of all parties whose data will be scanned.
Prior to performing a scan for PII on any system, Service Providers or Unit/Departmental Managers must
- Provide advance notification of the scan to all individuals, managers and System Stewards whose data will be scanned
- Provide an option for individuals to request an exemption from the scan
- Advance notification must be sufficient to reasonably allow individuals to exercise this option.
- Additional security controls may be required for data excluded from scans.
C. Scan Results
Service Providers and Unit/Departmental Managers must adhere to the following requirements with respect to scan results:
- Assure a practice of least perusal and least retention of scan results
- Consult with user/data owner (if known) on scan results indicating potential PII
- Proper protection and disposal of scan results
III. UCSC IT Security:
As part of UCSC’s standard security incident response procedure, UCSC IT Security is authorized to scan, or to direct other UCSC Service Providers to scan, for PII on any system in response to a potential security breach or compromise. Where possible and practical, the system steward (or the data owner in the case of a non-shared system) shall be notified prior to performing the scan. If advance notice is not possible or practical, notification must be provided at the earliest reasonable opportunity. IT Security and other involved Service Providers must adhere to the requirements in Section II.C as applicable to a given security investigation.
The following terms used in this document are defined in the online Glossary of UCSC IT Policy-Related Terms, available at http://its.ucsc.edu/policies/glossary.html:
- Data Owner
- Personal Identity Information (PII)
- Service Provider
- System Steward
Rev. 10/17/14; Approved 5/22/15