Storage and Transmission of Personal Identity Information (PII)

Home UCSC Information Security Security & Technology Policies and Guidelines Storage and Transmission of Personal Identity Information (PII)

The following are ITS Divisional policies regarding storage and transmission of personal identity information (PII). While these practices are encouraged for all PII, this policy specifically applies to ITS employees and their individual use of PII in the course of their jobs.

1. ITS employees must limit their own storage of PII to the minimum amount necessary, guided by law and policy.
2. ITS employees are not to download unencrypted PII to portable devices or media such as PDAs, USB drives, and CDs/DVDs.
3. As a general rule, PII should be stored on secure servers. If an ITS employee must temporarily store unencrypted PII on his or her desktop or laptop computer, it must be securely erased on a regular basis (i.e. daily). See the link below for information about secure deletion tools.
4. PII must be transmitted securely. This includes remote access. Additionally, ITS employees are not to send PII in unencrypted email or via unencrypted instant messaging (IM).
5. ITS employees are not to store or access PII on a non-University computer.

ITS employees with questions about what constitutes PII, about University security policies, or for information about securely deleting files, should refer to ITS' Security Awareness PII Resources page. Additional information about protecting restricted data, including PII, is available at http://its.ucsc.edu/security/policies/rd.php.

ITS employees are to consult with their supervisor about questions regarding incorporating these practices into their job responsibilities. Questions about policies relating to the protection of PII should be forwarded to the IT Service Manager for Community and Compliance at itpolicy@ucsc.edu or 9-2779.

Rev. April 2009