UC Santa Cruz Information Technology Services

Personal Identity Information Resources


What is PII?

Personal Identity Information, or PII, is a specific category of particularly sensitive data defined as:

Unencrypted electronic information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:

  • Social Security number (SSN).
  • Driver’s license number or State-issued Identification Card number.
  • Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account.
  • Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional)
  • Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records)

California State Law (Civil Code 1798.29) requires that Personal Identity Information (PII) be appropriately protected and that affected individuals be notified of any reasonable suspicion of a compromise of that protection. The University is responsible for complying with these legal requirements and for providing employees with information about requirements and responsibilities relating to PII.

*Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml


Data Management Practices for PII

In general, the best way to protect PII is not to have it in the first place. Three overarching data management practices for individuals who work with this type of information are:

  1. Securely delete PII when there is no longer a business need for its retention on computing systems. This includes extra copies and data that has exceeded its required retention period. Always shred or otherwise destroy PII before disposing of it. For information on how to securely delete files, see IT Request FAQ #533 (Mac) or IT Request FAQ #822 (PC).
  2. Truncate or de-identify PII that you must retain whenever possible.
  3. Protect all intact PII that you must retain, whether it is on a work computer or a home computer. Encryption can dramatically reduce the risks associated with stored PII. See "UCSC PII Resources," below, for links to information about protecting PII and other types of sensitive information.


System Stewards with primary responsibility for the existence of PII are responsible for the security and use of that data in original systems as well as any downstream locations where the data may be sent. This includes ensuring appropriate education and training for employees with access to PII.


Common places where PII may be found

University-related personal identity or sensitive information is likely to be found in files and email containing the following types of information. While this is not an all-inclusive list, you can use it as a guide to locate PII you may not be aware of so you can remove or protect it. Remember to check old and archival files and email, too.

  • Student records, including old class lists, student rosters, financial aid and grade records
    • One way to locate older class lists is to search your older email for messages from script@cats.ucsc.edu. Any that are older than September 1, 2004 are likely to be class lists with Social Security numbers.
  • Personnel- or academic-related spreadsheets, databases, and files
  • Old Lx/Rx forms, UPAY forms, Travel Reimbursements and Pro Card Forms
  • Health, medical, or insurance records
  • Downloads from Banner/FIS, PPS, AIS, DivData, or Data Warehouse/InfoView
  • Financial spreadsheets
  • Old applications (job or student), performance evaluations or reference letters
  • Credit card sale records
  • Credit and collections records
  • Research proposals or databases, research grant applications, or other Intellectual Property (IP)
  • Data related to DMV pull notices


Examples of electronic devices on which personal or sensitive information may be stored include:

  • Desktop and laptop computers
  • Servers
  • Personal or home computers used for University business
  • Portable electronic devices, such as personal digital assistants (PDAs), Blackberries, data phones, and other mobile devices
  • Removable media, such as CDs/DVDs, flash drives, disks, and backup tapes

UCSC PII Resources

Other UCSC and University Security Policies, and Related Laws


Getting Help

For questions about PII or any of these resources, contact the ITS Service Manager for Community and Compliance at itpolicy@ucsc.edu or (831) 459-2779.

For technical questions about protecting or securely deleting PII, contact:

To report a suspected security breach or compromise involving PII, including the theft or loss of computing equipment that contained PII:

  • Report suspected security breaches or compromises involving PII to your supervisor and the ITS Support Center (see contact info above) as soon as possible. If no one is available to receive your report, you may contact the UCSC Information Security Team at security@ucsc.edu.
  • Any suspected theft of UCSC-related computing equipment should be reported to the UCSC Police Department (http://www2.ucsc.edu/police or 459-2231). Be sure to let them know if the stolen equipment contains any sensitive information, including PII. Local authorities should also be contacted if the incident occurred away from campus.

Rev. 2/23/09