Required for ITS employees and best practice for UCSC employees who use PII in the course of their job.
About this policy
Last updated: 03/01/2017
Responsible office: Information Technology Services
Limit use of PII
ITS employees must limit their own storage of PII to the minimum amount necessary, guided by law and policy.
Downloading
ITS employees are not to download unencrypted PII to portable devices or media such as mobile phones, tablets, USB drives, external hard drives, and CDs/DVDs.
Storage
As a general rule, PII should be stored on secure servers. If an ITS employee must temporarily store PII on his or her desktop or laptop computer, it should be encrypted and securely deleted as soon as possible. If an ITS employee must temporarily store unencrypted PII on his or her desktop or laptop computer, it must be securely erased on a daily basis.
Sharing/transmission
PII must be transmitted securely. Additionally, ITS employees are not to send PII in unencrypted email or via unencrypted instant messaging (IM) or texts.
P3-P4 data
PII and other P3-P4 data must be encrypted if stored in Google, other non-UCSC services, or cloud services.
Devices
ITS employees are not to store or access PII on a non-University device.
Questions
ITS employees should consult with their supervisors about questions regarding incorporating these practices into their job responsibilities. For questions about policies relating to the protection of PII, please contact ITS.