ITS Policy: Storage and Transmission of Personally Identifiable Information (PII)

The following are ITS Divisional policies regarding storage and transmission of personally identifiable information (PII). While these practices are encouraged for anyone working with PII, this policy specifically applies to ITS employees and their individual use of PII in the course of their jobs.

  1. ITS employees must limit their own storage of PII to the minimum amount necessary, guided by law and policy.
  2. ITS employees are not to download unencrypted PII to portable devices or media such as mobile phones, tablets, USB drives, external hard drives, and CDs/DVDs.
  3. As a general rule, PII should be stored on secure servers. If an ITS employee must temporarily store PII on his or her desktop or laptop computer, it should be encrypted and securely deleted as soon as possible. If an ITS employee must temporarily store unencrypted PII on his or her desktop or laptop computer, it must be securely erased on a daily basis.
  4. PII must be transmitted securely. Additionally, ITS employees are not to send PII in unencrypted email or via unencrypted instant messaging (IM) or texts.
  5. PII and other P3-P4 data must be encrypted if stored in Google, other non-UCSC services, or cloud services.
  6. ITS employees are not to store or access PII on a non-University device.

ITS employees with questions about what constitutes PII, about related University security policies, or for information about encryption tools or securely deleting files, should refer to ITS' PII Information & Resources page. Additional information about protecting P3-P4 data, including PII, is available at

ITS employees are to consult with their supervisors about questions regarding incorporating these practices into their job responsibilities. Questions about policies relating to the protection of PII should be forwarded to the IT Support Center: 459-HELP (4357).

Rev. March 2017