Protection of Administrative Records Containing Personally Identifiable Records
This guide provides employees guidance on how to identify personally identifiable information (PII).
“The term PII…refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” (U.S. General Services Administration)
Categories of PII: Protected PII and Non-sensitive PII.
Access to protected PII must be restricted to only those employees who need it to perform duties in connection with the scope of their work at the college. Protected PII must be protected, properly stored, and properly disposed of. Examples of protected PII include, but are not limited to:
- Personally identifiable numbers: Social Security numbers (SSNs), credit card numbers, bank account numbers
- Home telephone numbers
- Biometric identifiers (fingerprints, voiceprints, iris scans, etc.)
- Medical history
- Financial information
- Computer passwords
- Student academic records (grades)
“Non-sensitive PII is information that is not linked or closely associated with protected PII that, by itself, could not reasonably be expected to result in personal harm.” (U.S. Department of Labor) Examples of non-sensitive PII include, but are not limited to:
- First and last names
- Email addresses
- Student identification numbers (C#)
- Business address and telephone numbers
- General education credentials (e.g., degrees earned)
However, in some circumstances, a combination of multiple non-sensitive PII items could amount to protected PII.
It is never acceptable to email a social security number. While it is acceptable to email a student name and their student identification number (C#), employees should avoid sending more than three pieces of non-sensitive information in a single email.
The loss or improper handling of PII can result in substantial harm to individuals. Since employees may have access to PII concerning students and other sensitive data, the College has a special responsibility to protect that information from loss or misuse.
It is your responsibility to:
- Safeguard all student and employee information
- Obtain approval from your supervisor prior to taking any protected PII away from the office
- When such approval is granted, the employee must adhere to all college security rules, policies, and procedures regarding HIPAA, FERPA, PII, and other sensitive and/or protected information.
On occasion, a student, employee, or vendor may email protected PII. In these instances, you should email the individual and inform them of the proper avenue to share their protected PII. Additionally, you must immediately delete the email and empty your email trash. Below is an example excerpt you can use to communicate the process.
“I have received your (document); however, please note that email is an unacceptable form of transmission for (documents) as it is not a secure method of transmitting personally identifiable information (PII). I have deleted your original email from my inbox and deleted items folder. In the future, please submit (documents) via fax, USPS, or request a link to submit (documents) via secure transfer. Please let me know if you have any questions.”
For more information, please review the U.S. Department of Labor’s Guide on the Handling and Protection of Personally Identifiable Information (PII).
For information on the systematic review, retention, and destruction of documents received or created, please refer to the Board of Governors Policy Series 1, Rule 17.1 General Rules Record Retention.