Identifying & Securing Personally Identifiable Information
Procedure
Domestic Violence Services of Cumberland & Perry Counties (DVSCP) employees, in the course of their normal job responsibilities, will come into contact with Personally Identifiable Information (PII). It is important for employees to understand their roles in the collection and storage of PII.
1. Purpose
The purpose of this procedure is to provide details on how to identify and handle Personally Identifiable Information (PII), the process of securely storing any PII that the organization is required to maintain, and what to do in the event of a disclosure of PII.
2. Scope
All staff, employees and entities working on behalf of DVSCP who are using DVSCP-owned or personally-owned computers or workstations that are connected to the DVSCP network are subject to this procedure.
3. Procedure
Identifying PII
There are two (2) types of Personally Identifiable Information (PII) and identification of each type will dictate the actions needed to ensure its safety and integrity.
- Public PII
This is information that is available in public sources such as telephone books, employee directories, public websites, etc. The following information can be considered Public PII:
- First and Last Name
- Address
- Work Telephone Number
- Work email address
- Home telephone number
- General educational credentials
- Student email address(es)*
- Photos and videos
*Note: Student email addresses can be considered directory info under the Family Educational Rights and Privacy Act (FERPA) and could be included on this list if there is no written request to withhold student directory information. In general, it would be best to consider ANY student information as protected until the existence of a request to withhold student directory information is verified or disproved.
- Protected PII
This is defined as any information which, if lost, compromised or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. It includes any one or more of the types of information that are outlined below:
- Social Security Number
- Username and password
- Passport number
- Alien registration number
- Credit card number
- Clearances
- Banking information
- Biometrics
- Date and place of birth
- Mother’s maiden name
- Criminal, medical and financial records
- Educational transcripts*
- Photos and video including any of the above
*Note: Educational transcripts do fall under FERPA guidelines; please see the FERPA Compliance procedure for details.
Maintaining PII
During the course of normal job responsibilities, employees may come in contact with either Public or Protected PII, either already existing in the DVSCP network, or as part of a business process. Because Protected PII requires special handling due to potential risk associated with its disclosure, it is important to 1) verify the need for the existence of PII in the DVSCP network and 2) ensure that the information is properly secured.
- Verifying the need to collect PII
Best practice dictates that an organization collect only the minimum amount of information needed to follow standard business procedures. Caution should especially be taken when collecting Protected PII. The need to collect the information should be periodically reviewed, and if deemed unnecessary, the procedures should be altered to reflect the change.
- Collection Procedures
If PII does need to be collected, employees have certain responsibilities in making sure the data is secured. Any written information resulting from a phone conversation must be destroyed via shredding. Physical files that contain PII should be locked in a secure cabinet or room when not being actively viewed or modified. Any PII data collected should not be stored on the local workstation; it would need to reside in OneDrive, where it is encrypted and backed up.
- Verifying the need to store PII
Whenever PII is found residing in the DVSCP network, a determination needs to be made regarding whether the information is needed for an existing business practice, or if it can be securely disposed of. If the information does need to be retained, please contact the DVSCP Human Resources Team (Business Manager or Executive Director) for guidance on the best means to secure or dispose of the information properly.
- Authorized dissemination of PII
In the event an outside entity would need to have any data that includes Protected PII, said entity would need to confirm that they understand the sensitivity of the information, and the need to properly safeguard it. Once it leaves the DVSCP network, the Human Resources team cannot guarantee its security. Transport of data should be done through secure means (ideally shared through OneDrive; otherwise encryption or secured transport are necessary).
- Unauthorized dissemination of PII
In the event of an unauthorized disclosure or access of PII:
- Report the incident to your direct supervisor
- Send an email to the Business Manager or Executive Director.
- Do NOT forward any compromised information in the email
- Include the location of the information (email or network location)
- If email, include the sender and subject (unless the subject contains the PII)
- Include any other relevant details, such as location and contact phone number
4. Enforcement
This procedure is for your protection. Violation of this procedure could be reported to the appropriate supervisor and could be subject to potential disciplinary action, up to and including termination.
5. Exceptions
Limited exceptions to the procedure must be approved by the DVSCP.
6. Definitions
- Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual’s identity, such as his/her name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
- FERPA: The Family Educational Rights and Privacy Act of 1974 sets forth requirements regarding the rights of students and the obligations of institutions to ensure the privacy and accuracy of education records.
7. Breach
PCCD requires all subrecipients to report any actual breach or detection of an imminent breach of PII within the scope of a federally funded program or activity or in the operation or use of a federal information system to PCCD within 24 hours after an actual breach or detection of an imminent breach. DVSCP agrees to report any actual breach or detection of an imminent breach of PII to PCCD within 24 hours after that actual breach or detection of an imminent breach.