Personally Identifiable Information (PII) - FAQ
Why should I protect PII?
We must protect PII for our students, faculty, staff and anyone doing business with the University. It has a direct and critical impact on everyone's lives. The loss of PII can result in substantial harm, embarrassment and inconvenience to individuals and may lead to identity theft or other fraudulent use of personal information.
What are examples of PII?
- First and last name
- Social security number
- Credit card number
- Physical address
- Account numbers
- Email address
- Physical/Personal traits
- Telephone number
- Employment history
- Academic history
- Medical information
- Mothers maiden name
- Maiden name
If Information is not handled properly the risks increase with each additional PII item on a form.
How should I store documents containing PII?
Only retain documents that are essential to performing the duties of your employment. When possible do NOT collect PII or dispose of it promptly. If the information must be retained it must be contained in a locked file cabinet, a locked office is NOT sufficient.
How should I dispose of documents containing PII?
Utilize a document shredder or a vendor that provides such services. If your department does not utilize such a vendor please contact purchasing for alternate recommendations.
How do I know if information is collected for a valid business reason?
Documents utilized to collect PII should be reviewed annually to ensure that the information is still relevant and that it can NOT be easily obtained through other means.
Is there any specific information that should NOT be retained?
Human Resources, Grad School and Career Services are the official repositories for personnel files; duplicate files should not be maintained by your department. If you feel the need to retain any such documentation to ensure proper processing, it should be appropriately destroyed once processed. When collecting PII that must be retained for a specific period, make use of the University Data Retention Schedule/policy.
How do we communicate with our student employees to ensure that they understand their obligation to protect PII?
Have students sign confidentiality agreement and clearly explain to them what is considered to be PII, how they should protect it, and how they should appropriately destroy such information.
What if I think that there is a problem with how PII is being handled?
Bring it to the attention of your supervisor immediately. If corrective action is not taken or if an area needs assistance with solving the problem contact:
- Doris Celian, controller, ext. 3328, firstname.lastname@example.org
- Ronald Woody, CIO, ext. 2290, email@example.com
- Christine Shell, registrar ext. 2382, firstname.lastname@example.org
- Lauren London, general counsel, ext. 8097, email@example.com
What if I need to share PII with other departments on a regular basis?
It is advisable to hand walk sensitive documents across-campus, or create a secure folder on a shared drive with appropriate access for all involved.
What can I do to ensure the PII is protected during transmission/delivery?
- Fax: Some of the basic procedures around fax security include ensuring the numbers of pages of the fax received are the same amount sent, reassembling the received document, appropriate distribution, and confirmation of receipt. When attempting to create a secure fax infrastructure, fax machines must be isolated in a secure area. This area must be restricted to authorized employees only. If you need to send a secure fax, using secure hardware from secure locations is also recommended. For more information about secure fax machines, contact the IT Help Desk.
- U.S. Postal Service: USPS is considered to be preferable when sending PII.
- Recipient internal to EMU: As an alternative to email, consider placing the PII data in a file on an internal network drive accessible to both the sender and recipient. The file should be erased from the shared network drive once the recipient has downloaded it.
- Recipient external to EMU: Where possible, the file/document containing the PII should be password protected. The sender should send two emails to the recipient: one with the password protected file attached; the other with the password to be used to access the file. Do not send both items in a single email. Finally, the sender should ask the recipient to contact them to confirm that they have received the PII file and have been able to successfully access it. The sender can them delete both emails from their "Sent Items" folder.
- On campus mail: Documents containing PII should be hand delivered by the sender.
Can I download PII to a portable device?
Downloading PII to portable devices should be avoided when possible. If it is absolutely necessary to do so, contact the IT Help Desk so that they can assist you in encrypting the device. 734.487.2120 or visit the help desk website.
How can I best protect electronic information?
Lock computers when not in use; a computer can be set to lock when not in use for a specified period of time. Do not share passwords.
How do I best protect student academic information?
Visit the registrar's website to review FERPA regulations.
What do I do if I see grades posted with student names and/or EID numbers?
Remove the information and destroy the document appropriately. Contact the Registrar to report infraction.
What do I do if I maintain a server outside of the IT data center?
Contact the IT Help Desk they will provide security standards to protect the server.
How can I minimize my use of sensitive information?
Whenever possible, minimize the duplication and dissemination of files and papers containing PII. If you need to use a unique number or data element to identify individuals, use email addresses or EID instead of Social Security numbers. Only print, extract, and copy PII when the risk is justified by an official need that is not easily met using other means. When using paper copies, redact PII that is not necessary for your immediate use or for a recipient to see.
How do I dispose of copiers and scanners that may have hard drives?
Contact the Purchasing Department.
What if I pass PII to a third party servicer?
Anytime a vendor has access to PII collected by the University they must sign a Date Security Agreement form.
What is defined as a breach of PII?
A "breach" is defined as loss of control, compromise, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.