Policy for Management of Sensitive Personal Information on External Devices

A data extract is information that is downloaded or copied from any AU database system (such as Banner and Blackboard) and maintained in electronic or print format outside of the originating system. This policy, in accordance with the Alfred University Confidentiality Agreement, details how University employees will manage sensitive personal information that is transmitted to any personal or business media, including, but not limited to, storage devices such as a cell phone, laptop, file, CD, diskette, USB drive, or printed report. Additionally, it addresses sensitive personal information that is transmitted across the network (including AU's VPN network) to any external storage device.

For clarification, this policy is limited to data extracts that contain sensitive personal information – an individual’s name in combination with any of the following related information: (a) Social Security number; (b) Date of Birth; (c) driver’s license number; or (d) credit card or financial account number.

An example of what is NOT considered a data extract under this policy is the download of name and address information for correspondence purposes. In addition, remotely accessing and working with files and information across the VPN is NOT considered a data extract. However, if you physically download (transfer) record(s) from an internal AU database system to a remote laptop or storage device through the VPN, this is considered a data extract.

Procedures for Handling Extracted Data Containing Sensitive PII

The risks from extracted personal data can be reduced in several ways:

  • If the sensitive data is not needed in the extract, do not include it
  • Limit the number of records in the extract to the smallest number needed
  • Delete the extract as soon as it is no longer needed

In order to protect data extracts containing sensitive personal information from AU premises, employees must:

  • Ensure that any extract which is no longer needed is securely erased
  • Encrypt and/or password protect prior to transmission any sensitive PII data extracts that are sent to an external e-mail address. The password or encryption key should be forwarded to the recipient in a separate e-mail from the attached file
  • Information owners are responsible for protection of the data that they have extracted
  • Information owners should make a reasonable attempt to secure devices with sensitive personal information (a laptop in a locked car is not considered secure)
  • Office Directors and Supervisors are responsible for ensuring that their employees understand and comply with these policies