Policy Number: 1-22
Policy Name: Personal Non-Public Information (PNPI) Policy
Date: October 6, 2005; September 5, 2006
The purpose of the Personal Non-Public Information (PNPI) Policy is to expand on the Information Security Policy #1-15 to establish requirements for protecting personal, non-public information and notifying individuals whose personal, non-public information may have been disclosed by computer security breaches.
Personal, non-public information is any information that uniquely identifies a person and provides confidential information (e.g., academic, financial, medical records) about that individual. Social Security number, driver's license number, credit card and other financial account number in combination with name and security code or password needed to access the credit card or financial account pose a high risk of identity theft or financial loss to the individual if improperly disclosed. Personal, non-public information does not include published directory information or information that is lawfully made available to the general public from federal, state or local government records.
Unless required by law, or needed to perform core departmental activities which cannot be immediately facilitated by other means, Social Security numbers or other high risk personal, non-public information must not be collected or stored.
Personal, non-public information should not be stored on unit-adminstered computing systems. Whenever possible, centrally administered systems must be used to retrieve, process or store personal, non-public information. If personal, non-public information must be stored locally in the unit, it must be encrypted.
Secure, encrypted communications must be used when collecting or transmitting personal, non-public information. Personal, non-public information should not be sent via e-mail unless required by a government agency. Grades may be e-mailed to a student's official University e-mail address only after receiving the student's explicit permission.
University departments must re-evaluate their acquisition, use and safeguarding of personal, non-public information for conformance to this policy and University Guidelines for Protecting Personal Non-Public Information at least annually.
Following the discovery of a breach in the security of a system in which unencrypted high risk personal, non-public information may have been accessible, the unit must notify all persons whose personal information might have been acquired by an unauthorized person(s) of the breach of the security of their personal information when computer forensic analysis indicates that there is a reasonable expectation that data has been viewed and/or taken. A computer security breach is any incident in which the security of a computer system is compromised, including theft or loss of a computer or storage device or medium where unauthorized person(s) might have been able to access, copy or read data files on it. It does not include normal business use by authorized employees or University business partners.
Submitted by: Information Technologies