
UDaily is produced by the Office of Public Relations
The Academy Building
105 East Main St.
Newark, DE 19716-2701
(302) 831-2791

Seminars address how to protect PNPI

3:34 p.m., Sept. 26, 2005--“Do we really need to collect someone’s Social Security Number (SSN), and, if we have collected it, have we kept it safe?” These were among the main issues raised by Richard Gordon and Ron Nichols, both of IT-User Services, during “Protecting PNPI” (personal nonpublic information) seminars held Aug. 22-23, in 120 Smith Hall.

Attended by 167 individuals from across the campus, the seminars are being held in advance of UD’s Nov. 1 deadline for reviewing every department’s use and storage of sensitive personal nonpublic information materials.

Additional seminars are scheduled for Oct. 5-6 [www.udel.edu/PR/UDaily/2005/mar/pnpi091905.html].

“PNPI is confidential information that would identify individuals and could cause harm to an individual if revealed,” Gordon said. “Social Security Numbers are used today in all sorts of ways that nobody imagined when they were created in the 1930s.”

Besides SSNs, PNPI includes credit card and bank account numbers, medical, financial or educational records and other sensitive, confidential or protected data.

Particularly relevant to educational institutions, Gordon said, are student grades used in context with personally identifiable information such as name, SSN, addresses or other easily traceable identifiers.

During the presentation, available at [www.udel.edu/pnpi/], Nichols said that institutions use SSNs for a variety of reasons, including verifying identity, authenticating passwords and linking data from several sources, including credit reports, bank and credit card accounts and medical records.

Nichols also noted that UD and other colleges and universities nationwide must now comply with state and federal laws governing the safeguarding of personal nonpublic information, including SSNs. These laws include the:

  • Family Educational Rights and Privacy Act (FERPA) [educational records];
  • Gramm-Leach-Bliley Act (GLBA) [financial institution and customer data];
  • Health Insurance Portability and Accountability Act (HIPAA) [health information]; and
  • Delaware House Bill 116 and amendments.

“It’s the law. We have to notify potentially affected users any time our system is compromised, and the possibility exists that personal data could be seen by others,” Nichols said. “UD policy has taken this policy one step further--we now notify people if we even have reason to think that such data may have been compromised.”

Guidelines for the collection and storage of PNPI also are included in UD’s Policies and Procedures Manual under Policy for Responsible Computing [www.udel.edu/ExecVP/polprod/1-14.html] and Departmental Information and Records Management Policies [www.udel.edu/ExecVP/polprod/1-13.html].

Although there are times when departments are required to collect PNPI, including SSNs, Gordon said the University wants those collecting such information to continue to ask themselves if the information is absolutely necessary and to make sure proper safeguards are in place for processing it.

“Our goal is to visit every single department and to make it clear that they understand their responsibilities in this area,” Gordon said. “We also recommend that departments review information published bimonthly on UDaily and that departments and individuals encourage people in other departments to do the same thing.”

What to do

IT-User Services recommendations for dealing with PNPI-related situations include:

  • Always ask if obtaining and storing such information is absolutely necessary;
  • Don’t use SSNs to identify individuals just because your department has always done so;
  • Be sure that a law or a particular government agency actually requires collection of PNPI; and
  • Be sure the information is essential.

Nichols said that alternative methods to identify students are now available on forms used by faculty, including the use of UdelNetIDs instead of SSNs [www.udel.edu/PR/UDaily/2005/mar/PNPI082905.html].

As of mid-September, IT-User Services had visited or scheduled a visit with 180 of 251 UD departments. IT-User Services staff members also are slated to visit the Georgetown and Lewes campuses on Tuesday, Oct. 4.

During these visits IT staff members usually meet with a small group of employees to review departmental methods of processing PNPI. Issues addressed may include:

  • Local v. secure file servers;
  • Proper storage and disposal of paper records;
  • Physical security of servers and paper records;
  • Notification requirements; and
  • Grade information management, including test-scoring and records management.

Departments also are asked to examine paper files and to shred all items not absolutely necessary, while securing all remaining PNPI materials. The same security precautions are recommended for electronic documents, Gordon said.

“If you feel that you have to have these records, make sure they are locked up and that the employees who deal with these materials know what their responsibilities are,” Gordon said. “We need to take this seriously. It is the responsibility of every employee to make sure that all PNPI is protected.”

Article by Jerry Rhodes
