|
|
Seminars address how to protect PNPI 3:34 p.m., Sept. 26, 2005--Do we really need to collect someones Social Security Number (SSN), and, if we have collected it, have we kept it safe? These were among the main issues raised by Richard Gordon and Ron Nichols, both of IT-User Services, during Protecting PNPI (personal nonpublic information) seminars held Aug. 22-23, in 120 Smith Hall. Attended by 167 individuals from across the campus, the seminars are being held in advance of UDs Nov. 1 deadline for reviewing every departments use and storage of sensitive personal nonpublic information materials. Additional seminars are scheduled for Oct. 5-6 [www.udel.edu/PR/UDaily/2005/mar/pnpi091905.html]. PNPI is confidential information that would identify individuals and could cause harm to an individual if revealed, Gordon said. Social Security Numbers are used today in all sorts of ways that nobody imagined when they were created in the 1930s. Besides SSNs, PNPI includes credit card and bank account numbers, medical, financial or educational records and other sensitive, confidential or protected data. Particularly relevant to educational institutions, Gordon said, are student grades used in context with personally identifiable information such as name, SSN, addresses or other easily traceable identifiers. During the presentation, available at [www.udel.edu/pnpi/], Nichols said that institutions use SSNs for a variety of reasons, including verifying identity, authenticating passwords and linking data from several sources, including credit reports, bank and credit card accounts and medical records. Nichols also noted that UD and other colleges and universities nationwide must now comply with state and federal laws governing the safeguarding of personal nonpublic information, including SSNs. These laws include the:
Its the law. We have to notify potentially affected users any time our system is compromised, and the possibility exists that personal data could be seen by others, Nichols said. UD policy has taken this policy one step further--we now notify people if we even have reason to think that such data may have been compromised. Guidelines for the collection and storage of PNPI also are included in UDs Policies and Procedures Manual under Policy for Responsible Computing [www.udel.edu/ExecVP/polprod/1-14.html] and Although there are times when departments are required to collect PNPI, including SSNs, Gordon said the University wants those collecting such information to continue to ask themselves if the information is absolutely necessary and to make sure proper safeguards are in place for processing it. Our goal is to visit every single department and to make it clear that they understand their responsibilities in this area, Gordon said. We also recommend that departments review information published bimonthly on UDaily and that departments and individuals encourage people in other departments to do the same thing. What to do IT-User Services recommendations for dealing with PNPI-related situation include:
Nichols said that alternative methods to identify students are now available on forms used by faculty, including the use of UdelNetIDs instead of SSNs [www.udel.edu/PR/UDaily/2005/mar/PNPI082905.html]. As of mid-September, It-User Services had visited or scheduled a visit with 180 of 251 UD departments. IT-User Services staff members also are slated to visit the Georgetown and Lewes campuses on Tuesday, Oct. 4. During these visits IT staff members usually meet with a small group of employees to review departmental methods of processing PNPI. Issues addressed may include:
Departments also are asked to go examine paper files and to shred all items not absolutely necessary, while securing all remaining PNPI materials. The same security precautions are recommended for electronic documents, Gordon said. If you feel that you have to have these records, make sure they are locked up and that the employees who deal with these materials know what their responsibilities are, Gordon said. We need to take this seriously. It is the responsibility of every employee to make sure that all PNPI is protected. Article by Jerry Rhodes To learn how to subscribe to UDaily, click here. |