FAQs about Personally Identifiable Information (PII)

1. My department is hosting a web site that contains confidential PII: names, majors, and various educational records. How can I restrict access to select individuals?

Websites hosting confidential PII pose a high degree of risk, and must be rigorously secured against unauthorized access and disclosure using UD’s recommended security best practices and centralized identity management.

Use CAS to identify and authenticate authorized site visitors. Carefully consider whether the operational requirements of your unit can be met by other means that are less visible to the Internet community such as private shared file systems.

2. Is it OK to send confidential PII, such as grades, via e-mail?

Confidential PII should not be sent in regular email because of the risk of unauthorized access and disclosure. While in transit, email can be intercepted and the contents disclosed to unauthorized persons. Also, if emailed to a wrong address, the information is irretrievable. Even if the email reaches its intended destination without a breach, the recipient may retain the confidential PII in their email system where it will be at risk for disclosure if their PC or email account is compromised.

Before sending confidential PII via email, it should be contained in an encrypted file. The password needed to decrypt the file should be sent separately, so that the information is protected even if one of the emails is intercepted or sent to the wrong address.

3. Is it OK to store confidential PII in the cloud?

Storing confidential PII in the cloud—including Google Apps @UDel.edu—poses a high degree of risk of unauthorized access and disclosure, and therefore must be secured using the required protection methods, including encryption.

If using an external cloud service, it must be governed by a contract that is negotiated between the University and the provider. The contract must include terms and conditions to address all privacy and security requirements, and should include periodic due diligence of the cloud provider’s privacy and security safeguards. Carefully consider whether the operational requirements of your unit can be met by other means that are less visible to the Internet community.

4. Is it OK to store high-risk confidential PII in the cloud?

Storing high-risk confidential PII such as SSNs and credit card numbers in the cloud poses a high degree of risk of unauthorized access and disclosure. Unencrypted high-risk PII must never be stored in Google Apps @UDel.edu. Whenever possible, centrally administered systems must be used to retrieve, process, or store high-risk PII.

High-risk confidential PII stored in the cloud must be secured using the required protection methods, including encryption. If using an external cloud service, it must be governed by a contract that is negotiated between the University and the provider. The contract must include terms and conditions to address all privacy and security requirements, and should include periodic due diligence of the cloud provider’s privacy and security safeguards.

5. How should I store confidential PII?

High-risk PII should not be stored on shared file systems in your unit. If you have confidential high-risk personally identifiable academic, financial, or health information on a system or shared file system in your unit, it must be encrypted, and you must safeguard it from unauthorized disclosure, alteration, and destruction in accordance with the minimum UD protection requirements and best practices.

University departments must re-evaluate their acquisition, use, and safeguarding of high-risk PII and conform to these guidelines at least annually. Carefully consider whether the operational requirements of your unit can be met by other means that are less visible to the Internet community.
6. What are the requirements for safeguarding confidential PII when stored?

Confidential PII must be secured using required protections including encryption if it is stored on a system not administered by central IT. Storing unencrypted confidential PII on any non-UD IT administered service or device is a violation of University policy.  Examples include, but are not limited to, desktop computers, laptops, tablets, cell phones, flash drives or any other personal computing device, cloud service or storage media. Accessing confidential PII on mobile devices or personal computers is strongly discouraged.

Always follow UD’s best practices to ensure UD information in your care remains private and secure.

7. My department's operational requirements dictate that certain confidential PII be temporarily stored on my personal computer, and longer term in a departmental drive/folder/server I share with others. How do we encrypt it?

You can use whole-disk encryption or encrypt individual files.  Please consult the IT Support Center pages on encryption or contact the IT Support Center for assistance.

8. What are the safeguarding requirements when sending confidential PII?

Confidential PII must be in an encrypted file before sending the information via email or any other method over the Internet (e.g., UD Dropbox). The decryption password must be sent separately.

Learn about encryption tools recommended by the University, and always follow UD’s best practices to ensure UD information in your care remains private and secure.
9. How can I access confidential PII securely?

Secure (encrypted, certificate-based) access must be used when accessing confidential PII. Some of the University supported methods include:

  • Secure file transfer protocol (SFTP)
  • Secure shell (SSH)
  • Use the UDel Secure wireless network instead of UDel.
  • Use UD’s virtual private network (VPN) to access restricted materials on a Mac or Windows operating system (OS).
  • Only use sites with https in the URL rather than http.
10. Can I work from home?

Accessing confidential PII on personal devices including your desktop or laptop at home poses a high degree of risk. If you need to access University information offsite make sure you are using UD’s virtual private network (VPN) to encrypt it from campus to your personal computer (PC) at home.

Confidential PII must be contained in an encrypted file or on a PC with whole disc encryption. If you need to electronically send confidential PII, make sure it is in an encrypted file. The decryption password must be sent separately.

11. What are the requirements for disposing of unserviceable PCs, laptops, hard drives or other equipment containing digital University information?

University policy requires that University information in unserviceable (junked) equipment be completely destroyed using approved protocols. University information must be completely destroyed by sanitizing the electronic storage media or certified secure destruction of the storage media or equipment.

If possible, junked equipment must be moved to the General Services building for secure certified recycling.

12. What are the requirements for disposing of surplus PCs, laptops, hard drives or other equipment that contain digital University media?

University policy requires that digital media (e.g., hard drives, flash drives, etc.) be sanitized of all University information if they are to be reused by a non-University entity or another University department that has no need to know the University information.

13. What are the requirements for disposing of confidential PII that is no longer needed on my PC, laptop, hard drive, or other equipment?
Subject to the University’s Records Retention Program and your department’s information and records management policies, confidential PII that is no longer needed must be deleted. Physical documents containing confidential PII must be shredded or destroyed beyond recognition or reconstruction.
14. How can I tell if SSNs or Credit Card numbers or other high-risk confidential information is stored on a system?

Cornell Spider is a recommended tool for securely finding confidential PII on your computer. It is able to search your laptop, desktop PC, website, hard drive, and other equipment, providing a list of files that may contain confidential PII.

15. How do I dispose of physical PII, such as paper records?

University policy requires that physical documents containing confidential PII must be shredded or destroyed beyond recognition or reconstruction.

16. How can I tell if a web site I am using is encrypted?

The web site URL should begin with https. Many browsers, for example, Mozilla, have an icon representing a lock at the lower right of the browser window. If you are unsure about the authenticity of the site, you can double-click the lock icon and review the certificate information.

17. How should I store and protect grades?

Grades can be securely recorded, maintained, and stored on any of the two UD-approved content managment systems; Sakai or Canvas. If you do not use Sakai or Canvas, or if you keep records of grades on your personal computer or unit computer, the file(s) containing the grades must be encrypted.


If you have comments or suggestions about this Web page or see any errors, contact the IT Communication Group.