Protecting Personal Non-Public Information

Introduction: University departments must act
Importance of protecting SSNs and other PNPI
Guidelines for protecting PNPI
PNPI software tools
For more information

Related Information
Encrypt Sensitive Data
UD's Gramm-Leach-Bliley Act Information Security Program "Tips from the federal government and the technology industry"

Questions or comments
Copyright © 2005-2008, University of Delaware
Last updated: 2/8/08

Federal laws and regulations govern the safeguarding of personal, non-public information (PNPI), such as Social Security Numbers (SSNs). The

  • Family Educational Rights and Privacy Act (FERPA) [educational records],
  • Gramm-Leach-Bliley Act (GLBA) [financial institution and customer data], and
  • Health Insurance Portability and Accountability Act (HIPAA) [health information]
all require those who collect PNPI to follow strict guidelines. Protecting information is important because of identity theft.

At the University of Delaware, all departments must reduce their reliance on SSNs, using alternative forms of identifying students, clients, employees, and faculty whenever possible. Further, all University departments should follow good practices in safeguarding all personal non-public information (PNPI). Examples of PNPI include, but are not limited to:

  • SSNs
  • Credit card or bank account numbers
  • Medical or educational records
  • Other sensitive, confidential or protected data (e.g., grades used in context with personally identifiable information such as name, address, or other easily traceable identifiers).

Every employee of every University department must work to help the University meet the requirements imposed by FERPA, GLBA, HIPAA and other laws to protect the privacy of personal information in our care.

University Departments Must Act

The first step is for each department to re-examine its use of and storage practices regarding all PNPI, including SSNs. Departments should review their processes for using PNPI annually:
  • "Why are we acquiring SSNs?"
  • "How are we storing any SSNs we do acquire?"
  • "How are we protecting the SSNs that we acquire?"
  • "What can we do to train our faculty and staff in the proper use and management of personal non-public information (PNPI) like SSNs, credit card numbers, and other confidential information?"
  • "Who has access to SSNs in our department, and do they still need the access?"

In addition if you are asked to provide a SSN (either your own, another employee's, a student's, a family member's SSN), challenge the request.

University Guidelines for Protecting PNPI

The University has developed Guidelines for Protecting Personal Non-Public Information (PNPI). In addition to containing general information, the University guidelines offer the following advice:
  • Ensure the Privacy of PNPI.
  • Encrypt Electronic Transmissions.
  • Do Not Store PNPI Locally.
  • Ensure PNPI Security When Working from Home or Outside the University.
  • Have Computer Equipment Audited.