1.4.3: Personally Identifiable Information
University Policy Regarding Personally Identifiable Information
Employees of Spalding University (including faculty, student workers, graduate assistants, work studies, and staff) shall employ reasonable and appropriate administrative, technical, and physical safeguards to protect the integrity, confidentiality, and security of all Personally Identifiable Information (PII) irrespective of its source or ownership or the medium used to store it. All individuals who dispense, receive, and store PII have responsibilities to safeguard it.
In adopting this policy, the University is guided by the following objectives:
I. To enhance individual privacy for members of the University community through the secure handling of PII and personal identifiers (PIDs);
II. To ensure that all members of the University community understand their obligations and individual responsibilities under this policy by providing appropriate training that will permit the University community to comply with both the letter and the spirit of all applicable privacy legislation;
III. To increase security and management of Social Security numbers (SSNs) by:
A. inculcating broad awareness of the confidential nature of the SSNs;
B. establishing a consistent policy about the use of SSNs throughout the University; and
C. ensuring that access to SSNs for the purpose of conducting University business is granted only to the extent necessary to accomplish a given task or purpose.
IV. To use, throughout the University, a unique Spalding ID number that serves as the primary identification element for persons associated with Spalding and is applicable across the entire campus, reducing reliance on the SSN for identification purposes.
V. To not transmit, process, or store any complete credit card data on any University owned/controlled computers, servers, desktops, laptops, disks, flash drives, or other portable or mobile devices.
Data Trustees are responsible for oversight of personally identifiable information in their respective areas of University operations. Activities of these officials are aligned and integrated through appropriate coordination among these cognizant University officials.
Purpose of this Policy
Spalding University creates, collects, maintains, uses, and transmits personally identifiable information relating to individuals associated with the University including, but not limited to, students, alumni, faculty, administrators, staff, and vendor employees. The University is committed to protecting PII against inappropriate access and use in compliance with applicable laws and regulations in order to maximize trust and integrity.
Scope of this Policy
This policy applies to all members of the University community, including all full- and part-time employees, faculty, students and their parents or guardians, and other individuals such as contractors, consultants, other agents of the community, alumni, and affiliates that are associated with the University or whose work gives them custodial responsibilities for PII.
Policy Definitions
Data Trustees: Data Trustees are University officials who have supervisory, planning and policy-making responsibilities for University data. The Data Trustees, as a group, are responsible for overseeing the establishment of data management policies and procedures and for the assignment of data management accountability.
Minimum Necessary: Minimum Necessary is the standard that defines that the least information and fewest people should be involved to satisfactorily perform a particular function.
Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number or biometric records, alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
Personal Identifier (PID): A PID, a sub-category of PII, is a unique code assigned to or utilized by an individual to identify that individual. PIDs are used primarily, but not exclusively, for the purpose of electronic operations. University identification numbers and user logins are examples of PIDs.
Policy Requirements
1. Data Trustees
The following are the Data Trustees who will administer this policy in their respective areas of University operations. They will resolve the responsibility for the data, if any data elements overlap more than one area.
A. Chief Advancement Officer: Alumni and donors
B. University Registrar: Students
C. Dean of Enrollment Management: Prospective students and applicants
D. Provost: Faculty, Visiting Scholars, Graduate/Research/Teaching Assistants, and research staff
E. Director of Human Resources: Administrators, staff, service employees, and prospective employees
F. Chief Financial Officer: Business Associates, consultants, contractors, and vendors
G. Directors of CBH and CORF: Patients
H. Dean of Students: All information related to campus safety and campus visitors, including members of the public using University resources or attending University events, and information stored in access control and surveillance systems
I. Chief Information Officer: Issuance of the User Login and the security of PII in computer storage and transmission
2. Personally Identifiable Information
A. PII may be released only on a Minimum Necessary basis and only to those individuals who are authorized to use such information as part of their official University duties, subject to the requirements:
(1) that the PII released is narrowly tailored to a specific business requirement;
(2) that the information is kept secure and used only for the specific official University [business] purposes for which authorization was obtained; and
(3) that the PII is not further disclosed or provided to others without proper authorization as defined above.
B. PII may be handled by third parties with the strict requirement that the information be kept secure and used only for a specific official authorized business purpose as defined in a contract or business agreement with that third party.
C. Exceptions to this policy may be made only upon specific requests approved by the University Counsel and Data Trustee for that information as specified in this policy above and only to the degree necessary to achieve the mission and business needs of the University. Any and all exceptions made must be documented, retained securely, and reviewed periodically.
D. Information that has been collected that conforms to the HIPAA standards of deidentification or anonymization is not PII.
3. Government-Issued Personal Identifiers
Social Security Number
(1) Provision of Information
a. Spalding University collects SSNs:
i. when it is required to do so by law;
ii. when no other identifier serves the business purpose; and
iii. when an individual volunteers the SSN as a means of locating or confirming personal records.
b. In other circumstances, individuals are not required to provide their SSN verbally or in writing at any point of service, nor are they to be denied access to those services should they refuse to provide an SSN.
c. SSN collection must be approved by the appropriate campus official (see the Policy section above). When an SSN is requested, Spalding University informs the individual what uses will be made of the SSN and whether the disclosure is voluntary, or, if it is mandatory, by what authority.
(2) Release of SSNs
SSNs will be released by Spalding University to persons or entities outside the University only:
a. as required by law;
b. when permission is granted by the individual; or
c. when the external entity is acting as the University’s authorized contractor or agent and attests that no other methods of identification are available, and reasonable security measures are in place to prevent unauthorized dissemination of SSNs to third parties; or
d. when the Spalding University Counsel has approved the release.
(4) Use, Display, Storage, Retention, and Disposal
a. SSNs or any portion thereof will not be used by Spalding University to identify individuals except as required by law or with approval of a Data Trustee for a University business purpose.
b. The release or posting of personal information, such as grades or occupational listings, keyed by the SSN or any portion thereof, is prohibited, as is placement of the SSN in files with unrestricted access.
c. SSNs will be transmitted electronically only for business purposes approved by the campus officials responsible for SSN oversight and only through secure mechanisms approved by the Chief Information Officer.
d. The Data Trustees who are responsible for SSNs will oversee the establishment of business rules for the use, display, storage, retention, and disposal of any document, item, file, or database which contains SSNs in print or electronic form.
4. Credit Card and Banking Information
A. Spalding University accepts payment by credit card, electronic check and check. Credit Card payments are only processed through payment processors approved by the Chief Financial Officer. Complete credit card numbers are not collected or stored by the University electronically or on paper forms.
B. Credit Card, bank accounts and routing numbers or any portion thereof will not be used by Spalding University to identify individuals except as required by law or with approval of a Data Trustee for a University business purpose.
C. Credit Card, bank accounts and routing numbers or any portion thereof will be transmitted electronically only for business purposes approved by the campus officials responsible for SSN oversight and only through secure mechanisms approved by the Chief Information Officer.
5. Spalding Issued Identifiers
A. University ID Number
(1) Assignment Eligibility and Issuance
a. The Spalding ID is a unique alphanumeric identifier assigned by the University to any member of the University community who requires an identifying number in any University system or record.
b. A Spalding ID is assigned at the earliest possible point of contact between the individual and the University.
c. The Spalding ID is associated permanently and uniquely with the individual to whom it is assigned.
(2) Use, Display, Storage, Retention, and Disposal
a. The Spalding ID is considered PII by the University, to be used only for appropriate business purposes in support of University operations.
b. The Spalding ID is used to identify, track, and serve individuals across all University electronic and paper data systems, applications, and business processes throughout the span of an individual’s association with the University and presence in the University’s systems or records.
c. The Spalding ID is not to be disclosed or displayed publicly by the University, nor to be posted on University electronic information or data systems unless the Spalding ID is protected by access controls that limit access to properly authorized individuals.
d. The Spalding ID is imprinted and encoded on the official University photo identification card known as the Eagle Card. The Eagle Card is the principal means of physical identification at the University, and the use of the Eagle Card by the cardholder, whether by physical display or when swiped at an electronic reader, will constitute a voluntary disclosure of the Spalding ID.
e. The release or posting of personal information keyed by the Spalding ID, such as grades, is prohibited.
f. Any document, item, file, or database that contains Spalding IDs in print or electronic form is to be protected and disposed of in a secure manner.
B. User Login
(1) Assignment Eligibility and Issuance
a. The User Login is a unique alphanumeric identifier assigned by the University to an individual.
b. The User Login is assigned to all persons who may require access to electronic services at the University, including students, faculty, alumni, administrators, staff, service employees, and other individuals (such as contractors, consultants, and affiliates) associated with the University.
c. The User Login is permanently and uniquely associated with the individual to whom it is assigned.
d. The User Login, alone, without a password, will not be used for access to Spalding’s electronic network.
(2) Use, Display, Storage, Retention, and Disposal
a. The User Login is used, in conjunction with an individually set password, as an authenticated identifier for on-line transactions and may be used, in addition to the User Login, to identify and track individuals within the University systems, applications, and business processes.
b. Each member of the University community will be held fully responsible for any activity authorized by that individual’s User Login and password.
c. Under the Family Educational Rights and Privacy Act (FERPA), the User Login may be used as directory information as long as the identifier cannot be used standing alone (i.e., without a password) by unauthorized individuals to obtain sensitive, non-public (i.e., non-directory) information about an individual from education records.
d. The release or posting of personal information keyed by the User Login, such as grades, is prohibited.
C. Local User ID Numbers
In addition to Spalding ID Number and User Logins, Spalding schools and departments may issue other system-unique identifiers. Spalding University follows the Minimum Necessary standard and strives to safeguard these identifiers. An example of this type of identifier is a test ID for Scantron testing or a User Login for a publisher testing website.
6. Other Externally-Assigned Identifiers and Other Personally Identifiable Information
Spalding has access to, collects, and uses various externally-assigned identifiers other than those indicated above in the course of its business operations.
7. Responsibility for Maintenance and Access Control
A. The University User IDs and are maintained and administered by the Spalding Information Technology Department. Other University offices may maintain and administer electronic and physical repositories containing personal identification numbers for uses in accordance with this policy.
B. Access to electronic and physical repositories containing SSNs, Spalding IDs, and User IDs will be controlled based upon reasonable and appropriate administrative, physical, technical, and organizational safeguards.
C. Individuals who inadvertently gain access to a file or database that contains SSNs or UIDs for which they have not been authorized shall report it immediately to the IT Department and/or Campus Safety.
D. The Information Technology Department under the direction of the Chief Information Officer will put into place systems to restrict the distribution of PII by email and to limit storage to University owned and controlled electronic services.
E. The Information Technology Department under the direction of the Chief Information Officer will monitor electronic communications and devices on the University network for PII to prevent inappropriate distribution of PII.
8. Enforcement
Violations of this policy resulting in misuse of, unauthorized access to, or unauthorized disclosure or distribution of personal identification numbers may subject individuals to legal and/or disciplinary action, up to and including the termination of employment or contract with the University, or, in the case of students, suspension or expulsion from the University.
9. GLBA Safeguards Rule
The GLBA Safeguards Rule requires that Spalding University implement safeguards to ensure the security and confidentiality of nonpublic personal information used to deliver a financial product or service. To support compliance with the Safeguards Rule, Spalding University has instituted the following:
- Designated the Director of Information Technology as the employee to coordinate the information security program.
- Perform risk assessments to identify internal and external risks to security, confidentiality, and integrity of customer information. Risk assessment includes, but is not limited to, assessing:
a. employee training and employee access control
b. information systems, including network and software design, as well as storage, transmission and disposal of data and hardware
c. monitoring the campus network and systems to detect, prevent and respond to attacks, intrusions or other systems failures
- Employee information security training. Employees are regularly provided information security training and training materials, and the effectiveness of the program is evaluated regularly.
- Overseeing service providers by taking reasonable steps to select and retain providers capable of maintaining appropriate safeguards of nonpublic information. This includes requiring providers to provide evidence of their information security safeguards annually.
10. This Policy and the related standards shall be reviewed and maintained regularly, but no less than once per year.