ITS Policy Regarding Storage and Transmission of Personal Identity Information (PII)

The following policies regarding storage and transmission of PII were communicated to the entire ITS Division on behalf of Larry Merkley, Vice Provost for Information Technology, on May 8, 2007:

1. Limit storage of PII to the minimum amount necessary, guided by law and policy.
2. PII should never be downloaded to portable devices such as PDAs or USB drives.
3. PII should be stored on secure servers. If PII must be stored temporarily on a desktop or laptop computer, it must be securely erased on a regular basis (i.e. daily). To learn about secure deletion tools, see the link below.
4. PII should always be transmitted securely. This includes remote access. PII should never be sent in unencrypted email or via unencrypted instant messaging (IM).
5. PII should never be stored on or accessed from a non-University computer.

ITS employees with questions about what constitutes PII, about University security policies, or for information about securely deleting files, are instructed to go to the ITS Security Awareness PII Resources page. Additional information about protecting restricted data, including PII, is available at http://security.ucsc.edu/policies/rd.shtml.

ITS employees are to consult with their supervisor about questions regarding incorporating these practices into their job responsibilities. Questions about policies relating to the protection of PII should be forwarded to the IT Service Manager for Community and Compliance at itpolicy@ucsc.edu or 9-2779.