Files

Private Information Handling Quick Reference Table

Private Information Handling Quick Reference Table

Updated 8/14/12

This table provides recommendations on the correct handling of private information at RIT.

New York State defines private information (PI) as any personal information concerning a natural person combined with one or more of the following data elements: Social Security number, driver's license number, account number, or credit or debit card number in combination with any required security code.

Digital Self Defense 103 - Information Handling fulfills the training requirement for handling RIT Private or Confidential Information.

Consult the Identity Finder End User Guide for Windows or Mac for more information.

Situation

Identity Finder Instructions (Preferred)

General Instructions (Use if Identity Finder is NOT available)

I no longer need the files containing the private information

Delete the files using the "Shred" command. This can be done from within the Identity Finder interactive scan report or by right-clicking on the file or folder and choosing "Identity Finder/Shred." If you are unable to delete the file, contact your help desk.

Delete the files securely. Use a secure file deletion utility such as Eraser. Contact your campus support organization or the RIT Information Security Office at infosec@rit.edu for recommended products.

I need to keep the files, but I don't need the private information

Sanitize the information by using the "Scrub" command. This can be done from within the Identity Finder interactive scan report. Identity Finder will replace the Private Information with x's. Note that this option is not available for all file types.

Sanitize the documents by deleting any private information such as Social Security Numbers (SSNs) or credit card numbers. Save a new copy of the sanitized document and delete the original file.

I need to continue to have a unique identifier for each individual

Sanitize the information by using the "Scrub" command. This can be done from within the Identity Finder interactive scan report. Identity Finder will replace the Private Information with x's. Open the file and replace the x's with unique identifiers not based on the SSN.

Sanitize the documents by eliminating the private information. Convert SSNs to University Identification Numbers (UIDs).

 

Situation

General Instructions for Handling Private Information

I need to keep the complete files containing the private information

Unnecessary possession of Private information should be eliminated.

  • There must be a business need to store this information and the system storing the information must meet all applicable RIT security standards (e.g., Desktop and Portable Computer Security Standard, Server Security Standard, etc.). In general, an RIT employee has a legitimate purpose for having access to the social security numbers of another individual when such number is required for:
    • tax or billing purposes
    • credit authorizations
    • background checks
    • in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's social security number.
 

In addition, SSNs shall be maintained when required by either court order, subpoena, or by direction of the Office of Legal Affairs.

  • Consider encrypting the files.
  • Do not store the encryption key or password on the computer or drive containing the encrypted information.
  • Minimize the amount of records stored locally on a desktop or laptop computer by storing the information on an RIT file server.
  • Inform your manager and your Information Steward/Management Representative of the need to retain Private information.
 

Contact your help desk or the RIT Information Security Office for more recommended practices.

I need to carry the files on a portable computer, device, or media (e.g., Laptops, Flash Drives, CD/DVDs, smartphones)

Unnecessary possession of Private information should be eliminated.

  • Storage or conveyance of Private Information on portable devices or media is strongly discouraged.
  • Minimize the amount of records stored on portable devices or media by storing the information on an RIT file server.
  • There must be a business need to store this information and the system storing the information must meet all applicable RIT security standards (e.g., Desktop and Portable Computer Security Standard, Server Security Standard, etc.). In general, an RIT employee has a legitimate purpose for having access to the social security numbers of another individual when such number is required for:
    • tax or billing purposes
    • credit authorizations
    • background checks
    • in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's social security number.
 

In addition, SSNs shall be maintained when required by either court order, subpoena, or by direction of the Office of Legal Affairs.

  • Private information (and RIT Confidential information) stored or transported on portable media must be encrypted.
  • Do not store the encryption key or password on the media containing the encrypted information.
  • If you are storing or transporting the private information on a portable computer, contact your help desk for encryption options.
  • Protect the private information from unauthorized use or theft.
 

Inform your manager and your Information Steward/Management Representative of the need to retain Private information.

I no longer need the portable media or hard drive, how do I dispose of them securely?

The RIT Information Security Office provides the following secure disposal recommendations:

  • Erase magnetic media (hard drives, LS120 media, old Zip/Jazz Cartridges, magnetic tapes) with a degausser.
    NOTE: the media may not be usable after degaussing.
  • CD/DVDs can be shredded in a media shredder.
 

A degausser and media shredder are available at the ITS HelpDesk in Booth 07B.

 

Document Destruction

Document Destruction

Updated January 31, 2013

Why Have Document Destruction Activities?

Document Destruction Activities provide a focused opportunity for RIT faculty and staff to archive securely or dispose of hard copy records that contain private information. Private Information includes financial account numbers, social security numbers, driver’s license numbers and other information that can be used in identity theft. Participation in this activity will enable RIT to secure Private Information that could otherwise be used to facilitate identity theft. Document Destruction Activities are part of the RIT Private Information Management Initiative, but they are managed by your department.  We encourage all departments to schedule Document Destruction Activities.

Why are Document Destruction Activities so important?

With its concentration of student records and private information, Higher Education is often targeted by attackers hoping to harvest private information for use in identity theft.  In addition, careless storage or loss of records often leads to data breaches that require compliance with various state and federal laws requiring notification of affected consumers. For example, DataLoss DB (http://datalossdb.org/) indicates that almost 25% of breaches have been due to the inadvertent loss of private information, in both hardcopy and digital formats.  

Participation in Document Destruction Activities will reduce the likelihood for the RIT community to have their personal information fall victim to malicious attacks or loss. This activity will also provide an opportunity for faculty and staff to adhere to the RIT Records Management Policy (C22.0).  Any questions regarding the appropriate retention period can be addressed to the RIT Office of Legal Affairs.

When are my Document Destruction Activities?

Contact your Private Information Management Initiative representative to find out what activities are being planned in your college or division for document destruction.

What do I need to do for my Document Destruction Activities?

It is important that you keep track of any documents that may leave another person susceptible to identity theft attacks. In preparation for your department’s Document Destruction Activities, please review the files in your office to ensure that you have not retained any private information that is not critical to your current work. Take this opportunity to review files and dispose of them in accordance with the RIT Records Management Policy (C22.0).

We encourage you to review your files now and dispose of those containing Private Information securey. Ensure that any RIT files in your home do not contain any private information.

How do I dispose of portable media and hardcopy documents containing Private Information securely?

Visit our Information Disposal page for recommendations.

What if I have questions?

Contact your division or college's PIMI representative

Subscribe to RSS - Files