Private Information Handling Quick Reference

PRIVATE INFORMATION HANDLING QUICK REFERENCE TABLE

This table provides recommendations on the correct handling of Private Information at RIT.

New York State defines Private Information (PI) as any personal information concerning a natural person combined with one or more of the following data elements: Social Security number, driver's license number, account number, or credit or debit card number in combination with any required security code.

Digital Self Defense 103 - Information Handling fulfills the training requirement for handling RIT Private or Confidential Information.

Consult the Spirion (Formerly Identity Finder) End User Guide for Windows or Mac for more information.

Situation

Spirion Instructions (Preferred)

General Instructions (Use if Spirion is NOT available)

I no longer need the files containing the Private Information

Delete the files using the "Shred" command. This can be done from within the Spirion interactive scan report or by right-clicking on the file or folder and choosing "Spirion/Shred." If you are unable to delete the file, contact your help desk.

Delete the files securely. Use a secure file deletion utility such as Eraser. Contact your systems administrator or the RIT Service Center for recommended products.

I need to keep the files, but I don't need the Private Information

Sanitize the information by using the "Scrub" command. This can be done from within the Spirion interactive scan report. Spirion will replace the Private Information with x's. Note that this option is not available for all file types.

Sanitize the documents by deleting any Private Information such as Social Security Numbers (SSNs) or credit card numbers. Save a new copy of the sanitized document and delete the original file.

I need to continue to have a unique identifier for each individual

Sanitize the information by using the "Scrub" command. This can be done from within the Spirion interactive scan report. Spirion will replace the Private Information with x's. Open the file and replace the x's with unique identifiers not based on the SSN.

Sanitize the documents by eliminating the Private Information. Convert SSNs to University Identification Numbers (UIDs).

Situation

General Instructions for Handling Private Information

I need to keep the complete files containing the Private Information

Unnecessary possession of Private Information should be eliminated.

  • There must be a business need to store this information and the system storing the information must meet all applicable RIT security standards (e.g., Desktop and Portable Computer Security Standard, Server Security Standard, etc.). In general, an RIT employee has a legitimate purpose for having access to the social security numbers of another individual when such number is required for:
    • tax or billing purposes
    • credit authorizations
    • background checks
    • in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's social security number.

 

In addition, SSNs shall be maintained when required by either court order, subpoena, or by direction of the Office of Legal Affairs.

  • Consider encrypting the files.
  • Do not store the encryption key or password on the computer or drive containing the encrypted information.
  • Minimize the amount of records stored locally on a desktop or laptop computer by storing the information on an RIT file server.
  • Inform your manager and your Information Steward/Management Representative of the need to retain Private Information.

 

Contact the RIT Service Center or the RIT Information Security Office for more recommended practices.

I need to carry the files on a portable computer, device, or media (e.g., Laptops, Flash Drives, CD/DVDs, smartphones)

Unnecessary possession of Private Information should be eliminated.

  • Storage or conveyance of Private Information on portable devices or media is strongly discouraged.
  • Minimize the amount of records stored on portable devices or media by storing the information on an RIT file server.
  • There must be a business need to store this information and the system storing the information must meet all applicable RIT security standards (e.g., Desktop and Portable Computer Security Standard, Server Security Standard, etc.). In general, an RIT employee has a legitimate purpose for having access to the social security numbers of another individual when such number is required for:
    • tax or billing purposes
    • credit authorizations
    • background checks
    • in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's social security number.

 

In addition, SSNs shall be maintained when required by either court order, subpoena, or by direction of the Office of Legal Affairs.

  • Private Information (and RIT Confidential information) stored or transported on portable media must be encrypted.
  • Do not store the encryption key or password on the media containing the encrypted information.
  • If you are storing or transporting the Private Information on a portable computer, contact your help desk for encryption options.
  • Protect the Private Information from unauthorized use or theft.

 

Inform your manager and your Information Steward/Management Representative of the need to retain Private Information.

I no longer need the portable media or hard drive, how do I dispose of them securely?

The RIT Information Security Office provides the following secure disposal recommendations:

  • Erase magnetic media (hard drives, LS120 media, old Zip/Jazz Cartridges, magnetic tapes) with a degausser.
    NOTE: the media may not be usable after degaussing.
  • CD/DVDs can be shredded in a media shredder.

 

A degausser and media shredder are available at the RIT Service Center in Booth 07B.