Permitted Use, Storage, and Transmission of Personally Identifiable Information (PII)- Standard

Purpose

This Standard supports and supplements the University of Central Oklahoma's Privacy Policy. The standard is mandatory and enforced in the same manner as policy. It will be periodically reviewed and updated as necessary to meet changes in legal and regulatory requirements.

This Standard provides additional requirements related to the University of Central Oklahoma's ("University" or "UCO") Privacy Policy and Information Security Policy with regards to the appropriate use and confidentiality of specific data elements maintained by the University and defined by the Privacy Policy as Personally Identifiable Information (PII), to include, for the purposes of this Standard, the following: Social Security Numbers (SSNs), credit/debit card numbers, bank account numbers, Driver's License numbers, UCO/student/banner ID numbers, state or federal government ID numbers, biometric data, protected health information, or any combination of information which can be used to distinguish or trace the identity of an individual.

Scope

This Standard applies to:

  1. All divisions, colleges and units established by the University that exercise any information technology (IT) function relating to the mission of the University, except for those specifically exempted in writing by the senior leadership of the University (as defined in the Information Security Policy).

  2. University computer and telecommunications systems; faculty, staff, and students; academic and administrative units; affiliated entities, agents, contractors, and volunteers of the University; members of the community who use and/or administer such systems; and any information system or system asset (as defined in the Information Security Policy) that connects directly or indirectly to any University owned, leased, contracted, or operated computer or telecommunication system.

Standard Details

MINIMIZING USE AND STORAGE OF PII:

All members of the UCO community are responsible for minimizing the use and storage of all PII. The risk of unauthorized disclosure of, or access to, PII increases with the amount of information retained. All members of the UCO community are responsible for ensuring that the number and scope of physical and electronic copies and repositories of PII are kept to the minimum necessary to accomplish the University's business needs. PII must be retained only for as long as a valid UCO business need for the information exists, and in no case beyond the retention period defined by the University.

PERMITTED USE OF PII WITHIN UCO:

  1. Only individuals within UCO who are permitted under law, regulations, and University Policies and who have a legitimate business need to accomplish the University's mission are authorized to access, use, transmit, handle, retain, or receive PII. This authorization only extends to the specific PII for which the relevant University employee has a legitimate business need for the purposes of performing his or her UCO job duties.

PERMITTED DISCLOSURES OF PII TO THIRD PARTIES:

  1. UCO may release PII to third parties only as permitted by law, regulation, and University Policy. Third party contractors to whom UCO is disclosing PII must be bound by agreements with appropriate safeguards and use provisions, as specified in UCO's Privacy Policy and other University policies as appropriate.

AUTHORIZED STORAGE OF PII:

  1. PII may only be collected, retained, and/or disclosed as permitted by applicable laws and regulations, and University Policies, Guidelines, and Standards, and only in furtherance of legitimate University business.

  2. Unless a specific business need exists to collect, maintain, and store information containing PII, it is prohibited for any University entity or Data Owner or Data Steward to store PII. This prohibition includes, but is not limited to, the creation of electronic databases, electronic reports, internal spreadsheets or other documentation that contain PII outside of University approved applications and without implementation of the required security controls as defined in the Information Security Policy and corresponding Standards. Information defined by the University as PII must be secured at the RESTRICTED classification.

SECURE TRANSMITTAL OF PII:

  1. Data Owners and Data Stewards that collect and retain PII must implement the appropriate and required security controls to protect this information, as defined in the Information Security Policy, Data Classification Policy, other applicable University policies, and their corresponding Standards. Proper security controls include, but are not limited to, locking filing cabinets and offices, password-protected electronic files, and electronic encryption measures.

  2. PII is prohibited from being transmitted electronically (by e-mail or otherwise) unless such information is encrypted.

PROPER DISPOSAL OF PII:

  1. All PII must be destroyed and rendered unreadable prior to disposal. Proper methods of disposal include, but are not limited to, shredding papers and securely wiping electronic files.

PII PRIVACY BREACHES:

  1. If, at any time, any individual or unit suspects or confirms that any PII maintained by the University has been subject to unauthorized access and/or disclosure, the incident must be immediately reported to the Service Desk by calling (405) 974-2255 or by submitting a ticket. You can also notify INFOSEC via email at security@uco.edu.

PRIVACY IMPACT ASSESSMENTS:

  1. Privacy Impact Assessments (PIAs) will be administered and tracked by the Privacy Office for units, departments, and individuals who collect, use, share, and maintain/store PII. These assessments will assist Data Owners in consciously incorporating privacy protections throughout the development life cycle of a system or program/project, and they will assist in the identification, minimization, and remediation of privacy risks.

Standard Violations

  1. Failure to comply with this Standard or other University policies will result in disciplinary action, up to and including termination of employment and/or enrollment. All persons to whom this Standard applies, as stated above, are responsible for adhering to these rules.

  2. All supervisory personnel are responsible for ensuring that this Standard is adhered to within their respective areas of responsibility. Any user may report University policy or law violations to their immediate supervisor, representative faculty or school personnel, or by using EthicsPoint.

Change Log

Version    Date    New    Original

Approvals

Approved By    Date                Description
Jeff Miller    February 9, 2023    Initial Policy Release