510 likes | 992 Views
Awareness - Protecting our Data. Personally Identifiable Information (PII). Learning Goals:. Ability to Identify Personally Identifiable Information (PII). Determine the difference between Non-Sensitive PII and Sensitive PII. Why we need to protect PII.
E N D
Awareness - Protecting our Data Personally Identifiable Information (PII)
Learning Goals: • Ability to Identify Personally Identifiable Information (PII). • Determine the difference between Non-Sensitive PII and Sensitive PII. • Why we need to protect PII. • Know What PII we have and Where PII exists. • Individual actions to protect PII. • Sensitive PII you always need to protect • Rules of Thumb • Situations
Learning Goals: Goal 1 • Ability to Identify Personally Identifiable Information (PII). • Determine the difference between Non-Sensitive PII and Sensitive PII. • Why we need to protect PII. • Know What PII we have and Where PII exists. • Individual actions to protect PII. • Sensitive PII you always need to protect • Rules of Thumb • Situations
Personally Identifiable Information (PII) Basic Definition • Information used to identify who an individual is. Can you think of what kind of PII you may have on yourself right now? Possibly a … • Business Card • Driver’s License • Credit/Debit Card • Medical Insurance Card
Definition of PII - Distinguish and Trace Any information that can be used to Distinguish or Trace an individual, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records (fingerprints, retina scan, image etc.). Distinguish - is to identify an individual. Trace - is to process sufficient information to make a determination about a specific aspect of an individual‘s activities or status. Just like how a detective can identify someone by clues.
Definition of PII -Linked and Linkable • Individual information that is logically associated with other data to the individual.Example: Combining information from the same application database i.e. linking student address information with student test score information by student number. Information that identifies a person through combining data is called Linked or Linkable, such as medical, educational, financial, and employment information. Linkable Linked • Information collected from many unrelated sources. Example: Combining enough information collected from a spreadsheet, public website and application database to determine an individual student.
Learning Goals: Goal 2 • Ability to Identify Personally Identifiable Information (PII). • Determine the difference between Non-Sensitive PII and Sensitive PII. • Why we need to protect PII. • Know What PII we have and Where PII exists. • Individual actions to protect PII. • Sensitive PII you always need to protect • Rules of Thumb • Situations
Types of PII • Some • Not all Personally Identifiable Information should be treated the same. • Some personal information if lost, compromised, or disclosed without authorization can be used to cause harm by: • Embarrassment, identity theft or blackmail to the individual. • Financial losses, opportunity loss, or loss of public reputation for an organization.
Non-Sensitive PII • Personally Identifiable Information that can be shared without concern is considered non-sensitive and can be shared publically. Examples: • Directory Information listed on a public website • Your Business Card • Public Phone Book • Name Tag
Sensitive PII (SPII) • Personally Identifiable Information that can cause harm to an individual or organization is sensitive information and cannot be shared or viewed with anyone unless the person receiving the information has a legitimate purpose to know. Examples: • Social Security Number • Bank Account Number • Passport Number • Drivers License or State Id
Personally Identifiable Information (PII) – Context Some PII can be considered non-sensitive or sensitive based on the context of how the data is used or reported. For example: In both situations below, we have PII of a student’s first name and last name. Depending on how the data is used or reported the data will be either non-sensitive or sensitive. • A student directory on a public website. Sensitive Non-sensitive • A report listing students with a disability.
Learning Goals: Goal 3 • Ability to Identify Personally Identifiable Information (PII). • Determine the difference between Non-Sensitive PII and Sensitive PII. • Why we need to protect PII. • Know What PII we have and Where PII exists. • Individual actions to protect PII. • Sensitive PII you always need to protect • Rules of Thumb • Situations
Why we Protect PII Okay, I know there is PII around our workplace, but why should I care? Federal Laws – Student Records - FERPA, Health Records - HIPAA, Individuals with Disabilities - IDEA, National School Lunch Act. Wisconsin State Statutes – General Duties of Public Officials – Personal Information Practices Chapter 19 subchapter IV, Cooperative research on education programs; statewide student data system s. 115.297, Teachers Certificates and Licenses s. 118.19(1) and (10), Public School Pupil Records s. 118.125, s.118.126, s.118.127, s118.169.
Why we Protect PII Continued … • 3. Department of Public Instruction Policy – Employee Work Rules and Code of Ethics 3.105, Medical Information 3.205, Acceptable Use of Technology 4.105, Student Data Access 4.300, Confidentiality of Individual Pupil Data and Data Redaction (Screening) 4.315. 4. Ethically. When you possess other individual’s personal information you are obligated to handle the information as it is your own so you will not cause harm to the individual or the organization you work for.
Learning Goals: Goal 4 • Ability to Identify Personally Identifiable Information (PII). • Determine the difference between Non-Sensitive PII and Sensitive PII. • Why we need to protect PII. • Know What PII we have and Where PII exists. • Individual actions to protect PII. • Sensitive PII you always need to protect • Rules of Thumb • Situations
PII In our Work Now that we understand . . . The definition of Personally Identifiable Information (PII). The different types of PII (sensitive and non-sensitive). Our duty to handle PII safely. • What kind of PII and SPII do we have? • Where can we find PII and SPII in my work?
PII In our Work • PII and Sensitive PII are used everyday as we perform our work activities. • Can you think of what PII and SPII is in your work environment? • Can you think of where PII and SPII is located in your work environment?
What kind of PII do we find in our Workplace? • Financial • Bank Account Numbers • Tax Ids • Credit / Debit Card • Educator • Social Security Number • License Number • Fingerprints • Student • Wisconsin Student Number • Economically Disadvantaged Status • Primary Disability • Human Resources • Health Information • Applications • State ID Badge
PII In our Workplace Where can we find PII and Sensitive PII (SPII) in our workplace? • Common Use Areas • Copiers • Fax Machines • Network Printers • Phone • Meetings (formal or informal) • Projectors • Filing Cabinets • Break Room • Work Area • Computer Applications • PC, Laptop, Tablet, PDA • Network file server • Email and Instant Messages • Meetings • Phone (cell or landline) • Filing Cabinets and File Folders • Media (flash drive, disk, etc) • On top of desk
PII Outside Our Workplace Sometimes work PII and Sensitive PII (SPII) is taken outside our work place. • Places where work PII and Sensitive PII can be found outside work. • At Home, Conference, Hotel, Meeting Room • Vehicle, Bus, Taxi or Plane • Briefcase, Purse, Backpack • Laptop, Tablet, PDA, Phone • Removable Media
Learning Goals: Goal 5a • Ability to Identify Personally Identifiable Information (PII). • Determine the difference between Non-Sensitive PII and Sensitive PII. • Why we need to protect PII. • Know What PII we have and Where PII exists. • Individual actions to protect PII. • Sensitive PII you always need to protect • Rules of Thumb • Situations
List of PII that always is Sensitive • Student Data • Wisconsin Student Number (WSN) • Attendance • Habitual Truancy • Suspension • Expulsion • Dropout • Course-Taking • Retention • Test Results (WKCE, AP, ACT, AA-SwD, ACCESS, etc.) • Primary Disability Category • Migrant Status • Homeless Status • English Language Proficiency Level • Educational Environment • Free and Reduced Lunch Eligibility Status • General Data • Social Security Number • Driver’s License or State ID Card • Passport Number • DNA Profile • Biometric Identifiers (x-ray, retinal scan fingerprints, etc.) • Medical Information • Authentication Information (passwords and information to re-enable passwords) • Financial Information (bank account, credit / debit card, etc.) • Sensitive context where PII data is used (queried or reported)
Learning Goals: Goal 5b • Ability to Identify Personally Identifiable Information (PII). • Determine the difference between Non-Sensitive PII and Sensitive PII. • Drivers to why we need to protect PII. • Know where PII exists. • Individual actions to protect PII. • Sensitive PII you always need to protect • Rules of Thumb • Situations
Protecting PII – Rules of Thumb It is everyone’s responsibility to protect Sensitive Personally Identifiable Information of others. Listed on the next few slides are “Rules of Thumb” with actions bolded each of us need to take. • Apply the “Golden Rule” - Treat other individual’s Sensitive PII as if it is your own. • Example: You probably would not put your personal Debit Card and Social Security Card on your desk and leave for the day. • If you identify a data breach of Sensitive PII, report it to your Supervisor and Help Desk immediately. • When reporting a data breach do not send the breached information in email. This will only proliferate the breach.
Protecting PII – Rules of Thumb Continued . . . • Whenever possible, minimize the duplication and dissemination of electronic files and papers containing Sensitive PII. • As a best practice, every request you make for Sensitive PII outside the organization should be accompanied by a reminder of how to properly secure the information. This will limit unnecessary dissemination of individual’s personal data, and will also allow the sender to be aware of what information is being collected, and purpose for collecting the information. A sample accompanying note is listed below: “The information I have requested has Sensitive Personally Identifiable Information. To properly secure this information, please send it in an encrypted format and delivered in a secure manner.”
Protecting PII – Rules of Thumb Continued . . . • If you receive Sensitive PII in an unsecured format, do not forward or copy until you have safely secured the information. • Destroy all Sensitive PII once the need for the information is no longer needed. • Ensure your departmental processes and procedures account for handling the various types of Sensitive PII. • Contact the Help Desk if you need a mobile hotspot, encrypted removable media (USB drive, CD), encrypt your disk drive, or create a secured shared network drive. • Limit the use of Sensitive PII and only access or use Sensitive PII when you have a “need to know” reason to perform your job. If you are unsure the Sensitive PII relates to your official duties, ask your supervisor.
Learning Goals: Goal 5c • Ability to Identify Personally Identifiable Information (PII). • Determine the difference between Non-Sensitive PII and Sensitive PII. • Why we need to protect PII. • Know What PII we have and Where PII exists. • Individual actions to protect PII. • Sensitive PII you always need to protect • Rules of Thumb • Situations
How to Protect Sensitive PII • In my Office . . . • Never leave Sensitive PII unattended on a desk, network printer, fax machine, or copier. • Delete files and/or shred hard copy Sensitive PII when no longer needed. • Physically secure Sensitive PII (e.g., in a locked drawer, cabinet, desk, or safe) when not in use or not otherwise under the control of a person with a need to know. • If your office is open and unsecured, avoid discussing Sensitive PII in person or over the telephone when • you’re within earshot of anyone who does not need to know the information. • If you must discuss Sensitive PII using a speakerphone, phone bridge or video teleconference, do so only if you are in a location where those without a need • to know cannot overhear.
How to Protect Sensitive PII • In my Office (continued). . . • Be alert to social engineering or phishing scams to any phone calls or emails from individuals claiming to be employees and attempting to get personal or non-public information or asking to verify such information about you. Legitimate operations procedures will not ask you to verify or confirm your account login, password, or personal information by email or over the phone.
How to Protect Sensitive PII • On my Electronic Devices . . . • All Personal Electronic Devices and Laptops should have encryption software to store the data. • Always store Sensitive PII on a shared secure drive rather than your computer hard drive or shared unsecured drive. • Lock your computer screen when away from your computer by pressing “CTRL + ALT + DEL” then “Lock this Computer”. • Do not have your computer remember passwords. • Do not share account information, especially logins or passwords, with anyone. • Do not have login or password information accessible to others (e.g., on a sticky note on your computer). • When using Sensitive PII in a website or web application make sure the URL starts with HTTPS://. • Lock your laptop to your secured docking station at your desk.
How to Protect Sensitive PII • When sharing SPII with others . . . • Ensure the individual(s) you are sharing the data with has a legitimate need to know. • If you are sharing sensitive data outside DPI, contact the Pupil Data Policy Officer to verify a Memo of Understanding (MOU) or contract was created with the outside party. • Before sharing verify if the data requested can be accommodated by using DPI Public tools (i.e. WINSS or WISEdash Public) --OR-- removing Sensitive PII by summarization, redacting, anatomizing, or obfuscation. • Secure FTP or a secured application is used to transfer data between two servers. • Email attachments with SPII should always be password protected. • Emailing SPII outside of DPI should be encrypted and the password should be shared via a separate email or given to the individual in person or over the phone. DPI uses a software package called Accellion for sending and receiving sensitive data, contact the DPI Help Desk if you need to use this software.
How to Protect Sensitive PII • When sharing SPII with others (continued) . . . • Avoid faxing Sensitive PII if at all possible. If you must use a fax to transmit Sensitive PII, use a secured fax line, if available. Alert the recipient prior to faxing so they can retrieve it as it is received by the machine. After sending the fax, verify that the recipient received the fax. • Seal Sensitive PII in an opaque envelope or container, and mail using First Class or Priority Mail, or a traceable commercial delivery service (e.g., UPS or FedEx). • Encrypt Sensitive PII stored on CDs, DVDs, hard drives, USB flash drives, floppy disks, or other removable media prior to mailing or sharing.
How to Protect Sensitive PII • While traveling . . . • If you must leave SPII in a car, lock it in the trunk so that it is out of sight. Do not leave your briefcase, laptop or Personal Electronic Device (PED) in a car overnight. • Do not store a briefcase, laptop or PED in an airport, a train or bus station, or any public locker. • Avoid leaving a briefcase, laptop or PED in a hotel room. If you must leave it in a hotel room, lock it inside an in-room safe or a piece of luggage. • At airport security, place your briefcase, laptop or PED on the conveyor belt only after the belongings of the person ahead of you have cleared the scanner. If you are delayed, keep your eye on it until you can pick it up. Never place a PED in checked luggage. • If your briefcase, laptop or PED is lost or stolen, report it immediately to your supervisor and the Help Desk.
How to Protect Sensitive PII • While traveling (continued) . . . • If you plan to use a laptop or Personal Electronic Device (PED) in a public setting and want to connect to a network, check out a DPI mobile hotspot from the DPI Help Desk to ensure you have a secure connection. DO NOT connect your laptop or PED that has Sensitive PII to public wireless access found in coffee shops, airports or other public places. These public connections are unsecured.
How to Protect Sensitive PII • While working remote . . . • DO NOT store or email Sensitive PII to your personal laptop or personal electronic device. Use a secured shared drive, Google Drive or encrypted media to access documents. • Use only secured network connections to access your work authorized applications. • Make sure you secure Sensitive PII data when not in use. • Limit the Sensitive PII taken outside the office. Take only the Sensitive PII you need to do your job. • Ensure other individuals do not have access to see Sensitive PII at your remote location. • Do not print Sensitive PII on your home or hotel printer. • Make sure your phone conversations about Sensitive PII are private and not overheard.
PII – Information Overload Do you feel you heard enough about PII and Sensitive PII?
Additional PII Reference Material Refer to the following documents for additional PII examples and quick reference: PII Safeguard Quick Reference http://wise.dpi.wi.gov/files/wise/pdf/PII%20Safeguard%20Quick%20Reference.pdf Additional Examples of PII http://wise.dpi.wi.gov/files/wise/pdf/PII%20list%20of%20Examples.pdf
PII – Questions? If you have any questions on Personally Identifiable Information? Ask your Supervisor.
Personally Identifiable Information (PII) – Credits • Information contained in this presentation are from: • Wisconsin Department of Public Instruction • http://dpi.wi.gov/ • United States Department of Homeland Security • http://www.dhs.gov/ • United States Department of Commerce - National Institute of Standards and Technology • http://www.nist.gov/information-technology-portal.cfm