Presentation is loading. Please wait.

Presentation is loading. Please wait.

Awareness - Protecting our Data

Published byCelina Trent Modified over 10 years ago

Similar presentations

Presentation on theme: "Awareness - Protecting our Data"— Presentation transcript:

1 Awareness - Protecting our Data
Personally Identifiable Information (PII)

2 Learning Goals: Ability to Identify Personally Identifiable Information (PII). Determine the difference between Non-Sensitive PII and Sensitive PII. Why we need to protect PII. Know What PII we have and Where PII exists. Individual actions to protect PII. Sensitive PII you always need to protect Rules of Thumb Situations

3 Learning Goals: Goal 1 Ability to Identify Personally Identifiable Information (PII). Determine the difference between Non-Sensitive PII and Sensitive PII. Why we need to protect PII. Know What PII we have and Where PII exists. Individual actions to protect PII. Sensitive PII you always need to protect Rules of Thumb Situations

4 Personally Identifiable Information (PII) Basic Definition
Information used to identify who an individual is. Can you think of what kind of PII you may have on yourself right now? Possibly a … Business Card Driver’s License Credit/Debit Card Medical Insurance Card

5 Definition of PII - Distinguish and Trace
Any information that can be used to Distinguish or Trace an individual, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records (fingerprints, retina scan, image etc.). Distinguish - is to identify an individual. Trace - is to process sufficient information to make a determination about a specific aspect of an individual‘s activities or status. Just like how a detective can identify someone by clues.

6 Definition of PII -Linked and Linkable
Information that identifies a person through combining data is called Linked or Linkable, such as medical, educational, financial, and employment information. Linked Linkable Individual information that is logically associated with other data to the individual. Example: Combining information from the same application database i.e. linking student address information with student test score information by student number. Information collected from many unrelated sources Example: Combining enough information collected from a spreadsheet, public website and application database to determine an individual student.

7 Learning Goals: Goal 2 Ability to Identify Personally Identifiable Information (PII). Determine the difference between Non-Sensitive PII and Sensitive PII. Why we need to protect PII. Know What PII we have and Where PII exists. Individual actions to protect PII. Sensitive PII you always need to protect Rules of Thumb Situations

8 Types of PII Some Not all Personally Identifiable Information should be treated the same. Some personal information if lost, compromised, or disclosed without authorization can be used to cause harm by: Embarrassment, identity theft or blackmail to the individual. Financial losses, opportunity loss, or loss of public reputation for an organization.

9 Non-Sensitive PII Personally Identifiable Information that can be shared without concern is considered non-sensitive and can be shared publically. Examples: Directory Information listed on a public website Your Business Card Public Phone Book Name Tag

10 Sensitive PII (SPII) Personally Identifiable Information that can cause harm to an individual or organization is sensitive information and cannot be shared or viewed with anyone unless the person receiving the information has a legitimate purpose to know. Examples: Social Security Number Bank Account Number Passport Number Drivers License or State Id

11 Personally Identifiable Information (PII) – Context
Some PII can be considered non-sensitive or sensitive based on the context of how the data is used or reported. For example: In both situations below, we have PII of a student’s first name and last name. Depending on how the data is used or reported the data will be either non-sensitive or sensitive. Sensitive Non-sensitive A student directory on a public website. A report listing students with a disability.

12 Learning Goals: Goal 3 Ability to Identify Personally Identifiable Information (PII). Determine the difference between Non-Sensitive PII and Sensitive PII. Why we need to protect PII. Know What PII we have and Where PII exists. Individual actions to protect PII. Sensitive PII you always need to protect Rules of Thumb Situations

13 Why we Protect PII Okay, I know there is PII around our workplace, but why should I care? Federal Laws – Student Records - FERPA, Health Records - HIPAA, Individuals with Disabilities - IDEA, National School Lunch Act. Wisconsin State Statutes – General Duties of Public Officials – Personal Information Practices Chapter 19 subchapter IV, Cooperative research on education programs; statewide student data system s , Teachers Certificates and Licenses s (1) and (10), Public School Pupil Records s , s , s , s

14 Why we Protect PII Continued …
3. Department of Public Instruction Policy – Employee Work Rules and Code of Ethics 3.105, Medical Information 3.205, Acceptable Use of Technology 4.105, Student Data Access 4.300, Confidentiality of Individual Pupil Data and Data Redaction (Screening) 4. Ethically. When you possess other individual’s personal information you are obligated to handle the information as it is your own so you will not cause harm to the individual or the organization you work for.

15 Learning Goals: Goal 4 Ability to Identify Personally Identifiable Information (PII). Determine the difference between Non-Sensitive PII and Sensitive PII. Why we need to protect PII. Know What PII we have and Where PII exists. Individual actions to protect PII. Sensitive PII you always need to protect Rules of Thumb Situations

16 PII In our Work Now that we understand . . .
The definition of Personally Identifiable Information (PII). The different types of PII (sensitive and non-sensitive). Our duty to handle PII safely. What kind of PII and SPII do we have? Where can we find PII and SPII in my work?

17 PII In our Work PII and Sensitive PII are used everyday as we perform our work activities. Can you think of what PII and SPII is in your work environment? Can you think of where PII and SPII is located in your work environment?

18 What kind of PII do we find in our Workplace?
Financial Bank Account Numbers Tax Ids Credit / Debit Card Educator Social Security Number License Number Fingerprints Student Wisconsin Student Number Economically Disadvantaged Status Primary Disability Human Resources Health Information Applications State ID Badge

19 PII In our Workplace Where can we find PII and Sensitive PII (SPII) in our workplace? Common Use Areas Copiers Fax Machines Network Printers Phone Meetings (formal or informal) Projectors Filing Cabinets Break Room Work Area Computer Applications PC, Laptop, Tablet, PDA Network file server and Instant Messages Meetings Phone (cell or landline) Filing Cabinets and File Folders Media (flash drive, disk, etc) On top of desk

20 PII Outside Our Workplace
Sometimes work PII and Sensitive PII (SPII) is taken outside our work place. Places where work PII and Sensitive PII can be found outside work. At Home, Conference, Hotel, Meeting Room Vehicle, Bus, Taxi or Plane Briefcase, Purse, Backpack Laptop, Tablet, PDA, Phone Removable Media

21 Learning Goals: Goal 5a Ability to Identify Personally Identifiable Information (PII). Determine the difference between Non-Sensitive PII and Sensitive PII. Why we need to protect PII. Know What PII we have and Where PII exists. Individual actions to protect PII. Sensitive PII you always need to protect Rules of Thumb Situations

22 List of PII that always is Sensitive
Student Data Wisconsin Student Number (WSN) Attendance Habitual Truancy Suspension Expulsion Dropout Course-Taking Retention Test Results (WKCE, AP, ACT, AA-SwD, ACCESS, etc.) Primary Disability Category Migrant Status Homeless Status English Language Proficiency Level Educational Environment Free and Reduced Lunch Eligibility Status General Data Social Security Number Driver’s License or State ID Card Passport Number DNA Profile Biometric Identifiers (x-ray, retinal scan fingerprints, etc.) Medical Information Authentication Information (passwords and information to re-enable passwords) Financial Information (bank account, credit / debit card, etc.) Sensitive context where PII data is used (queried or reported)

23 Learning Goals: Goal 5b Ability to Identify Personally Identifiable Information (PII). Determine the difference between Non-Sensitive PII and Sensitive PII. Drivers to why we need to protect PII. Know where PII exists. Individual actions to protect PII. Sensitive PII you always need to protect Rules of Thumb Situations

24 Protecting PII – Rules of Thumb
It is everyone’s responsibility to protect Sensitive Personally Identifiable Information of others. Listed on the next few slides are “Rules of Thumb” with actions bolded each of us need to take. Apply the “Golden Rule” - Treat other individual’s Sensitive PII as if it is your own. Example: You probably would not put your personal Debit Card and Social Security Card on your desk and leave for the day. If you identify a data breach of Sensitive PII, report it to your Supervisor and Help Desk immediately. When reporting a data breach do not send the breached information in . This will only proliferate the breach.

25 Protecting PII – Rules of Thumb Continued . . .
Whenever possible, minimize the duplication and dissemination of electronic files and papers containing Sensitive PII. As a best practice, every request you make for Sensitive PII outside the organization should be accompanied by a reminder of how to properly secure the information. This will limit unnecessary dissemination of individual’s personal data, and will also allow the sender to be aware of what information is being collected, and purpose for collecting the information. A sample accompanying note is listed below: “The information I have requested has Sensitive Personally Identifiable Information. To properly secure this information, please send it in an encrypted format and delivered in a secure manner.”

26 Protecting PII – Rules of Thumb Continued . . .
If you receive Sensitive PII in an unsecured format, do not forward or copy until you have safely secured the information. Destroy all Sensitive PII once the need for the information is no longer needed. Ensure your departmental processes and procedures account for handling the various types of Sensitive PII. Contact the Help Desk if you need a mobile hotspot, encrypted removable media (USB drive, CD), encrypt your disk drive, or create a secured shared network drive. Limit the use of Sensitive PII and only access or use Sensitive PII when you have a “need to know” reason to perform your job. If you are unsure the Sensitive PII relates to your official duties, ask your supervisor.

27 Learning Goals: Goal 5c Ability to Identify Personally Identifiable Information (PII). Determine the difference between Non-Sensitive PII and Sensitive PII. Why we need to protect PII. Know What PII we have and Where PII exists. Individual actions to protect PII. Sensitive PII you always need to protect Rules of Thumb Situations

28 How to Protect Sensitive PII
In my Office . . . Never leave Sensitive PII unattended on a desk, network printer, fax machine, or copier. Delete files and/or shred hard copy Sensitive PII when no longer needed. Physically secure Sensitive PII (e.g., in a locked drawer, cabinet, desk, or safe) when not in use or not otherwise under the control of a person with a need to know. If your office is open and unsecured, avoid discussing Sensitive PII in person or over the telephone when you’re within earshot of anyone who does not need to know the information. If you must discuss Sensitive PII using a speakerphone, phone bridge or video teleconference, do so only if you are in a location where those without a need to know cannot overhear.

29 How to Protect Sensitive PII
In my Office (continued). . . Be alert to social engineering or phishing scams to any phone calls or s from individuals claiming to be employees and attempting to get personal or non-public information or asking to verify such information about you. Legitimate operations procedures will not ask you to verify or confirm your account login, password, or personal information by or over the phone.

30 How to Protect Sensitive PII
On my Electronic Devices . . . All Personal Electronic Devices and Laptops should have encryption software to store the data. Always store Sensitive PII on a shared secure drive rather than your computer hard drive or shared unsecured drive. Lock your computer screen when away from your computer by pressing “CTRL + ALT + DEL” then “Lock this Computer”. Do not have your computer remember passwords. Do not share account information, especially logins or passwords, with anyone. Do not have login or password information accessible to others (e.g., on a sticky note on your computer). When using Sensitive PII in a website or web application make sure the URL starts with Lock your laptop to your secured docking station at your desk.

31 How to Protect Sensitive PII
When sharing SPII with others . . . Ensure the individual(s) you are sharing the data with has a legitimate need to know. If you are sharing sensitive data outside DPI, contact the Pupil Data Policy Officer to verify a Memo of Understanding (MOU) or contract was created with the outside party. Before sharing verify if the data requested can be accommodated by using DPI Public tools (i.e. WINSS or WISEdash Public) --OR-- removing Sensitive PII by summarization, redacting, anatomizing, or obfuscation. Secure FTP or a secured application is used to transfer data between two servers. attachments with SPII should always be password protected. ing SPII outside of DPI should be encrypted and the password should be shared via a separate or given to the individual in person or over the phone. DPI uses a software package called Accellion for sending and receiving sensitive data, contact the DPI Help Desk if you need to use this software.

32 How to Protect Sensitive PII
When sharing SPII with others (continued) . . . Avoid faxing Sensitive PII if at all possible. If you must use a fax to transmit Sensitive PII, use a secured fax line, if available. Alert the recipient prior to faxing so they can retrieve it as it is received by the machine. After sending the fax, verify that the recipient received the fax. Seal Sensitive PII in an opaque envelope or container, and mail using First Class or Priority Mail, or a traceable commercial delivery service (e.g., UPS or FedEx). Encrypt Sensitive PII stored on CDs, DVDs, hard drives, USB flash drives, floppy disks, or other removable media prior to mailing or sharing.

33 How to Protect Sensitive PII
While traveling If you must leave SPII in a car, lock it in the trunk so that it is out of sight. Do not leave your briefcase, laptop or Personal Electronic Device (PED) in a car overnight. Do not store a briefcase, laptop or PED in an airport, a train or bus station, or any public locker. Avoid leaving a briefcase, laptop or PED in a hotel room. If you must leave it in a hotel room, lock it inside an in-room safe or a piece of luggage. At airport security, place your briefcase, laptop or PED on the conveyor belt only after the belongings of the person ahead of you have cleared the scanner. If you are delayed, keep your eye on it until you can pick it up. Never place a PED in checked luggage. If your briefcase, laptop or PED is lost or stolen, report it immediately to your supervisor and the Help Desk.

34 How to Protect Sensitive PII
While traveling (continued) . . . If you plan to use a laptop or Personal Electronic Device (PED) in a public setting and want to connect to a network, check out a DPI mobile hotspot from the DPI Help Desk to ensure you have a secure connection. DO NOT connect your laptop or PED that has Sensitive PII to public wireless access found in coffee shops, airports or other public places. These public connections are unsecured.

35 How to Protect Sensitive PII
While working remote . . . DO NOT store or Sensitive PII to your personal laptop or personal electronic device. Use a secured shared drive, Google Drive or encrypted media to access documents. Use only secured network connections to access your work authorized applications. Make sure you secure Sensitive PII data when not in use. Limit the Sensitive PII taken outside the office. Take only the Sensitive PII you need to do your job. Ensure other individuals do not have access to see Sensitive PII at your remote location. Do not print Sensitive PII on your home or hotel printer. Make sure your phone conversations about Sensitive PII are private and not overheard.

36 PII – Information Overload
Do you feel you heard enough about PII and Sensitive PII?

37 Additional PII Reference Material
Refer to the following documents for additional PII examples and quick reference: PII Safeguard Quick Reference Additional Examples of PII

38 PII – Questions? If you have any questions on Personally Identifiable Information? Ask your Supervisor.

39 Personally Identifiable Information (PII) – Credits
Information contained in this presentation are from: Wisconsin Department of Public Instruction United States Department of Homeland Security United States Department of Commerce - National Institute of Standards and Technology

Download ppt "Awareness - Protecting our Data"

Similar presentations

Surfing the net: Ways to protect yourself. Internet Safety Look into safeguarding programs or options your online service provider might offer. Look into.

Surfing the net: Ways to protect yourself. Internet Safety Look into safeguarding programs or options your online service provider might offer. Look into.
ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
HIPAA Security.

HIPAA Security.
CONFIDENTIALITY / PRIVACY. Federal Laws Privacy Act of 1974 PII (Personally Identifiable Information)….Protection of social security numbers……….

CONFIDENTIALITY / PRIVACY. Federal Laws Privacy Act of 1974 PII (Personally Identifiable Information)….Protection of social security numbers……….
COMPLYING WITH PRIVACY AND SECURITY REGULATIONS Overview MHC Privacy and Security Committee Revised 1/17/11.

COMPLYING WITH PRIVACY AND SECURITY REGULATIONS Overview MHC Privacy and Security Committee Revised 1/17/11.
Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.
Welcome to the SPH Information Security Learning Module.

Welcome to the SPH Information Security Learning Module.
Top 10 Checklist to Protect Your Personal Privacy Online Teens 1.

Top 10 Checklist to Protect Your Personal Privacy Online Teens 1.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
 Privacy Act of 1974 PII (Personally Identifiable Information)….Protection of social security numbers……….

 Privacy Act of 1974 PII (Personally Identifiable Information)….Protection of social security numbers……….
WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.

WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.

A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
Information Privacy and Compliance Training For All Brigham Young University– Idaho Employees.

Information Privacy and Compliance Training For All Brigham Young University– Idaho Employees.
1.3.1.G1 © Family Economics & Financial Education – Revised October 2004 – Consumer Protection Unit – Identity Theft Funded by a grant from Take Charge.

1.3.1.G1 © Family Economics & Financial Education – Revised October 2004 – Consumer Protection Unit – Identity Theft Funded by a grant from Take Charge.
Critical Data Management Indiana University HR Summit April 24, 2014.

Critical Data Management Indiana University HR Summit April 24, 2014.
SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.

SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.

Similar presentations

Ads by Google