Presentation on theme: "Awareness - Protecting our Data"— Presentation transcript:
1Awareness - Protecting our Data Personally Identifiable Information (PII)
2Learning Goals:Ability to Identify Personally Identifiable Information (PII).Determine the difference between Non-Sensitive PII and Sensitive PII.Why we need to protect PII.Know What PII we have and Where PII exists.Individual actions to protect PII.Sensitive PII you always need to protectRules of ThumbSituations
3Learning Goals: Goal 1Ability to Identify Personally Identifiable Information (PII).Determine the difference between Non-Sensitive PII and Sensitive PII.Why we need to protect PII.Know What PII we have and Where PII exists.Individual actions to protect PII.Sensitive PII you always need to protectRules of ThumbSituations
4Personally Identifiable Information (PII) Basic Definition Information used to identify who an individual is.Can you think of what kind of PII you may have on yourself right now? Possibly a …Business CardDriver’s LicenseCredit/Debit CardMedical Insurance Card
5Definition of PII - Distinguish and Trace Any information that can be used to Distinguish or Trace an individual, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records (fingerprints, retina scan, image etc.).Distinguish - is to identify an individual.Trace - is to process sufficient information to make a determination about a specific aspect of an individual‘s activities or status. Just like how a detective can identify someone by clues.
6Definition of PII -Linked and Linkable Information that identifies a person through combining data is called Linked or Linkable, such as medical, educational, financial, and employment information.LinkedLinkableIndividual information that is logically associated with other data to the individual. Example: Combining information from the same application database i.e. linking student address information with student test score information by student number.Information collected from many unrelated sources Example: Combining enough information collected from a spreadsheet, public website and application database to determine an individual student.
7Learning Goals: Goal 2Ability to Identify Personally Identifiable Information (PII).Determine the difference between Non-Sensitive PII and Sensitive PII.Why we need to protect PII.Know What PII we have and Where PII exists.Individual actions to protect PII.Sensitive PII you always need to protectRules of ThumbSituations
8Types of PIISomeNot all Personally Identifiable Information should be treated the same.Some personal information if lost, compromised, or disclosed without authorization can be used to cause harm by:Embarrassment, identity theft or blackmail to the individual.Financial losses, opportunity loss, or loss of public reputation for an organization.
9Non-Sensitive PIIPersonally Identifiable Information that can be shared without concern is considered non-sensitive and can be shared publically. Examples:Directory Information listed on a public websiteYour Business CardPublic Phone BookName Tag
10Sensitive PII (SPII)Personally Identifiable Information that can cause harm to an individual or organization is sensitive information and cannot be shared or viewed with anyone unless the person receiving the information has a legitimate purpose to know.Examples:Social Security NumberBank Account NumberPassport NumberDrivers License or State Id
11Personally Identifiable Information (PII) – Context Some PII can be considered non-sensitive or sensitive based on the context of how the data is used or reported.For example: In both situations below, we have PII of a student’s first name and last name. Depending on how the data is used or reported the data will be either non-sensitive or sensitive.SensitiveNon-sensitiveA student directory on a public website.A report listing students with a disability.
12Learning Goals: Goal 3Ability to Identify Personally Identifiable Information (PII).Determine the difference between Non-Sensitive PII and Sensitive PII.Why we need to protect PII.Know What PII we have and Where PII exists.Individual actions to protect PII.Sensitive PII you always need to protectRules of ThumbSituations
13Why we Protect PIIOkay, I know there is PII around our workplace, but why should I care?Federal Laws – Student Records - FERPA, Health Records - HIPAA, Individuals with Disabilities - IDEA, National School Lunch Act.Wisconsin State Statutes – General Duties of Public Officials – Personal Information Practices Chapter 19 subchapter IV, Cooperative research on education programs; statewide student data system s , Teachers Certificates and Licenses s (1) and (10), Public School Pupil Records s , s , s , s
14Why we Protect PII Continued … 3. Department of Public Instruction Policy – Employee Work Rules and Code of Ethics 3.105, Medical Information 3.205, Acceptable Use of Technology 4.105, Student Data Access 4.300, Confidentiality of Individual Pupil Data and Data Redaction (Screening)4. Ethically. When you possess other individual’s personal information you are obligated to handle the information as it is your own so you will not cause harm to the individual or the organization you work for.
15Learning Goals: Goal 4Ability to Identify Personally Identifiable Information (PII).Determine the difference between Non-Sensitive PII and Sensitive PII.Why we need to protect PII.Know What PII we have and Where PII exists.Individual actions to protect PII.Sensitive PII you always need to protectRules of ThumbSituations
16PII In our Work Now that we understand . . . The definition of Personally Identifiable Information (PII).The different types of PII (sensitive and non-sensitive).Our duty to handle PII safely.What kind of PII and SPII do we have?Where can we find PII and SPII in my work?
17PII In our WorkPII and Sensitive PII are used everyday as we perform our work activities.Can you think of what PII and SPII is in your work environment?Can you think of where PII and SPII is located in your work environment?
18What kind of PII do we find in our Workplace? FinancialBank Account NumbersTax IdsCredit / Debit CardEducatorSocial Security NumberLicense NumberFingerprintsStudentWisconsin Student NumberEconomically Disadvantaged StatusPrimary DisabilityHuman ResourcesHealth InformationApplicationsState ID Badge
19PII In our WorkplaceWhere can we find PII and Sensitive PII (SPII) in our workplace?Common Use AreasCopiersFax MachinesNetwork PrintersPhoneMeetings (formal or informal)ProjectorsFiling CabinetsBreak RoomWork AreaComputer ApplicationsPC, Laptop, Tablet, PDANetwork file serverand Instant MessagesMeetingsPhone (cell or landline)Filing Cabinets and File FoldersMedia (flash drive, disk, etc)On top of desk
20PII Outside Our Workplace Sometimes work PII and Sensitive PII (SPII) is taken outside our work place.Places where work PII and Sensitive PII can be found outside work.At Home, Conference, Hotel, Meeting RoomVehicle, Bus, Taxi or PlaneBriefcase, Purse, BackpackLaptop, Tablet, PDA, PhoneRemovable Media
21Learning Goals: Goal 5aAbility to Identify Personally Identifiable Information (PII).Determine the difference between Non-Sensitive PII and Sensitive PII.Why we need to protect PII.Know What PII we have and Where PII exists.Individual actions to protect PII.Sensitive PII you always need to protectRules of ThumbSituations
22List of PII that always is Sensitive Student DataWisconsin Student Number (WSN)AttendanceHabitual TruancySuspensionExpulsionDropoutCourse-TakingRetentionTest Results (WKCE, AP, ACT, AA-SwD, ACCESS, etc.)Primary Disability CategoryMigrant StatusHomeless StatusEnglish Language Proficiency LevelEducational EnvironmentFree and Reduced Lunch Eligibility StatusGeneral DataSocial Security NumberDriver’s License or State ID CardPassport NumberDNA ProfileBiometric Identifiers (x-ray, retinal scan fingerprints, etc.)Medical InformationAuthentication Information (passwords and information to re-enable passwords)Financial Information (bank account, credit / debit card, etc.)Sensitive context where PII data is used (queried or reported)
23Learning Goals: Goal 5bAbility to Identify Personally Identifiable Information (PII).Determine the difference between Non-Sensitive PII and Sensitive PII.Drivers to why we need to protect PII.Know where PII exists.Individual actions to protect PII.Sensitive PII you always need to protectRules of ThumbSituations
24Protecting PII – Rules of Thumb It is everyone’s responsibility to protect Sensitive Personally Identifiable Information of others. Listed on the next few slides are “Rules of Thumb” with actions bolded each of us need to take.Apply the “Golden Rule” - Treat other individual’s Sensitive PII as if it is your own.Example: You probably would not put your personal Debit Card and Social Security Card on your desk and leave for the day.If you identify a data breach of Sensitive PII, report it to your Supervisor and Help Desk immediately.When reporting a data breach do not send the breached information in . This will only proliferate the breach.
25Protecting PII – Rules of Thumb Continued . . . Whenever possible, minimize the duplication and dissemination of electronic files and papers containing Sensitive PII.As a best practice, every request you make for Sensitive PII outside the organization should be accompanied by a reminder of how to properly secure the information.This will limit unnecessary dissemination of individual’s personal data, and will also allow the sender to be aware of what information is being collected, and purpose for collecting the information. A sample accompanying note is listed below:“The information I have requested has Sensitive Personally Identifiable Information. To properly secure this information, please send it in an encrypted format and delivered in a secure manner.”
26Protecting PII – Rules of Thumb Continued . . . If you receive Sensitive PII in an unsecured format, do not forward or copy until you have safely secured the information.Destroy all Sensitive PII once the need for the information is no longer needed.Ensure your departmental processes and procedures account for handling the various types of Sensitive PII.Contact the Help Desk if you need a mobile hotspot, encrypted removable media (USB drive, CD), encrypt your disk drive, or create a secured shared network drive.Limit the use of Sensitive PII and only access or use Sensitive PII when you have a “need to know” reason to perform your job. If you are unsure the Sensitive PII relates to your official duties, ask your supervisor.
27Learning Goals: Goal 5cAbility to Identify Personally Identifiable Information (PII).Determine the difference between Non-Sensitive PII and Sensitive PII.Why we need to protect PII.Know What PII we have and Where PII exists.Individual actions to protect PII.Sensitive PII you always need to protectRules of ThumbSituations
28How to Protect Sensitive PII In my Office . . .Never leave Sensitive PII unattended on a desk, network printer, fax machine, or copier.Delete files and/or shred hard copy Sensitive PII when no longer needed.Physically secure Sensitive PII (e.g., in a locked drawer, cabinet, desk, or safe) when not in use or not otherwise under the control of a person with a need to know.If your office is open and unsecured, avoid discussing Sensitive PII in person or over the telephone whenyou’re within earshot of anyone who does not need to know the information.If you must discuss Sensitive PII using a speakerphone, phone bridge or video teleconference, do so only if you are in a location where those without a needto know cannot overhear.
29How to Protect Sensitive PII In my Office (continued). . .Be alert to social engineering or phishing scams to any phone calls or s from individuals claiming to be employees and attempting to get personal or non-public information or asking to verify such information about you. Legitimate operations procedures will not ask you to verify or confirm your account login, password, or personal information by or over the phone.
30How to Protect Sensitive PII On my Electronic Devices . . .All Personal Electronic Devices and Laptops should have encryption software to store the data.Always store Sensitive PII on a shared secure drive rather than your computer hard drive or shared unsecured drive.Lock your computer screen when away from your computer by pressing “CTRL + ALT + DEL” then “Lock this Computer”.Do not have your computer remember passwords.Do not share account information, especially logins or passwords, with anyone.Do not have login or password information accessible to others (e.g., on a sticky note on your computer).When using Sensitive PII in a website or web application make sure the URL starts with HTTPS://.Lock your laptop to your secured docking station at your desk.
31How to Protect Sensitive PII When sharing SPII with others . . .Ensure the individual(s) you are sharing the data with has a legitimate need to know.If you are sharing sensitive data outside DPI, contact the Pupil Data Policy Officer to verify a Memo of Understanding (MOU) or contract was created with the outside party.Before sharing verify if the data requested can be accommodated by using DPI Public tools (i.e. WINSS or WISEdash Public) --OR-- removing Sensitive PII by summarization, redacting, anatomizing, or obfuscation.Secure FTP or a secured application is used to transfer data between two servers.attachments with SPII should always be password protected.ing SPII outside of DPI should be encrypted and the password should be shared via a separate or given to the individual in person or over the phone. DPI uses a software package called Accellion for sending and receiving sensitive data, contact the DPI Help Desk if you need to use this software.
32How to Protect Sensitive PII When sharing SPII with others (continued) . . .Avoid faxing Sensitive PII if at all possible. If you must use a fax to transmit Sensitive PII, use a secured fax line, if available. Alert the recipient prior to faxing so they can retrieve it as it is received by the machine. After sending the fax, verify that the recipient received the fax.Seal Sensitive PII in an opaque envelope or container, and mail using First Class or Priority Mail, or a traceable commercial delivery service (e.g., UPS or FedEx).Encrypt Sensitive PII stored on CDs, DVDs, hard drives, USB flash drives, floppy disks, or other removable media prior to mailing or sharing.
33How to Protect Sensitive PII While travelingIf you must leave SPII in a car, lock it in the trunk so that it is out of sight. Do not leave your briefcase, laptop or Personal Electronic Device (PED) in a car overnight.Do not store a briefcase, laptop or PED in an airport, a train or bus station, or any public locker.Avoid leaving a briefcase, laptop or PED in a hotel room. If you must leave it in a hotel room, lock it inside an in-room safe or a piece of luggage.At airport security, place your briefcase, laptop or PED on the conveyor belt only after the belongings of the person ahead of you have cleared the scanner. If you are delayed, keep your eye on it until you can pick it up. Never place a PED in checked luggage.If your briefcase, laptop or PED is lost or stolen, report it immediately to your supervisor and the Help Desk.
34How to Protect Sensitive PII While traveling (continued) . . .If you plan to use a laptop or Personal Electronic Device (PED) in a public setting and want to connect to a network, check out a DPI mobile hotspot from the DPI Help Desk to ensure you have a secure connection. DO NOT connect your laptop or PED that has Sensitive PII to public wireless access found in coffee shops, airports or other public places. These public connections are unsecured.
35How to Protect Sensitive PII While working remote . . .DO NOT store or Sensitive PII to your personal laptop or personal electronic device. Use a secured shared drive, Google Drive or encrypted media to access documents.Use only secured network connections to access your work authorized applications.Make sure you secure Sensitive PII data when not in use.Limit the Sensitive PII taken outside the office. Take only the Sensitive PII you need to do your job.Ensure other individuals do not have access to see Sensitive PII at your remote location.Do not print Sensitive PII on your home or hotel printer.Make sure your phone conversations about Sensitive PII are private and not overheard.
36PII – Information Overload Do you feel you heard enough about PII and Sensitive PII?
37Additional PII Reference Material Refer to the following documents for additionalPII examples and quick reference:PII Safeguard Quick ReferenceAdditional Examples of PII
38PII – Questions?If you have any questions on Personally Identifiable Information?Ask your Supervisor.
39Personally Identifiable Information (PII) – Credits Information contained in this presentation are from:Wisconsin Department of Public InstructionUnited States Department of Homeland SecurityUnited States Department of Commerce - National Institute of Standards and Technology