Awareness - Protecting our Data Personally Identifiable Information (PII)


Page 1: Awareness - Protecting our Data Personally Identifiable Information (PII)

Awareness - Protecting our Data

• Personally Identifiable Information (PII)

Page 2

Learning Goals:

1) Ability to Identify Personally Identifiable Information (PII).

2) Determine the difference between Non-Sensitive PII and Sensitive PII.

3) Why we need to protect PII.

4) Know What PII we have and Where PII exists.

5) Individual actions to protect PII.

   a) Sensitive PII you always need to protect

   b) Rules of Thumb

   c) Situations

Page 3

Learning Goals: Goal 1

1) Ability to Identify Personally Identifiable Information (PII).

2) Determine the difference between Non-Sensitive PII and Sensitive PII.

3) Why we need to protect PII.

4) Know What PII we have and Where PII exists.

5) Individual actions to protect PII.

   a) Sensitive PII you always need to protect

   b) Rules of Thumb

   c) Situations

Page 4

Personally Identifiable Information (PII) Basic Definition

• Information used to identify who an individual is.

Can you think of what kind of PII you may have on yourself right now? Possibly a …

▫ Business Card
▫ Driver’s License
▫ Credit/Debit Card
▫ Medical Insurance Card

Page 5

Definition of PII - Distinguish and Trace

Any information that can be used to Distinguish or Trace an individual, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records (fingerprints, retina scan, image, etc.).

Distinguish - is to identify an individual.

Trace - is to process sufficient information to make a determination about a specific aspect of an individual’s activities or status, just like a detective identifying someone from clues.

Page 6

Definition of PII - Linked and Linkable

Linked

• Information about an individual that is logically associated with other data about that same individual.

Example: Combining information from the same application database, i.e. linking student address information with student test score information by student number.

Linkable

• Information collected from many unrelated sources.

Example: Combining enough information collected from a spreadsheet, a public website and an application database to identify an individual student.

Information that identifies a person through combining data is called Linked or Linkable, such as medical, educational, financial, and employment information.

Page 7

Learning Goals: Goal 2

1) Ability to Identify Personally Identifiable Information (PII).

2) Determine the difference between Non-Sensitive PII and Sensitive PII.

3) Why we need to protect PII.

4) Know What PII we have and Where PII exists.

5) Individual actions to protect PII.

   a) Sensitive PII you always need to protect

   b) Rules of Thumb

   c) Situations

Page 8

Types of PII

• Not all Personally Identifiable Information should be treated the same.

• Some personal information, if lost, compromised, or disclosed without authorization, can be used to cause harm by:

1. Embarrassment, identity theft or blackmail to the individual.

2. Financial losses, opportunity loss, or loss of public reputation for an organization.

Page 9

Non-Sensitive PII

• Personally Identifiable Information that can be shared without concern is considered non-sensitive and can be shared publicly. Examples:

▫ Directory Information listed on a public website
▫ Your Business Card
▫ Public Phone Book
▫ Name Tag

Page 10

Sensitive PII (SPII)

• Personally Identifiable Information that can cause harm to an individual or organization is sensitive information and cannot be shared with or viewed by anyone unless the person receiving the information has a legitimate purpose to know.

Examples:

▫ Social Security Number
▫ Bank Account Number
▫ Passport Number
▫ Driver’s License or State ID

Page 11

Personally Identifiable Information (PII) – Context

Some PII can be considered non-sensitive or sensitive based on the context of how the data is used or reported.

For example: In both situations below, we have PII of a student’s first name and last name. Depending on how the data is used or reported, the data will be either non-sensitive or sensitive.

• A student directory on a public website. (Non-sensitive)

• A report listing students with a disability. (Sensitive)

Page 12

Learning Goals: Goal 3

1) Ability to Identify Personally Identifiable Information (PII).

2) Determine the difference between Non-Sensitive PII and Sensitive PII.

3) Why we need to protect PII.

4) Know What PII we have and Where PII exists.

5) Individual actions to protect PII.

   a) Sensitive PII you always need to protect

   b) Rules of Thumb

   c) Situations

Page 13

Why we Protect PII

Okay, I know there is PII around our workplace, but why should I care?

1. Federal Laws – Student Records - FERPA, Health Records - HIPAA, Individuals with Disabilities - IDEA, National School Lunch Act.

2. Wisconsin State Statutes – General Duties of Public Officials – Personal Information Practices Chapter 19 subchapter IV, Cooperative research on education programs; statewide student data system s. 115.297, Teachers Certificates and Licenses s. 118.19(1) and (10), Public School Pupil Records s. 118.125, s. 118.126, s. 118.127, s. 118.169.

Page 14

Why we Protect PII Continued …

3. Department of Public Instruction Policy – Employee Work Rules and Code of Ethics 3.105, Medical Information 3.205, Acceptable Use of Technology 4.105, Student Data Access 4.300, Confidentiality of Individual Pupil Data and Data Redaction (Screening) 4.315.

4. Ethically. When you possess other individuals’ personal information, you are obligated to handle the information as if it were your own, so that you do not cause harm to the individual or to the organization you work for.

Page 15

Learning Goals: Goal 4

1) Ability to Identify Personally Identifiable Information (PII).

2) Determine the difference between Non-Sensitive PII and Sensitive PII.

3) Why we need to protect PII.

4) Know What PII we have and Where PII exists.

5) Individual actions to protect PII.

   a) Sensitive PII you always need to protect

   b) Rules of Thumb

   c) Situations

Page 16

PII In our Work

Now that we understand . . .

1. The definition of Personally Identifiable Information (PII).

2. The different types of PII (sensitive and non-sensitive).

3. Our duty to handle PII safely.

• What kind of PII and SPII do we have?

• Where can we find PII and SPII in my work?

Page 17

PII In our Work

• PII and Sensitive PII are used every day as we perform our work activities.

• Can you think of what PII and SPII are in your work environment?

• Can you think of where PII and SPII are located in your work environment?

Page 18

What kind of PII do we find in our Workplace?

Financial
• Bank Account Numbers
• Tax IDs
• Credit / Debit Card

Human Resources
• Health Information
• Applications
• State ID Badge

Educator
• Social Security Number
• License Number
• Fingerprints

Student
• Wisconsin Student Number
• Economically Disadvantaged Status
• Primary Disability

Page 19

PII In our Workplace

Where can we find PII and Sensitive PII (SPII) in our workplace?

Work Area
• Computer Applications
• PC, Laptop, Tablet, PDA
• Network file server
• Email and Instant Messages
• Meetings
• Phone (cell or landline)
• Filing Cabinets and File Folders
• Media (flash drive, disk, etc.)
• On top of desk

Common Use Areas
• Copiers
• Fax Machines
• Network Printers
• Phone
• Meetings (formal or informal)
• Projectors
• Filing Cabinets
• Break Room

Page 20

PII Outside Our Workplace

Sometimes work PII and Sensitive PII (SPII) is taken outside our workplace.

Places where work PII and Sensitive PII can be found outside work:
• At Home, Conference, Hotel, Meeting Room
• Vehicle, Bus, Taxi or Plane
• Briefcase, Purse, Backpack
• Laptop, Tablet, PDA, Phone
• Removable Media

Page 21

Learning Goals: Goal 5a

1) Ability to Identify Personally Identifiable Information (PII).

2) Determine the difference between Non-Sensitive PII and Sensitive PII.

3) Why we need to protect PII.

4) Know What PII we have and Where PII exists.

5) Individual actions to protect PII.

   a) Sensitive PII you always need to protect

   b) Rules of Thumb

   c) Situations

Page 22

List of PII that always is Sensitive

Student Data
• Wisconsin Student Number (WSN)
• Attendance
• Habitual Truancy
• Suspension
• Expulsion
• Dropout
• Course-Taking
• Retention
• Test Results (WKCE, AP, ACT, AA-SwD, ACCESS, etc.)
• Primary Disability Category
• Migrant Status
• Homeless Status
• English Language Proficiency Level
• Educational Environment
• Free and Reduced Lunch Eligibility Status

General Data
• Social Security Number
• Driver’s License or State ID Card
• Passport Number
• DNA Profile
• Biometric Identifiers (x-ray, retinal scan, fingerprints, etc.)
• Medical Information
• Authentication Information (passwords and information to re-enable passwords)
• Financial Information (bank account, credit / debit card, etc.)
• Sensitive context where PII data is used (queried or reported)

Page 23

Learning Goals: Goal 5b

1) Ability to Identify Personally Identifiable Information (PII).

2) Determine the difference between Non-Sensitive PII and Sensitive PII.

3) Drivers to why we need to protect PII.

4) Know where PII exists.

5) Individual actions to protect PII.

   a) Sensitive PII you always need to protect

   b) Rules of Thumb

   c) Situations

Page 24

Protecting PII – Rules of Thumb

It is everyone’s responsibility to protect the Sensitive Personally Identifiable Information of others. Listed on the next few slides are “Rules of Thumb” with the actions each of us needs to take in bold.

• Apply the “Golden Rule” - Treat other individuals’ Sensitive PII as if it were your own. Example: You probably would not put your personal Debit Card and Social Security Card on your desk and leave for the day.

• If you identify a data breach of Sensitive PII, report it to your Supervisor and Help Desk immediately.

• When reporting a data breach, do not send the breached information in email. This will only proliferate the breach.

Page 25

Protecting PII – Rules of Thumb Continued . . .

• Whenever possible, minimize the duplication and dissemination of electronic files and papers containing Sensitive PII.

• As a best practice, every request you make for Sensitive PII outside the organization should be accompanied by a reminder of how to properly secure the information.

This will limit unnecessary dissemination of individuals’ personal data, and will also make the sender aware of what information is being collected and the purpose for collecting it. A sample accompanying note is listed below:

“The information I have requested contains Sensitive Personally Identifiable Information. To properly secure this information, please send it in an encrypted format and deliver it in a secure manner.”

Page 26

Protecting PII – Rules of Thumb Continued . . .

• If you receive Sensitive PII in an unsecured format, do not forward or copy it until you have safely secured the information.

• Destroy all Sensitive PII once the information is no longer needed.

• Ensure your departmental processes and procedures account for handling the various types of Sensitive PII.

• Contact the Help Desk if you need a mobile hotspot or encrypted removable media (USB drive, CD), need your disk drive encrypted, or need a secured shared network drive created.

• Limit the use of Sensitive PII and only access or use Sensitive PII when you have a “need to know” reason to perform your job. If you are unsure whether the Sensitive PII relates to your official duties, ask your supervisor.

Page 27

Learning Goals: Goal 5c

1) Ability to Identify Personally Identifiable Information (PII).

2) Determine the difference between Non-Sensitive PII and Sensitive PII.

3) Why we need to protect PII.

4) Know What PII we have and Where PII exists.

5) Individual actions to protect PII.

   a) Sensitive PII you always need to protect

   b) Rules of Thumb

   c) Situations

Page 28

How to Protect Sensitive PII

In my Office . . .

• Never leave Sensitive PII unattended on a desk, network printer, fax machine, or copier.

• Delete files and/or shred hard copy Sensitive PII when no longer needed.

• Physically secure Sensitive PII (e.g., in a locked drawer, cabinet, desk, or safe) when not in use or not otherwise under the control of a person with a need to know.

• If your office is open and unsecured, avoid discussing Sensitive PII in person or over the telephone when you’re within earshot of anyone who does not need to know the information.

• If you must discuss Sensitive PII using a speakerphone, phone bridge or video teleconference, do so only if you are in a location where those without a need to know cannot overhear.

Page 29

How to Protect Sensitive PII

In my Office (continued) . . .

• Be alert to social engineering or phishing scams: any phone calls or emails from individuals claiming to be employees and attempting to obtain personal or non-public information, or asking you to verify such information about yourself. Legitimate operations procedures will not ask you to verify or confirm your account login, password, or personal information by email or over the phone.

Page 30

How to Protect Sensitive PII

On my Electronic Devices . . .

• All Personal Electronic Devices and Laptops should have encryption software protecting the stored data.

• Always store Sensitive PII on a shared secure drive rather than your computer hard drive or a shared unsecured drive.

• Lock your computer screen when away from your computer by pressing “CTRL + ALT + DEL” then “Lock this Computer”.

• Do not have your computer remember passwords.

• Do not share account information, especially logins or passwords, with anyone.

• Do not have login or password information accessible to others (e.g., on a sticky note on your computer).

• When using Sensitive PII in a website or web application, make sure the URL starts with HTTPS://.

• Lock your laptop to your secured docking station at your desk.

Page 31

How to Protect Sensitive PII

When sharing SPII with others . . .

• Ensure the individual(s) you are sharing the data with has a legitimate need to know.

• If you are sharing sensitive data outside DPI, contact the Pupil Data Policy Officer to verify a Memo of Understanding (MOU) or contract was created with the outside party.

• Before sharing, verify whether the data requested can be accommodated by using DPI Public tools (i.e. WINSS or WISEdash Public) --OR-- by removing Sensitive PII through summarization, redaction, anonymization, or obfuscation.

• Use Secure FTP or a secured application to transfer data between two servers.

• Email attachments with SPII should always be password protected.

• SPII emailed outside of DPI should be encrypted, and the password should be shared via a separate email or given to the individual in person or over the phone. DPI uses a software package called Accellion for sending and receiving sensitive data; contact the DPI Help Desk if you need to use this software.
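The following Python script is an added example and is not part of the DPI deck or of any DPI tool. It ties together three points from the slides: the "Linked" case from page 6 (two tables from the same application database joined on student number), the context point from page 11 (the same first and last names become Sensitive PII once the report is about disability), and the summarization and redaction route to a shareable report from this slide. The tables, names, student numbers, field names and the five-record suppression threshold are all constructed for the example.

```python
"""Linked PII and de-identified reporting (added example, constructed data)."""
from collections import Counter
import re

# Constructed sample data: two tables from the same application database.
# Each table alone is fairly harmless; joined on student_number they tie a
# named person to a sensitive attribute (primary disability).
ADDRESSES = [
    {"student_number": "1001", "first_name": "Ana", "last_name": "Lopez", "city": "Madison"},
    {"student_number": "1002", "first_name": "Ben", "last_name": "Ortiz", "city": "Madison"},
    {"student_number": "1003", "first_name": "Cal", "last_name": "Young", "city": "Racine"},
    {"student_number": "1004", "first_name": "Dee", "last_name": "Klein", "city": "Racine"},
    {"student_number": "1005", "first_name": "Eli", "last_name": "Nunez", "city": "Racine"},
    {"student_number": "1006", "first_name": "Fay", "last_name": "Moore", "city": "Racine"},
]
SCORES = [
    {"student_number": "1001", "math_score": 71, "primary_disability": "None"},
    {"student_number": "1002", "math_score": 64, "primary_disability": "Speech"},
    {"student_number": "1003", "math_score": 88, "primary_disability": "None"},
    {"student_number": "1004", "math_score": 59, "primary_disability": "None"},
    {"student_number": "1005", "math_score": 93, "primary_disability": "None"},
    {"student_number": "1006", "math_score": 77, "primary_disability": "None"},
]

# Fields that identify a person directly and never belong in a shared report.
DIRECT_IDENTIFIERS = {"student_number", "first_name", "last_name"}
# SSN-shaped token (constructed pattern for the example, not a DPI rule).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def link_records(addresses, scores):
    """Inner join of the two tables on student_number: the 'Linked' case."""
    by_key = {row["student_number"]: row for row in scores}
    return [{**a, **by_key[a["student_number"]]}
            for a in addresses if a["student_number"] in by_key]


def disability_roster(linked):
    """Names of students with a recorded disability. This is the page 11
    'report listing students with a disability' and is Sensitive PII."""
    return [f'{r["first_name"]} {r["last_name"]}'
            for r in linked if r["primary_disability"] != "None"]


def redact_direct_identifiers(record):
    """Drop direct identifiers. What remains (city, score, status) can still
    be linkable, so redaction alone does not make a row safe to release."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def summarize_by(records, group_field, min_cell=5):
    """Counts per group with small-cell suppression: any group smaller than
    min_cell is reported as None so no individual can be picked out."""
    counts = Counter(r[group_field] for r in records)
    return {group: (n if n >= min_cell else None) for group, n in counts.items()}


def redact_ssn(text):
    """Mask SSN-shaped tokens in free text before it is forwarded or copied."""
    return SSN_RE.sub("XXX-XX-XXXX", text)


if __name__ == "__main__":
    linked = link_records(ADDRESSES, SCORES)
    print("sensitive roster (do not share):", disability_roster(linked))
    print("shareable summary:", summarize_by(linked, "primary_disability"))
    print(redact_ssn("Applicant SSN 123-45-6789 is attached"))
```

Run as a script it prints the per-name roster (the sensitive form), then the suppressed summary: the single student with a recorded disability shows up as a `None` cell rather than a count of one, which is the difference between a report that identifies a person and one that can be shared.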

Page 32

How to Protect Sensitive PII

When sharing SPII with others (continued) . . .

• Avoid faxing Sensitive PII if at all possible. If you must use a fax to transmit Sensitive PII, use a secured fax line, if available. Alert the recipient prior to faxing so they can retrieve it as it is received by the machine. After sending the fax, verify that the recipient received it.

• Seal Sensitive PII in an opaque envelope or container, and mail using First Class or Priority Mail, or a traceable commercial delivery service (e.g., UPS or FedEx).

• Encrypt Sensitive PII stored on CDs, DVDs, hard drives, USB flash drives, floppy disks, or other removable media prior to mailing or sharing.

Page 33

How to Protect Sensitive PII

While traveling . . .

• If you must leave SPII in a car, lock it in the trunk so that it is out of sight. Do not leave your briefcase, laptop or Personal Electronic Device (PED) in a car overnight.

• Do not store a briefcase, laptop or PED in an airport, a train or bus station, or any public locker.

• Avoid leaving a briefcase, laptop or PED in a hotel room. If you must leave it in a hotel room, lock it inside an in-room safe or a piece of luggage.

• At airport security, place your briefcase, laptop or PED on the conveyor belt only after the belongings of the person ahead of you have cleared the scanner. If you are delayed, keep your eye on it until you can pick it up. Never place a PED in checked luggage.

• If your briefcase, laptop or PED is lost or stolen, report it immediately to your supervisor and the Help Desk.

Page 34

How to Protect Sensitive PII

While traveling (continued) . . .

• If you plan to use a laptop or Personal Electronic Device (PED) in a public setting and want to connect to a network, check out a DPI mobile hotspot from the DPI Help Desk to ensure you have a secure connection. DO NOT connect your laptop or PED that has Sensitive PII to public wireless access found in coffee shops, airports or other public places. These public connections are unsecured.

Page 35

How to Protect Sensitive PII

While working remote . . .

• DO NOT store or email Sensitive PII to your personal laptop or personal electronic device. Use a secured shared drive, Google Drive or encrypted media to access documents.

• Use only secured network connections to access your work authorized applications.

• Make sure you secure Sensitive PII data when not in use.

• Limit the Sensitive PII taken outside the office. Take only the Sensitive PII you need to do your job.

• Ensure other individuals do not have access to see Sensitive PII at your remote location.

• Do not print Sensitive PII on your home or hotel printer.

• Make sure your phone conversations about Sensitive PII are private and not overheard.

Page 36

PII – Information Overload

Do you feel you heard enough about PII and Sensitive PII?

Page 37

Additional PII Reference Material

Refer to the following documents for additional PII examples and quick reference:

PII Safeguard Quick Reference
http://wise.dpi.wi.gov/files/wise/pdf/PII%20Safeguard%20Quick%20Reference.pdf

Additional Examples of PII
http://wise.dpi.wi.gov/files/wise/pdf/PII%20list%20of%20Examples.pdf

Page 38

PII – Questions?

If you have any questions on Personally Identifiable Information . . .

Ask your Supervisor.

Page 39

Personally Identifiable Information (PII) – Credits

Information contained in this presentation is from:

• Wisconsin Department of Public Instruction
http://dpi.wi.gov/

• United States Department of Homeland Security
http://www.dhs.gov/

• United States Department of Commerce - National Institute of Standards and Technology
http://www.nist.gov/information-technology-portal.cfm