Protecting Personally Identifiable Information (PII)

Many departments at the University of Delaware handle high-risk, sensitive, and confidential information--also known as personally identifiable information, or PII. PII includes all Social Security Numbers and health records. Safeguarding PII is imperative because of the high risk of identity theft or financial loss posed to individuals and to the University in the event of improper disclosure. It is the responsibility of all employees to identify PII in their care, securely erase unnecessary PII, and properly encrypt PII that must be retained:

Scanning
for PII
Encrypting
PII
Erasing
PII
All employees are encouraged to regularly scan their hard drives for PII using Identity Finder for Windows or Mac. If PII is absolutely necessary for the function of an employee's unit, University policy states you must encrypt it. PII that is not absolutely necessary for the function of an employee's unit must be securely erased.

Guidelines

Use the table below to learn more about the University of Delaware's PII guidelines:

PII Storage and Encryption         

        Encryption Key Management

  • Any files containing sensitive Personally Identifiable Information (PII), including, but not limited to, Social Security numbers and health information, must be stored safely, preferably on a central UD service that uses encryption.
  • Files containing sensitive PII stored on centrally managed servers, departmental file servers, personal computers, or other departmentally managed devices or storage must be encrypted.
  • You must always re-encrypt a file if you've made any changes to it.
  • Delete unencrypted copies of a file after you've made an encrypted version.
  • AES Crypt, like some other encryption software, makes an unencrypted copy when you open an encrypted file. Delete the unencrypted copy when you are done viewing a file.
  • Remember the key (password) you used to encrypt your files. If the key gets lost, there is NO way for IT, or anyone, to decrypt files encrypted with AES Crypt. They will remain encrypted and inaccessible forever. (Click Encryption Key Management below for more information.)
  • Contact your department's or college's IT Professional or the IT Support Center if you require assistance while working with encrypted files.
  • Work with your unit administrator to decide how you will select encryption keys. You will do one of the following:
    • If IT encrypted one or more of your files with AES Crypt, you can continue using the key IT provided.
    • If you choose to use your own key, you will need to choose a strong key that is impossible to guess. You are advised to use random letters, numbers, and symbols. Consider using a password generator to create a secure key.
  • Check with your unit administrator to understand how your unit will keep encryption keys secure and available for operational continuity. Your unit's encryption keys:
    • must be secured from loss, destruction, unauthorized access or modification at the same level as the data they protect
    • must not be stored or sent in clear text that identifies them as encryption keys or that identifies the file(s) they protect.
  • When sharing an encrypted file, send the key using a different communication channel from the one used to send or share the encrypted file. For example, do not send the key in the same e-mail message that contains a link to the encrypted file or that includes the encrypted file as an attachment. Instead, communicate the key using a separate e-mail, a phone call, or an in-person meeting.
  • Remember the key (password) you used to encrypt your files. If the key gets lost, there is NO way for IT, or anyone, to decrypt files encyrpted with AES Crypt. They will remain encrypted and inaccessible forever.
.