PII - Identity Finder

  • Proposed Personally Identifying Information (PII) Policy and Procedures

    To ensure proper handling of PII across campus, IUP is developing language to include in the current Acceptable Use Policy (AUP) that will address PII awareness, storage and remediation.

    Personally Identifying Information is defined by the National Institute of Standards and Technology as:

    “…any information about an individual maintained by an agency, including

    1. any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and
    2. any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

    What’s Happening Now

    The PII language to be added to the AUP is being developed and is going through the IUP shared governance process. More will follow as progress is made.

    What are examples of PII and how are they categorized?

    • High: Social Security numbers, credit/debit card numbers, bank account numbers, driver licenses, passport numbers 
    • Moderate: Banner ID numbers, health info, password entries
    • Low: Dates of birth, phone numbers, e-mail address, personal address

    How will PII be identified?

    Spirion’s Identity Finder is a software tool currently available to locate PII across university machines and assist in handling it properly. The Identity Finder software runs like a virus scanner for file systems and can be configured by an end user to locate specific types of PII. After running a search on a specified set of directory paths, the Identity Finder software creates a report that describes the PII located during the scan. The report presents options to assist the user in handling the PII found: shred, redact, encrypt, quarantine, and ignore. The software can be scheduled to run automatically and can be integrated with e-mail clients.
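The scan-and-report workflow described above, sketched as an added example (not Spirion's code and not part of the original page): it walks a directory tree, matches a few High and Low tier items from the list above, and reports masked values. The regular expressions, function names and sample record are assumptions made for illustration; Moderate tier items such as Banner IDs are left out because their format is not given here.

```python
import os
import re

# Simplified detectors keyed by the page's risk tiers (assumed patterns,
# not Identity Finder's rules). Moderate-tier items need site-specific formats.
DETECTORS = [
    ("High", "ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("High", "card", re.compile(r"\b\d(?:[ -]?\d){12,15}\b")),
    ("Low", "email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("Low", "phone", re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b")),
]

def luhn_ok(digits):
    """Luhn checksum: rejects 13-16 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Return (tier, kind, masked_value) tuples; the report never holds raw PII."""
    findings = []
    for tier, kind, rx in DETECTORS:
        for m in rx.finditer(text):
            value = m.group()
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            findings.append((tier, kind, "*" * (len(value) - 4) + value[-4:]))
    return findings

def scan_tree(root):
    """Walk a directory tree and map each file with findings to its hits."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                report[path] = hits
    return report

# Constructed sample record; every value is fictitious.
SAMPLE = ("SSN: 123-45-6789\nCard: 4111 1111 1111 1111\n"
          "Order no: 1234 5678 9012 3456\nContact: jane.doe@example.edu, (724) 555-0100\n")
```

The order number in the sample has the length of a card number but fails the Luhn check, so it is not reported; checksum validation of this kind keeps false positives out of the High tier.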

    What happens if PII is found?

    PII data that is identified will be mitigated, redacted, encrypted, or quarantined.