In general, sensitive information is information that should not be made public and that should be disclosed only under limited circumstances. Some sensitive information is regulated by law (e.g., FERPA, HIPAA, GLBA, SOX, and data collected from human subjects). Other types of sensitive information that are integral to the business operations of the college are considered confidential but are not otherwise subject to state or federal laws or regulations. Examples include information maintained by the Office of the Provost, Alumni/Advancement information, Business Services, Employee Services, etc. Learn more about Macalester Sensitive Information.
Personal Information Requiring Notification (PIRN)
PIRN is a class of sensitive information requiring special protection because its loss or theft requires notification of the victims by virtue of Minnesota Law.
In Minnesota, PIRN is defined as a person’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such a person:
- Social Security number
- Driver’s license number or state-issued identification card number
- Financial account number, credit or debit card number, in combination with any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account
- Passport number
Information is not PIRN, however, if it includes data that is lawfully obtained from publicly available sources, or from federal, state or local government records lawfully made available to the general public.
STRONGLY RECOMMENDED FOR THE PROTECTION OF SENSITIVE INFORMATION
- PIRN, as defined above, should never be transmitted via email (regardless of domain) and should not be stored in Google Docs/Drive.
- Sensitive information that is not PIRN may be transmitted via email within the Macalester domain (i.e., from/to an @macalester.edu account).
- Sensitive information that is not PIRN may also be stored in Google Docs provided the “shared” settings only include those who absolutely need access to this information and only for as long as they need it.
- Sensitive information of any kind should not be transmitted via email to an external domain (i.e., a firstname.lastname@example.org account).
- Keep the definitive copy of sensitive information on a secure, professionally administered and backed-up system. It is strongly recommended that sensitive information only be kept on secure network drives and that access to folders on the G:/ drive containing sensitive information be appropriately controlled. Storing sensitive information in this manner not only allows you to recover lost information, but it can also help you determine what information was stored on a machine if it is stolen or lost.
OTHER ACTIONS TO PROTECT SENSITIVE INFORMATION
- Make sure your computer is secure.
- If you keep copies of sensitive information on your personal computer, consider encrypting the computer, especially if it’s a laptop.
- Use only secure connections such as “https” for Web transactions.
- Remove the sensitive information as soon as you no longer need it.
- Follow the guidelines above for transmitting sensitive information via email.