-
The Department of Homeland Security defines personally identifiable information (PII) as “any information that permits the identity of an individual to be directly or indirectly inferred.” Further, with PII there can be “Sensitive PII” that “if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.”[1] For the purposes of the Nassau BOCES, both PII and sensitive PII are considered the same. PII includes, but is not limited to, student or employee IDs, social security number, driver’s license number, New York State Student Information System (NYSSIS) ID, full name, date of birth, medical information, ethnicity, free and reduced lunch eligibility status, credit card information, special education information, teach IDs, financial information, students’ grades, addresses, and phone numbers. View this document as a PDF.
Employee Responsibilities
When Do Don't Using PII in the Office - Prevent unauthorized persons from having access to PII. This includes co-workers.
- Keep PII information covered when it is on your desk.
- Keep PII locked in a desk drawer, file cabinet or office if you are away from your desk.
- Check your desk area at the end of the day to make sure there is no PII in plain sight.
- Email PII outside of Nassau BOCES unless it is done securely through OneDrive.
- Discuss PII near unauthorized co-workers.
- Release PII to anyone unless specifically authorized to do so.
- Forget to clear office equipment of printed paper or paper jams, especially if it contains PII.
- Access PII unless you have a need to know to perform your responsibilities.
When Do Don't Sharing PII - Encrypt all emails containing PII by using Office 365 online portal. Path to encrypt: Outlook → New Message →
(click on the three dots in the “Send” row) → Encrypt. - Validate that the recipient of the PII requires the PII for official purposes.
- Use caution when emailing to distribution lists or group emails.
- Share PII using your personal email.
- Share PII with anyone not authorized to have the PII.
- Forget, the receiver of a document/email may not be authorized to access the PII in the document/email.
- Post PII to shared work sites unless access controls are applied.
When Do Don't Securing PII - Store PII only on Nassau BOCES directories.
- Encrypt or send email through OneDrive.
- Shred paper documents containing PII when they are no longer needed.
- Lock your computer when away from your desk and log out of programs if you will be away for an extended period.
- Discuss PII in public with non-co-workers.
- Store PII in non-approved locations such as your car.
- Leave laptop computers or mobile devices in any vehicle.
- Use USB devices to store PII.
- Toss documents containing PII in the trash or recycling bins.
When Do Don't Working at Home - Access PII only through approved Nassau BOCES equipment.
- Prevent family and friends from having access to your work laptop or mobile device.
- Email PII to a personal email account (i.e. Gmail, AOL, Yahoo).
- Work from home and download PII on your personal computer.
- Take home paper or electronic information containing PII.
When Do Don't Reporting PII - Contact your immediate supervisor to report a breach in safeguarding PII.
- Also, contact our Customer Care Center to report a breach in safeguarding PII.
- Always take corrective action, if you can, to prevent a “breach” from occurring.
- Report known or suspected instances of any failure to protect PII.
- Avoid your responsibility to safeguard PII.
The above information follows the Nassau BOCES Board Policies: 8630 Computer Resources and Data Management; 4526 Computer Use in Instruction; 1120 Public Access to Records; 8635 Information Security Breach and Notification.
[1] Handbook for Safeguarding Sensitive Personally Identifiable Information, p. 4, available at dhs.gov/privacy.
