4:040 Personally Identifiable Information
Austin Peay State
Personally Identifiable Information (PII)
March 25, 2017
Vice President for Finance and Administration
Austin Peay State University is committed to protecting PII against inappropriate
access and use in compliance with applicable laws and regulations in order to maximize
trust and integrity.
Austin Peay State University creates, collects, maintains, uses, and transmits personally
identifiable information relating to individuals associated with the university including,
but not limited to, students, alumni, faculty, administrators, staff, and service
employees. The university is committed to protecting PII against inappropriate access
and use in compliance with applicable laws and regulations in order to maximize trust
- Personally Identifiable Information (PII)
- Personally Identifiable Information
- Government-Issued Personal Identifiers
- Other Externally-Assigned Identifiers and Other Personally Identifiable Information
- Responsibility for Maintenance and Access Control
- Theft or Loss of Data
Data Custodians are university designees who have planning and policy-making responsibilities
for university data and the university Data Warehouse. The Data Custodians, as a group,
are responsible for overseeing the establishment of data management policies and procedures
and for the assignment of data management accountability.
Minimum Necessary is the standard that defines that the least information and fewest
people should be involved to satisfactorily perform a particular function.
Personally Identifiable Information (PII)
Information which can be used to distinguish or trace an individual's identity, such
as their name, Social Security number, or biometric records, alone, or when combined
with other personal or identifying information which is linked or linkable to a specific
individual, such as date and place of birth, mother's maiden name, etc.
Directory Information is determined by the university and is not considered PII.
- Members of the university community shall employ reasonable and appropriate administrative,
technical, and physical safeguards to protect the integrity, confidentiality, and
security of all personally identifiable information (PII), irrespective of its source
or ownership or the medium used to store it.
- All individuals who dispense, receive, and store PII have responsibilities to safeguard
- In adopting this policy, the university is guided by the following objectives:
- To enhance individual privacy for members of the university community through the
secure handling of PII and personal identifiers (PIDs);
- To ensure that all members of the university community understand their obligations
and individual responsibilities under this policy by providing appropriate training
that will permit the university community to comply with both the letter and the spirit
of all applicable privacy legislation.
- To increase security and management of Social Security numbers (SSNs) by:
- Instilling broad awareness of the confidential nature of the SSNs;
- Establishing a consistent policy about the use of SSNs throughout the university;
- Ensuring that access to SSNs for the purpose of conducting university business is
granted only to the extent necessary to accomplish a given task or purpose.
- To reduce reliance on the SSN for identification purposes as much as possible.
- To comply with all Payment Card Industry (PCI) standards.
- To comply with HIPAA standards (if applicable).
- Data Custodians are responsible for oversight of personally identifiable information
in their respective areas of university operations. Activities of these officials
are aligned and integrated through appropriate coordination among these cognizant
This policy applies to all members of the university community, including all full-
and part-time employees, faculty, students and their parents or guardians, and other
individuals such as contractors, consultants, other agents of the community, alumni,
and affiliates that are associated with the university or whose work gives them custodial
responsibilities for PII.
- Data Trustees
- Officials responsible for each of the following areas will be considered data custodians:
- Student Records
- Alumni and Donor Records
- Health Records
- Faculty and Staff Records
- Purchasing and Contracts
- Research Subjects
- Public Safety
- PII may be released only on a Minimum Necessary basis and only to those individuals
who are authorized to use such information as part of their official university duties,
subject to the requirements:
- That the PII released is narrowly tailored to a specific business requirement;
- That the information is kept secure and used only for the specific official university
purposes for which authorization was obtained; and
- That the PII is not further disclosed or provided to others without proper authorization
as defined above.
- PII may be handled by third parties with the strict requirement that the information
be kept secure and used only for a specific official authorized business purpose as
defined in a Business Associate Agreement with that third party.
- Exceptions to this policy may be made only upon specific requests approved by the
cognizant university official responsible for such information as specified in this
policy and only to the degree necessary to achieve the mission and business needs
of the university.
- Any and all exceptions made must be documented, retained securely, and reviewed periodically
by the appropriate cognizant university official or his/her designee.
- Directory Information, as defined by Federal and State law and university policy,
will be published following the guidelines defined by the university.
- Information that has been collected that conforms to the HIPAA standards of de-identification
or anonymization is not PII.
- Social Security Number
- Provision of Information
- The university collects SSNs:
- When required to do so by law;
- When no other identifier serves the business purpose; and
- When an individual volunteers the SSN as a means of locating or confirming personal
- In other circumstances, individuals are not required to provide their SSN verbally
or in writing at any point of service, nor are they to be denied access to those services
should they refuse to provide an SSN.
- Release of SSNs
- SSNs will be released to persons or entities outside the university only:
- As required by law;
- When permission is granted by the individual;
- When the external entity is acting as the university’s authorized contractor or agent
and attests that no other methods of identification are available, and reasonable
security measures are in place to prevent unauthorized dissemination of SSNs to third
- When the appropriate Counsel has approved the release.
- Use, Display, Storage, Retention, and Disposal
- SSNs or any portion thereof will not be used to identify individuals except as required
by law or with approval by a cognizant university official for a university business
- The release or posting of personal information, such as grades or occupational listings,
keyed by the SSN or any portion thereof, is prohibited, as is placement of the SSN
in files with unrestricted access.
- SSNs will be transmitted electronically only for business purposes approved by the
university officials responsible for SSN oversight and only through secure mechanisms.
- The Data Custodians who are responsible for SSNs will oversee the establishment of
business rules for the use, display, storage, retention, and disposal of any document,
item, file, or database which contains SSNs in print or electronic form.
- Non-SSN Government-Issued Identifiers
- In the course of its business operations, the university will have access to, collect,
and use non-SSN government-issued identifiers such as driver's licenses, passports,
HIPAA National Provider Identifiers, Employee Identification Numbers (EIN), and military
identification cards, among others.
- The university shall follow the Minimum Necessary standard and strive to safeguard
- University ID Number
- Assignment Eligibility and Issuance
- The University ID is a unique alphanumeric identifier assigned by the university to
any entity that requires an identifying number in any university system or record.
- The University ID is assigned at the earliest possible point of contact between the
entity and the university.
- The University ID is associated permanently and uniquely with the entity to which
it is assigned.
- Use, Display, Storage, Retention, and Disposal
- The University ID is considered PII by the university, to be used only for appropriate
business purposes in support of operations.
- The University ID is used to identify, track, and serve individuals across all university
electronic and paper data systems, applications, and business processes throughout
the span of an individual's association with the university and presence in the university's
systems or records.
- The University ID is not to be disclosed or displayed publicly by the university,
nor to be posted on the university’s electronic information or data systems unless
the University ID is protected by access controls that limit access to properly authorized
- The release or posting of personal information keyed by the University ID, such
as grades, is prohibited.
- Any document, item, file, or database that contains University IDs in print or electronic
form is to be protected and disposed of in a secure manner in compliance with data
and Other Personally Identifiable Information
The university shall follow the Minimum Necessary standard and strive to safeguard
any externally assigned identifiers which may be collected.
- University IDs are maintained and administered by the appropriate university office
in accordance with this policy.
- Other university offices may maintain and administer electronic and physical repositories
containing personal identification numbers for uses in accordance with this policy.
- Access to electronic and physical repositories containing PII will be controlled based
upon reasonable and appropriate administrative, physical, technical, and organizational
- Individuals who inadvertently gain access to a file or database containing PII should
report it to the appropriate authority.
Violations of this policy resulting in misuse of, unauthorized access to, or unauthorized
disclosure or distribution of personal identification numbers may subject individuals
to legal and/or disciplinary action, up to and including the termination of employment
or contract with the university or, in the case of students, suspension or expulsion
from the university.
APSU Policy 4:040 – Issued: March 25, 2017
President: signature on file