Whenever you request or collect critical information from an individual or institutional source, stop and consider: Why do I need this information? Is it required for this situation? Can I fulfill my purpose without it?

  • If you do not absolutely need it, dispose of it securely.
  • If you received the information from another source, ask the source to avoid sharing it with you in the future.

Can you make the information less sensitive, and still fulfill your business need?

  • Collect only the last four digits of SSNs instead of the complete nine-digit number.
  • Convert SSNs to university ID numbers when possible and appropriate.
  • Remove columns of critical and other individually identifiable information prior to creating reports.
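
The three reductions above, applied to a spreadsheet export before it becomes a report. This is an added example, not part of the original guidance; the column names, the sample rows and the SSN-to-university-ID lookup are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample export; every name, SSN and ID below is made up.
SAMPLE_CSV = """name,ssn,dob,department,notes
Ana Ruiz,123-45-6789,1990-01-02,Biology,renewal pending
Ben Cho,987654321,1985-07-09,Physics,called re SSN 987-65-4321
Cy Dale,111-22-3333,1979-03-04,History,
"""
# Hypothetical SSN -> university ID lookup (assumed to come from the data steward).
ID_LOOKUP = {"123456789": "U0012345", "987654321": "U0067890"}

DROP_COLUMNS = {"ssn", "dob"}  # identifiable columns the report does not need
SSN_PATTERN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def minimize(csv_text, id_lookup, drop=DROP_COLUMNS):
    """Return report rows in which no complete SSN survives."""
    rows = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        digits = re.sub(r"\D", "", record.get("ssn") or "")
        # Drop the identifiable columns, then mask any full SSN that is
        # still sitting in a free-text field such as "notes".
        out = {
            key: SSN_PATTERN.sub("[SSN removed]", value or "")
            for key, value in record.items()
            if key not in drop
        }
        # Prefer the university ID; fall back to the last four digits only
        # when no ID exists and the source value really is nine digits.
        uid = id_lookup.get(digits, "")
        out["university_id"] = uid
        out["ssn_last4"] = digits[-4:] if not uid and len(digits) == 9 else ""
        rows.append(out)
    return rows


if __name__ == "__main__":
    for row in minimize(SAMPLE_CSV, ID_LOOKUP):
        print(row)
```

The second sample row shows why dropping the SSN column alone is not enough: the complete number also appears in the notes field and has to be masked there.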

If you must access or collect critical information…

  • Inform your unit leader and ensure they approve of this use.
  • Consult with your departmental IT Professional(s) and/or the appropriate data steward(s) to ensure secure and appropriate handling.
  • Document the justification and approval.
  • Notify individuals that you are collecting their data and explain its intended purpose.
  • If appropriate, obtain the consent of the individuals, preferably in writing.
  • Determine whether the information is subject to university policy or to local, state, or federal laws. Consult with General Counsel if needed.
  • Destroy the information in a secure manner once you no longer require it.
  • Regularly review your decision and your protection measures to ensure the business need still exists and the protection measures are still optimal.