Personally Identifiable Information Policy

Listed below are policy documents from both the University of North Texas System and the University of North Texas at Dallas outlining the foundational policies under which all members of the UNT System, and more specifically the University of North Texas at Dallas, operate:

UNT System Information Security Handbook

UNT Dallas Policy 14.007 - Privacy

From these policies, the Registrar, custodian of all student academic data, functions in coordination with all University data users.

Registrar Policy

Members of the University community shall employ reasonable and appropriate administrative, technical, and physical safeguards to protect the integrity, confidentiality, and security of all personally identifiable information (PII), irrespective of its source or ownership or the medium used to store it. All individuals who dispense, receive, and store PII have responsibilities to safeguard it.

The University is guided by the following objectives:

  1. To enhance individual privacy for members of the University community through the secure handling of PII and personal identifiers (PIDs);
  2. To ensure that all members of the University community understand their obligations and individual responsibilities under this policy by providing appropriate training that will permit the University community to comply with both the letter and the spirit of all applicable privacy legislation;
  3. To increase security and management of Social Security numbers (SSNs) by:
    1. inculcating broad awareness of the confidential nature of the SSNs;
    2. establishing a consistent policy about the use of SSNs throughout the University; and
    3. ensuring that access to SSNs for the purpose of conducting University business is granted only to the extent necessary to accomplish a given task or purpose.
  4. To use, throughout the University, a unique University ID (EUID) that serves as the primary identification element for persons associated with UNTD and is applicable across the entire UNT System enterprise, reducing reliance on the SSN for identification purposes.
  5. To not transmit, process, or store any complete credit card data on any University owned/controlled computers, servers, desktops, laptops, disks, flash drives, or other portable or mobile devices.

Data Trustees are responsible for oversight of personally identifiable information in their respective areas of University operations. Activities of these officials are aligned and integrated through appropriate coordination among these cognizant University officials.

Purpose

The University of North Texas at Dallas creates, collects, maintains, uses, and transmits personally identifiable information relating to individuals associated with the University including, but not limited to, students, alumni, faculty, administrators, staff, and service employees. The University is committed to protecting PII against inappropriate access and use in compliance with applicable laws and regulations in order to maximize trust and integrity.

Scope

This policy applies to all members of the University community, including all full- and part-time employees, faculty, students and their parents or guardians, and other individuals such as contractors, consultants, other agents of the community, alumni, and affiliates that are associated with the University or whose work gives them custodial responsibilities for PII.

Definitions

Data Trustees: Data Trustees are senior University officials (typically at the level of Vice President or higher) who have planning and policy-making responsibilities for University data and the University Data Warehouse. The Data Trustees, as a group, are responsible for overseeing the establishment of data management policies and procedures and for the assignment of data management accountability.

Minimum Necessary: Minimum Necessary is the standard that defines that the least information and fewest people should be involved to satisfactorily perform a particular function.

Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number, or biometric records, alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

Personal Identifier (PID): A PID, a sub-category of PII, is a unique code assigned to or utilized by an individual to identify that individual. PIDs are used primarily, but not exclusively, for the purpose of electronic operations. University Identification Numbers (EUIDs) and NetIDs are examples of PIDs.

Requirements

  1. Data Trustees: Data Trustees will administer this policy in their respective areas of University operations. They will resolve the responsibility for the data, if any data elements overlap more than one area.
  2. Personally Identifiable Information
    1. PII may be released only on a Minimum Necessary basis and only to those individuals who are authorized to use such information as part of their official University duties, subject to the requirements:
      1. that the PII released is narrowly tailored to a specific business requirement;
      2. that the information is kept secure and used only for the specific official University [business] purposes for which authorization was obtained; and
      3. that the PII is not further disclosed or provided to others without proper authorization as defined above.
    2. PII may be handled by third parties with the strict requirement that the information be kept secure and used only for a specific official authorized business purpose as defined in a Business Associate Agreement with that third party.
    3. Exceptions to this policy may be made only upon specific requests approved by the cognizant University official responsible for such information as specified in this policy above and only to the degree necessary to achieve the mission and business needs of the University. Any and all exceptions made must be documented, retained securely, and reviewed periodically by the appropriate cognizant University official or his/her designee.
    4. Directory PII, as defined by Federal and State law and UNTD policy, will be published following the guidelines defined by the Office of the Vice President for Information Technology and Chief Information Technology Officer for UNTD Texas.
    5. Information that has been collected that conforms to the HIPAA standards of deidentification or anonymization is not PII.
       
  3. Government-Issued Personal Identifiers
    Social Security Number
    1. Provision of Information
      1. UNTD collects SSNs:
        1. when it is required to do so by law;
        2. when no other identifier serves the business purpose; and
        3. when an individual volunteers the SSN as a means of locating or confirming personal records.
      2. In other circumstances, individuals are not required to provide their SSN verbally or in writing at any point of service, nor are they to be denied access to those services should they refuse to provide an SSN.
      3. SSN collection must be approved by the appropriate campus official (see the "Policy" section, above). When an SSN is requested, UNTD informs the individual what uses will be made of the SSN and whether the disclosure is voluntary, or, if it is mandatory, by what authority.
    2. Release of SSNs
      SSNs will be released by UNTD to persons or entities outside the University only:
      1. as required by law;
      2. when permission is granted by the individual;
      3. when the external entity is acting as the University's authorized contractor or agent and attests that no other methods of identification are available, and reasonable security measures are in place to prevent unauthorized dissemination of SSNs to third parties; or
      4. when the UNTD Office of General Counsel has approved the release.
    3. Use, Display, Storage, Retention, and Disposal
      1. SSNs or any portion thereof will not be used by UNTD to identify individuals except as required by law or with approval by a cognizant University official for a University business purpose.
      2. The release or posting of personal information, such as grades or occupational listings, keyed by the SSN or any portion thereof, is prohibited, as is placement of the SSN in files with unrestricted access.
      3. SSNs will be transmitted electronically only for business purposes approved by the campus officials responsible for SSN oversight and only through secure mechanisms approved by the Chief Information Technology Officer.
      4. The Data Trustees who are responsible for SSNs will oversee the establishment of business rules for the use, display, storage, retention, and disposal of any document, item, file, or database which contains SSNs in print or electronic form.
  4. Non-SSN Government-Issued Identifiers
    In the course of its business operations, UNTD has access to, collects, and uses non-SSN government-issued identifiers such as driver's licenses, passports, HIPAA National Provider Identifiers, Employee Identification Numbers (EIN), and military identification cards, among others. UNTD follows the Minimum Necessary standard and strives to safeguard these identifiers.
  5. Texas University-Issued Identifiers
    1. University ID Number
      1. Assignment Eligibility and Issuance
        1. The EUID is a unique numeric identifier assigned by the University to any member of the University community who requires an identifying number in any University system or record.
        2. A EUID is assigned at the earliest possible point of contact between the individual and the University.
        3. The EUID is associated permanently and uniquely with the individual to whom it is assigned.
      2. Use, Display, Storage, Retention, and Disposal
        1. The EUID is considered PII by the University, to be used only for appropriate business purposes in support of University operations.
        2. The EUID is used to identify, track, and serve individuals across all University electronic and paper data systems, applications, and business processes throughout the span of an individual's association with the University and presence in the University's systems or records.
        3. The EUID is not to be disclosed or displayed publicly by the University, nor to be posted on University electronic information or data systems unless the EUID is protected by access controls that limit access to properly authorized individuals.
    2. NetID
      1. Assignment Eligibility and Issuance
        1. The NetID is a unique alphanumeric assigned by the University to an individual.
        2. The NetID is assigned to all persons who may require access to electronic services at the University, including students, faculty, alumni, administrators, staff, service employees, and other individuals (such as contractors, consultants, and affiliates) associated with the University.
        3. The NetID is permanently and uniquely associated with the individual to whom it is assigned.
        4. The NetID, alone, without a password, will not be used for access to UNTD's electronic network.
      2. Use, Display, Storage, Retention, and Disposal
        1. The NetID is used, in conjunction with an individually set password, as an authenticated identifier for online transactions and may be used, in addition to the EUID, to identify and track individuals within the University systems, applications, and business processes.
        2. Each member of the University community will be held fully responsible for any activity authorized by that individual's NetID and password.
        3. Under the Family Educational Rights and Privacy Act (FERPA), the NetID may be used as directory information as long as the identifier cannot be used standing alone (i.e., without a password) by unauthorized individuals to obtain sensitive, non-public (i.e., non-directory) information about an individual from education records.
        4. The release or posting of personal information keyed by the NetID, such as grades, is prohibited.
  6. Other Externally-Assigned Identifiers and Other Personally Identifiable Information
    UNTD has access to, collects, and uses various externally-assigned identifiers other than those indicated above in the course of its business operations. These identifiers include, but are not limited to, credit and debit card numbers and bank account numbers. UNTD follows the Minimum Necessary standard and strives to safeguard these identifiers.
  7. Responsibility for Maintenance and Access Control
    1. The University-wide EUIDs and NetIDs are maintained and administered by UNTD Information Technology Services (ITS). Other University offices may maintain and administer electronic and physical repositories containing personal identification numbers for uses in accordance with this policy.
    2. Access to electronic and physical repositories containing SSNs, EUIDs, and NetIDs will be controlled based upon reasonable and appropriate administrative, physical, technical, and organizational safeguards.
    3. Individuals who inadvertently gain access to a file or database that contains SSNs or EUIDs for which they have not been authorized shall report it immediately to ITSS Technology Security Services.
  8. Enforcement
    Violations of this policy resulting in misuse of, unauthorized access to, or unauthorized disclosure or distribution of personal identification numbers may subject individuals to legal and/or disciplinary action, up to and including the termination of employment or contract with the University, or, in the case of students, suspension or expulsion from the University.