Personally Identifiable Information Guidelines

Policy

Not Applicable

Scope

This data handbook applies to all Temple University faculty and staff (“employees”) and Temple-related individuals (including business associates or other third-party entities) who, during the normal course of business, may acquire, store, process, transmit or otherwise handle confidential, private information or regulatory protected information.

Purpose

Information protected or covered by regulations, such as FERPA, HIPAA, GLBA, PCI-DSS, the Pennsylvania Breach of Personal Information Notification Act and other sensitive, private or personal information, must be protected at all times. In order to appropriately protect these information assets, measures must be taken to ensure that the confidentiality, integrity and availability of the data are not compromised. This procedure outlines those data elements that must be protected. This is a non-exhaustive list of data fields that should be considered confidential or private, and be protected in accordance with applicable federal, state and local regulations, as well as university policies.

Temple University has implemented other guidelines, procedures and policies regarding privacy and information security (see Appendix A). This handbook does not replace or supersede any of those guidelines, procedures and policies, but rather is intended to complement (and should be interpreted consistently with) other such university guidelines, procedures and policies.

Definitions

Terms defined in this handbook are intended to have the meaning ascribed to them by the respective University policies derived from federal, state or local regulations.

  • Confidential Information – any proprietary University business information or research that is non-public, or contains sensitive, private or personal information, or is Regulatory Protected Information.
  • Education Records - any record stored or maintained by the University or an agent of the University that is directly related to a student unless noted under FERPA as an exception. Refer to the Policy Regarding Confidentiality of Student Records.
  • Non Public Information (NPI) – under the Gramm-Leach-Bliley Act (GLBA), personally identifiable financial information provided by a consumer, or information that results from, or information otherwise obtained by the university in order to provide a financial product or service from or through the university. Refer to the Comprehensive Information Security Program.
  • Protected Health Information (PHI) – information that should be given special protections to ensure it is not disclosed to anyone who is unauthorized under the Health Insurance Portability and Accountability Act (HIPAA).
  • Personally Identifiable Information (PII) – a subset of NPI, PHI or any other confidential information that can be used to uniquely identify a single person or can be used with other sources to uniquely identify a single individual.
  • Regulatory Protected Information – data that is protected by federal, state or local law and includes, but is not limited to, PHI, NPI, and Educational Records.

Guidelines

  • What needs to be protected?
    The following list contains examples of data elements that, if used in non-production environments, should be masked:
         - Social security number
         - National identification number
         - Driver’s license or state issued identification number
         - Birth date
         - Birth place
         - Tax ID number
         - Bank account information
         - Credit card account information
         - Medical records
         - Certificate/License numbers
         - Grades
         - Class lists
         - Disciplinary records
         - Student financial records
         - Payroll records
                i. For all employees
                ii. For student workers, assistantships, resident assistant programs
         - Vehicle identifiers and serial/registration numbers, including license plate numbers
         - Full face photographic images and any comparable images
  • Is there any student information that can be released without the student's permission?

Institutions are permitted to define a class of information as "directory information." FERPA permits public disclosure of directory information without the student's consent.

  • What is directory information?
    Directory information is information contained in a student's education record that would not generally be considered harmful or an invasion of privacy if disclosed (Name, Email, College and Alternate Email). FERPA defines directory information as:
         - The student's name,
         - Street address,
         - Email address,
         - Confirmation of enrollment status (full-time/part-time)
         - Dates of attendance,
         - Degree received,
         - Awards received (e.g., Dean’s List),
         - Major field of study,
         - Participation in officially recognized activities and sports, and
         - Weight and height of members of athletic teams.

Temple University publishes the following in its Cherry and White Phone Directory:
     a. The student's name,
     b. Street address,
     c. Email address.

General Information

For any questions regarding this document, please contact the Office of the Chief Information Security Officer at 215-204-7077 or at CISO@temple.edu