Personally Identifiable Information Policy
This policy establishes the rules that govern the collection, storage and maintenance of Personally Identifiable Information (PII).
Date of Birth and Social Security Number Permissioning
Policy:
- All requests for reporting, editing, maintaining and viewing access to Date of Birth (DoB) or Social Security Number (SSN) in any Champlain College system need to be approved by the President, the Vice President of Finance, or the Provost.
- Among other points of education, those with access to DoB and SSN should be aware of the following:
  - Do not share your username and password with anyone.
  - Do not email DoB or SSN or store it anywhere other than an IS-approved location (for example, do not store DoB or SSN data on an external drive or upload it to a non-approved cloud-based application).
  - Purposefully and regularly clear your temp and download directories of any files or directories containing DoB or SSN. Users who need training or support in how to do this should contact the Champlain College Helpdesk.
Process:
- Request Process: The requestor should document what work is being done that requires access to DoB and/or SSN, and forward the request up the managerial chain for validation. Managers should first consider whether there is another way to accomplish the work, or whether another person who already has access to this data could complete the work. A business process conversation with IS and with all other departments impacted should be expected, as this will create the opportunity for crafting a process, both inter- and intra-departmentally, that supports the fewest possible people needing access to PII data fields across the organization.
- Approvals: Once the request is routed up the organizational chain, the President, the Vice President of Finance or the Provost will review the recommendation and have the final decision on approval or denial. The request is approved with an email communication to the Chief Information Officer of the college.
- Approvals: If approved, the decision maker will notify the manager, the requestor, the IS Director of Enterprise Systems, the VP of Information Systems and the Director of Infrastructure. The VP of Information Systems will obtain a signature from the user and their manager on a confidentiality agreement before the access is provided.
- Denials: If denied, the decision maker will notify the manager and the requestor as well as the VP of Information Systems of the denial and the reasons for the denial.
- Incident Response: Refer to incident response procedure. For more information on this procedure, please contact the Director of Infrastructure in the Information Systems Department.