[CCoE Notice] Compliance review for handling of sensitive personal information
Charles John Young Jr.
cjyoung at EGR.UH.EDU
Fri Jun 10 13:08:09 CDT 2011
Dear Colleagues,
The University's Office of IT Security has initiated a review of all
University computers to ensure compliance with applicable law and
University policy for the storage and handling of "sensitive personal
data", as defined by statute. Such data includes social security numbers,
payment card numbers, driver's license numbers, etc. The University is
required by law to provide for the secure handling and storage of any such
data while it is in our custody.
To facilitate this review in the College, Engineering Computing is using
University-provided commercial software to help identify such information
on University-owned computers in the College, starting with those
computers used primarily by faculty and staff. When there is an
indication that such sensitive personal information may exist on a
University computer, we will notify the principal user of that computer
and work with him or her to take any corrective action that may be
appropriate.
There are a limited number of instances that require the storage of
sensitive personal data, and in such cases, the primary requirement is
that such data be properly protected. Typically, this will involve the
use of some approved form of encryption. However, whenever possible, the
safest course is to delete any such information as soon as it is no longer
needed.
We have found that two of the most common sources of personal data are
from legacy files dated prior to 2006, when social security numbers were
being used as student ID numbers, and information that is cached while web
browsing official sites (e.g., PeopleSoft) that might have pages
containing such information. In these instances, it is usually a simple
matter to work with the user to delete such data from their computer.
It is our goal to conduct these reviews so as to be as minimally disruptive
as possible. To this end, we will try to conduct scans outside of normal
business hours (evenings and weekends).
Best regards,
John Young
Engineering Computing