Non Public Personal Information Policy
SECTION I – Overview
As required by Rutgers, The State University of New Jersey, the Bloustein School has developed a school policy to safeguard non-public personal information (NPPI). The compromise of NPPI is a far too common occurrence in the information age in which we live. According to the Privacy Rights Clearinghouse, over 232 million identities were exposed in 2011 alone. In order to reduce the probability of compromise, policies are needed to create guidelines for the use and protection of NPPI.
The intent of this policy is to minimize the possibility of the access or manipulation of sensitive information by unauthorized individuals or organizations. This document provides a set of guidelines related to the storage, usage, transportation, and transmission of electronic and hardcopy sensitive information. It also requires that any employee (or student) who is using sensitive data identify themselves as “data custodians” within the Bloustein School. Adherence to these policies by the members of the Edward J. Bloustein School of Planning and Public Policy community will ensure the confidentiality and integrity of sensitive information, while also making this information available to the individuals who may need to use it for administrative, instructional, or research-related functions.
1. Non-Public Personal Information (NPPI)
As outlined by the security policy at Rutgers University: “NPPI shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.” NPPI includes but is not limited to:
(1) Social Security numbers*
(2) Driver’s license numbers or state identification card numbers
(3) Credit or debit card numbers
(4) Medical records
(5) Student records
(6) Financial records
(7) Legal Records
(8) Police Records
(9) Studies or surveys using confidential or personally identifiable data*
*Social Security numbers (SSN) have become a widely used identifier and are well known as the root of identity theft. University departments should no longer collect or use the SSN (with the exception of temporary use to process a new employee). Instead, departments should use alternative forms of identifying students, clients, employees, and faculty whenever possible. Requests to provide a SSN (if the department is legitimately required to store them) should be denied or, at the least, verified for legitimacy.
Source: Rutgers University Department of Information Protection and Security Definition of Sensitive Information (Non Public Personal Information or NPPI): http://rusecure.rutgers.edu/nppi/who/department-responsibilities/department-definition-of-nppi
2. Classifications of Data
Classifications are helpful in determining the level of risk associated with various forms of data.
Restricted Data (highest level of sensitivity)
Restricted Data is the most sensitive information and requires the highest level of protection. This information is usually described as “non-public personal information (NPPI)” and is related to people or to critical business, academic or research operations under the purview of the Owner/Data Custodian. Restricted Data includes, but is not limited to, data that Rutgers is required to protect under regulatory or legal requirements. Unauthorized disclosure or inappropriate use of restricted information could result in adverse legal, financial or reputational impact upon the university, as well as upon individuals and organizations. Examples of Restricted Data include but are not limited to: sensitive student or employee identifiable information (e.g., Social Security Number, driver’s license number), credit card information, confidential research, and file encryption keys, as well as certain financial records, medical records, legal records, student records, and police records.
Limited Access Data
Limited Access Data is information that does not meet the requirements of Restricted Data but has a moderate level of sensitivity and requires protection from risk and disclosure. Limited Access Data is the default classification and should be used for data intended for use within the University or within a specific workgroup, department or group of individuals with a legitimate need-to-know. Limited Access Data may be information one unit decides to share with another outside its administrative control for the purpose of collaboration. Unauthorized disclosure or inappropriate use of Limited Access Data could adversely impact the university, individuals, or affiliates but would not necessarily violate existing laws or regulations. Examples of Limited Access Data include but are not limited to: incomplete or unpublished research, internal memos or reports, personal cell phone numbers, project data, and data covered by non-disclosure agreements. Although most Limited Access Data is not technically NPPI, in many cases we will agree to protect it in the same manner in order to comply with the security requirements of organizations providing data as part of grant requests. In addition, if there is any concern that Limited Access Data should be better protected, please contact the Information Technology Services group for assistance or guidance.
Public Data (low level of sensitivity)
Public Data is information that may or must be open to the general public. It is information with no existing local, national or international legal restrictions on access or usage. Public Data, while subject to University disclosure rules, is available to all individuals and entities both internal and external to the University. While the requirements for protection of Public Data are less than those for Restricted and Limited Access Data, sufficient controls must be maintained to protect data integrity and to prevent unauthorized modification or destruction. Examples of Public Data include but are not limited to: data on websites intended for the general public, course listings, press releases, marketing brochures, university maps, and annual reports. Typically, we do not protect Public Data with NPPI restrictions or protections, nor are individuals required to register as a data custodian for the use of Public Data. If Public Data has been used to create new information that has value, then that information should be protected by centrally storing it on our systems at the Bloustein School.
A data custodian is anyone who has access to, stores, transmits, or uses NPPI at the Edward J. Bloustein School of Planning and Public Policy. This includes restricted data and limited access data that is being protected as restricted data for the purposes of grant requests or in order to provide better protection on that data.
SECTION II – Policy
Members of the Edward J. Bloustein School of Planning and Public Policy community are required to know what constitutes NPPI. In addition, if an individual meets the criteria for being deemed a data custodian, that individual should:
- Register as a data custodian with the Bloustein School by completing the form that accompanies this policy and submitting it to the Information Technology Services office. All registered data custodians will be included in a database for tracking sensitive information usage at the Bloustein School. Anyone who meets the criteria of a data custodian whether an employee, student, or affiliate member must register immediately upon becoming a data custodian.
- Maintain NPPI in a dedicated, centralized, and secured location.
- Electronic information should only reside on dedicated file servers (networked drives) within the Edward J. Bloustein School of Planning and Public Policy environment.
- Hard copy information should be stored in locked drawers or filing cabinets when it is not being used. When such sensitive information is being used, the material should not be left unattended, nor should any such information be left in a room that is unlocked. The information should not be left outside of its primary storage location overnight.
- Not store electronic NPPI on local systems, portable systems, portable devices, or systems being used for remote access to the Edward J. Bloustein School of Planning and Public Policy networks.
- Not store or transfer NPPI using university or personal email accounts.
- Not transport hard copy NPPI outside the confines of the school or center in which it is being held.
- Not publish NPPI to web sites or any internal or external file sharing systems other than the dedicated Edward J. Bloustein School of Planning and Public Policy file sharing servers. This includes file sharing systems like Dropbox and replication systems like iCloud.
- Not take any NPPI with you should you no longer be employed by, or no longer be associated with the Bloustein School.
- Appropriately discard unused/unnecessary NPPI as soon as possible by complying with the procedures outlined below under “Secure Removal and Disposal of NPPI.”
- Notify Information Technology Services or the Business Services Office immediately if there are any possible threats related to the compromise of NPPI. This includes any security threats to computer systems using NPPI. For hardcopy information, this includes any possible breach of physical security at the locations where NPPI is stored.
- Not remotely access NPPI on the secure servers at the Bloustein School through a VPN connection if they have any suspicion that the machine being used to connect to the information is infected with malware, spyware, or a computer virus.
Should it become necessary to store NPPI outside the parameters set forth in this policy, an exception request must be completed by the appropriate data custodian and, where necessary, be approved by the Dean’s office prior to the data leaving the School as listed below. This provision allows the Dean’s office to provide the requestor with advice on best practices for ensuring additional security measures are taken to protect the sensitive information.
- For electronic data, when accessing or storing data on any system other than the file servers within the Bloustein network, or transferring such information to individuals outside the Bloustein School, submit the form to the Information Technology Services office.
- For hard copy material that is transported outside the normal storage area or that cannot be secured, submit the exception request form to the Business Services Office.
Data custodians are responsible for storing all sensitive information on the designated systems within the technical environment of the Edward J. Bloustein School of Planning and Public Policy. The protection of these systems and the associated internal networks is the responsibility of the Information Technology Services staff of the Edward J. Bloustein School of Planning and Public Policy. If an individual is using sensitive information based on an exception request, then that individual is responsible for the safety and security of that data. Data custodians are expected to notify Information Technology Services or the Business Services Office immediately if any threats arise that may jeopardize the security of NPPI. It is also expected that any individuals acting under an exception request will adhere to any additional security-related procedures recommended by the technical and business staff of the Bloustein Dean’s office.
Should an individual associated with the school but not employed at the school become responsible for NPPI, he or she must register as a data custodian. The responsibility of notice in this regard will fall upon the area director or the principal investigator for grant related research. For centers this will be either the faculty director or the staff executive director.
Proactive Restricted Data Discovery Processes
The Information Technology Services unit of the Edward J. Bloustein School of Planning and Public Policy will use scanning tools to proactively identify Restricted Data that resides on systems within the organization and to ensure that it is adequately protected. These scanning tools will be used on a regular basis, and any Restricted Data that is discovered will result in communication with the owner of the data to confirm that the data should be stored in its current location, that it is adequately protected, and that the individual is properly registered as a data custodian. Similarly, the Business Services Office will periodically conduct in-person audits for hardcopy Restricted Data.
Secure Removal and Disposal of NPPI
Any system that houses NPPI requires special attention prior to its disposal. Specifically, NPPI will need to be securely removed so that there are no traces of that data left on the existing system or device. When such a device needs to be disposed of, the Information Technology Services staff at the Edward J. Bloustein School of Planning and Public Policy should be contacted to provide assistance with securely deleting such information through drive sanitization processes. This includes computers, copiers, fax machines, and portable storage devices.
Sensitive information in hardcopy form should be destroyed once it is no longer deemed necessary under school-wide and university-wide records retention policies. Hardcopy sensitive information should be cross-cut shredded prior to disposal. Unnecessary NPPI should remain in a locked filing cabinet or desk until it is shredded. In addition, any credit card information recorded for the purposes of processing a transaction should be destroyed immediately after completing the transaction.
All members of the Edward J. Bloustein School of Planning and Public Policy are required to complete an online information security awareness training session and take a quiz associated with that training. If an individual scores below 85 percent in the training, an in-person training session will be required. In addition, individuals will be required to take this training at the beginning of their employment with the school and at least once every three years thereafter. These training requirements are also applicable to any registered data custodian whether he or she is part of the school or not.
Policy Modifications or Updates
This policy will be reviewed and modified or updated as necessary or if any major security issues arise related to the use of NPPI. This policy will also be reviewed annually and updated based on any relevant changes to the technical environment.
Last Revision Date: November 2013
To: Bloustein School Faculty and Staff Members
From: James W. Hughes, Dean
Re: Shared Responsibility in the Protection of Non-Public Personal Information
As you are undoubtedly aware, there has been a large increase in the number of cyber-attacks throughout the United States. The Bloustein School is not exempt from these potential threats. As part of a university-wide effort, Rutgers University’s Internal Audit Department recently reviewed the Bloustein School’s security policies and procedures and recommended that because the school has a large number of researchers using sensitive human data, we must take measures to ensure the confidentiality, integrity, and availability of this data. With over $30 million in research work – much of it dealing with human data – being conducted at any one time, the Bloustein School is viewed as a prime unit (along with several other academic units) to implement such a policy. In this regard, the university is requiring that all units and individuals employed or affiliated with the university safeguard non-public personal information (NPPI), including such data as social security numbers, financial and health information, and driver’s license numbers.
To assist researchers in the school to safeguard NPPI, we are doing the following:
- Providing a self-reporting form to assist the school in identifying which faculty, staff, and students work with NPPI and whether such data is in paper or electronic form
- Developing on-line instruction with guidance on how to safeguard NPPI
- Performing periodic audits, beginning with those centers, faculty, and staff who work with such data. Audits would include electronic scanning of computer hard drives and the network for strings of data that would identify the existence of unprotected social security, credit card, or driver’s license numbers. Audits would also include offices where paper copies of NPPI are used.
The full policy, reporting form, and other relevant information are available on the school’s website at the following link: www.bloustein.rutgers.edu/nppi
The intent of this policy is to minimize access or manipulation of sensitive information by unauthorized individuals and ensure the confidentiality and integrity of this information while making it available to those who need it for administrative, instructional, or research-related functions.
You will be hearing further from Martin O’Reilly and Sharon Fortin-Kramer on details of implementation. They would also appreciate hearing from any faculty or staff members interested in volunteering to serve on an advisory committee on protecting NPPI in the school.
I appreciate your cooperation in advance, and am happy to answer any questions you may have regarding this policy and its implementation.
Community Members Responsibility
Dean’s office responsibility
- Office of the Dean
  - Promote the importance of protecting NPPI through an annual (November) dissemination of the School’s NPPI policy.
  - Provide mandatory online instruction to all faculty and staff, and any student or research assistant who is involved in any research/business that includes NPPI.
- Information Technology Services
  - Securely maintain a database of NPPI “data custodians” for the School.
  - Provide in-person instruction and guidance where necessary or requested.
  - Perform electronic scanning for the existence of unprotected NPPI.
- Business Services
  - Provide information on protecting NPPI in new employee orientation.
  - Perform periodic audits of physical space (office, storage facilities, etc.) to ensure NPPI is stored in locked cabinets behind locked doors and is properly disposed of when no longer required for research or normal business. Sharon Fortin-Kramer and Fran Loeser will be tasked with NPPI audits of physical space.
Center/Program Directors’ responsibility
- Promote the importance of protecting NPPI.
- Identify the NPPI users associated with their areas of responsibility on an annual basis and whenever individuals (faculty, staff, students, and other contingent participants) become responsible for NPPI material.
- Be cooperative with the individuals responsible for NPPI inventory and periodic audits.
Principal Investigator responsibility
- As endorsement forms for new grants/contracts are completed, identify the use of NPPI using the existing “Additional Information Needed Relating to Proposed Research” form.
- Be cooperative with the individuals responsible for NPPI inventory and periodic office/desk audits.
- Register as a “data custodian” should NPPI be accessed or used. All faculty, staff, and students who are employed by the School or who participate in any activity that requires the use of NPPI must register as a data custodian with the dean’s office.
- Familiarize yourself with related University and School policies and other sources of information, and handle NPPI as prescribed for “data custodians.” The relevant policies are:
  - Edward J. Bloustein School Non Public Personal Information Use Policy
  - University Information Protection and Security
- Participate in the mandatory online instruction provided by the school. This includes all faculty, staff, and any student who may come in contact with NPPI.
- Maintain NPPI according to the policies of the school and the university.
- Be cooperative with the individuals responsible for maintaining NPPI inventory and performing periodic office/desk audits.
- Notify Information Technology Services or the Business Services Office immediately if you are aware of any possible threat related to NPPI.
Sign Off Form
Employee Agreement & Data Custodian Registration Form (Please contact the EJB Information Technology Services office for the link to the current form)
Training is provided on the KnowBe4 security awareness training platform. Users who register as data custodians, or who are onboarding to positions using sensitive data will receive information on the required training.