UC Davis Information & Educational Technology

UC Davis Cyber-Safety Program: Personal Information

If you are a computer user within an academic or administrative department on campus, you may have a Technology Support Coordinator (TSC) who is working to secure your system. Before taking any of the security steps listed below, please check with your TSC.

From the UC Davis Cyber-Safety Program Policy:

"Campus units must identify departmental computing systems and applications that house personal information (personal name along with Social Security number, California driver identification number, financial account information, health insurance information, or medical account information). Personal information must be removed from all computers for which it is not required. If the personal information cannot be removed from the computing system, the campus unit must develop a plan specifically outlining how the information and systems will be kept secure. Measures to protect the information could include removing several digits from the personal identifiers, moving the files to removable media and storing this media in a secure location apart from the computer, or encrypting the personal information.

Campus units providing electronic personal information as defined above, to any private party must do so by formal agreement. The agreement must include a provision that the party receiving the electronic personal information will abide by these data standards. A formal agreement is not necessary with governmental agencies that receive electronic personal information. However, campus units are encouraged to discuss the privacy and security requirements pertaining to the shared data with these agencies to ensure similar standards of compliance.

Campus units that develop network-based applications that host personal information must use secure application coding practices (see Web Application Security Standard within Level 2 Security Practices)."

Learn about Personal Information and Identity Theft | Back to Cyber-Safety Main

Information...

What is personal information?
Personal information includes your name, Social Security number, driver's license number and financial account information. The California Civil Code, Section 1798, establishes notification requirements if there is reasonable belief that an unauthorized party has acquired such personal identity information.

Other federal, such as HIPAA and FERPA, extend additional privacy protection for health and educational information, respectively.

In addition, section 320 of the campus policy and procedure manual defines policies for record privacy and access.

Why is this important?
With identity theft becoming increasingly more common, and the compromise of personally identifying information at educational institutions, large corporations, and information clearinghouses on the rise, safeguarding this valuable information is vital.

Removing personal information from computer systems reduces the chances that this information will be compromised if a system is hacked or stolen. Even if a system that houses this information is compromised, the use of encryption and removable media is a further guarantee this information will not be accessible or useful to identity thieves. Because data is frequently passed around in departments and users who possess personally identifying information may not even realize it exists on their computers, an annual review of all data contained on file servers, desktop computers, laptop computers, network storage drives and electronic drives is prudent for all campus units.

The campus recommends using Cornell Spider or Powergrep on a quarterly basis for computers running Windows operating systems to perform the discovery and reporting of personal identity information. Use of these two tools to enhance the security of personal identity information has been interpreted by campus legal counsel to be consistent with UC Davis privacy policies. To prevent the accidental release of this data when a computer is sent to salvage, transferred, or sold, the use of disk wiping software is also encouraged.

What is UC Davis doing to protect me?
Campus units have been encouraged to protect personal information by removing it from systems unless absolutely necessary and by increasing security on systems containing restricted data (see http://directives.ucdavis.edu/2006/06-116.cfm). Several tools, including Cornell Spider and PowerGREP are available to help find certain types of data.

In the event that the personal information cannot be removed, Pointsec encryption software is available to help the campus community protect restricted data.  For additional information about Pointsec encryption, visit http://security.ucdavis.edu/encryption.cfm.

Tools and Resources...

Campus sysadmins recommend...