Data Management Practices for PII

In general, the best way to protect PII is not to have it in the first place. Overarching data management practices for individuals who work with this type of information are:

  • Securely delete PII when there is no longer a business need for its retention on computing systems. Candidates for deletion include:
    • Drafts and old versions
    • Extra copies of files
    • Old emails and attachments
    • Anything that you no longer need for which you're not the office of record
    • Anything with Social Security number (SSN), if there isn't a legitimate business need for its retention.
    • Data that has exceeded its required retention period.
  • Always shred or otherwise destroy PII before disposing of it.
  • Truncate or de-identify PII that you must retain whenever possible.
  • Protect all intact PII that you must retain by only storing it on protected network drives. Encryption can dramatically reduce the risks associated with stored PII.
  • Restricted data, including PII, must be always encrypted during transmission.

UMass Chan data stewards with primary responsibility for the existence of PII are responsible for the security and use of that data in original systems as well as any downstream locations where the data may be sent. This includes ensuring appropriate education and training for employees with access to PII.