301: Personal Information Privacy

Information Security Policies & Procedures Manual
Section 300: User and Personal Information Security
Effective: 01/11/2010

Purpose

The purpose of this policy is to establish clear guidelines for handling specific data elements which pose a risk of Identity Theft to our community members, should those data elements be compromised through unauthorized access due to a breach of security. These data elements are generally used in conjunction with other information, such as full name, which may constitute enough information to establish credit or perpetrate other forms of fraud associated with Identity Theft.

Scope

This policy is applicable to all OSU community members including all employees, students, contractors, consultants, agents, and vendors working on OSU’s behalf.  It is applicable to all OSU Information Assets, regardless of form or media. It applies to information gathering, protection, use, processing, storage, communications, and transit.

Policy

Each element below merits extra protections beyond any baseline.

Social Security Number: All access and use at Oregon State University of the Social Security Number is prohibited except for meeting federal or state requirements, compliance and reporting.

VISA/Credit Card Numbers:  All access and use at Oregon State University of VISA/Credit Card numbers shall meet Procurement Card Industry (PCI) security standards and any system handling these numbers shall have a responsible party of record who will be accountable to the Director of Business Affairs for ensuring compliance. 

Bank Account Numbers:  All access and use of bank account numbers at Oregon State University is restricted to the following uses:

Business Affairs

Processing direct deposit transactions; both incoming and outgoing

Processing wire transfers

Department Personnel

Processing wire transfers – Paper copies of this data may be stored during the processing phase. They should be kept in a physically secure location with limited personnel access. Departments are prohibited from storing electronic copies of this data. Once verification of transfer is complete, the paper copy should be redacted or destroyed through an approved OSU confidential document destruction method.

Driver’s License Numbers and/or National Identification Numbers: All access and use of state or national Driver’s License and/or National Identification Numbers for Oregon residents at Oregon State University will be reported to the Chief Information Security Officer and all reasonable precautions will be taken to ensure the integrity and confidentiality of this information.

Under no circumstance shall Social Security Number, VISA/Credit Card Numbers, Bank Account Numbers, or Driver’s License/National Identification Numbers be stored in a non-redacted form on any portable electronic media including but not limited to laptops, flash drives, and CD-ROMs.

Procedures

Specific procedures for handling these elements will be defined by the Records Custodians for student records, employee data, and business transactions.

Responsibilities

All members of the OSU community have a responsibility to protect these elements and ensure that they are handled with the utmost care.  All efforts should be made to avoid the direct storage and use of these elements unless required by business need.

Records Custodians with student record, employee data, or business transactions responsibilities have a responsibility to ensure that those business needs that require handling these elements are limited to the employees required to handle this information and that reasonable controls and precautions to protect these elements are in place.