Safeguarding Personally Identifiable Information (PII)

PII is information that, if discovered or inferred, would allow for the identification of the individual(s) to whom the information belongs. PII includes, but is not limited to, SSNs, driver’s license numbers, names, addresses, telephone numbers, email addresses, geographic indicators, birth dates, credentials, passports, government IDs, biometrics, University IDs / N#, etc. Additionally, NYU PII generally falls into four buckets: health, financial, educational and research data.

Because the loss of PII can be extremely detrimental to individuals and to NYU, there is a responsibility to protect it from exposure, loss and misuse. Therefore, only NYU employees and contractors with a need to know, in their assigned job duties and functions, should have access to PII. It’s the responsibility of each individual with access to safeguard PII and to refrain from negligent or careless conduct.


Some “Dos & Don’ts” for Handling PII

Do's

  • Secure PII when you step away from your work area by locking your screen and securing any paperwork containing PII
  • Use a privacy screen in public areas when using your computer and viewing PII data
  • Use NYU Box or Google Drive (Team Drive within a team) to store and transmit PII
    • The data classification determines whether to use NYU Box vs. Google Drive
    • For a review of how data in the different risk categories should be stored and shared, see NYU’s File Storage Services Comparison and NYU’s Data and System Security Policy
    • Make sure your sharing permissions are correctly set, and revoke access when the access of others is no longer required
    • Use Google Team Drive and limit access to only the team that will work with the data
  • Remember that with respect to HIPAA data, even chatting about PII or EPHI is restricted
  • Use a well-reviewed password manager to store and create passwords
    • Download from a trusted source only, such as Google Play or the App Store
  • Confirm that employees who are off-boarded have their access revoked

Don'ts

  • Email PII, which is Medium & High Risk data. For information on how to classify data, see the Electronic Data and System Risk Classification Policy
  • Share Medium and High Risk data with individuals who are not authorized to view it
  • Transmit PII using Google Chat or SMS text messages
  • Store High Risk data on personally owned machines or remote third party cloud storage systems other than NYU Google Drive or NYU Box
  • Give PII or IAM data access to individuals who do not have a need to know, including groups such as Torch Tech and other Google or email groups
  • Screen capture PII
  • Take photos of PII
  • Share PII on speakerphone calls
  • Share passwords or save them to a browser
  • Leave hard copies of PII unattended on copiers or printers
  • Share PII in mailing lists or systems that act like mailing lists, e.g. Google Groups

Additionally, please see NYU’s Policy on Personal Identification Numbers for specific guidance on how to use, display, store, retain and dispose of this information.