Contact Info

Help Desk

Cybersecurity

Information Technology

Protecting Sensitive Information

Aims Community College is committed to protecting the privacy and security of personal information entrusted to us by our students, faculty, colleagues, alums, donors, and community. Protecting sensitive information is a shared responsibility. You are responsible for ensuring that you handle sensitive information in a way that complies with laws, regulations, and policies where applicable.

Please refer to Aims' Acceptable Use of Information Technology procedure and referenced Data Classification Standards for additional information on the requirements for protecting information of various sensitivity levels and permitted services.

Personally Identifiable Information (PII)

Data that could be used to identify a particular person is considered to be personally identifiable information, or PII. This type of data is of the utmost importance to protect as a disclosure of PII could cause harm to the victim and the College. PII is regulated by state and federal regulations due to these risks.

Examples of PII include, but are not limited to, a first name or first initial and last name in combination with any one or more of the following data elements that relate to an individual:

Social security number
Student, employee, military, or passport identification number
Other indirect identifiers such as date of birth, gender, race, ethnicity, or nationality
Driver's license number or identification card number
Medical information
Health insurance identification number
Biometric data
Photos, videos, and voice recordings
Financial information

The following are also considered PII:

A username or email address, in combination with a password or security questions and answers, that would permit access to an online account
An account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account

Tip
The best way to protect PII is not to have it in the first place. If PII is a requirement of your business process, ensure that you are taking the appropriate steps to protect it.

FERPA Directory Information

Directory information is student data contained in education records that would not generally be considered harmful or an invasion of privacy if disclosed. Student data that is not classified as directory information may only be released with proper consent.

The following data is identified as directory information by Aims Community College:

Student Name
Enrollment Status (E.g., Full Time, Three-Quarters Time, Half Time, etc.)
Dates and Terms of Enrollment at Aims Community College.
(This does not include individual course attendance.)
Major Fields of Study.
Degree(s) and/or Certificate(s) Earned.
Honors or Awards Received

FAQs

Please refer to Aims’ Acceptable Use of Information Technology procedure and referenced Data Classification Standards. If the data or service is not listed, please contact cybersecurity@aims.edu.

No. These services are not approved for PII.

Please report it to cybersecurity@aims.edu and remind your colleague that PII is not permitted in the service.

Yes. PII should be removed from any service where it is not permitted.

Documents containing PII should only be retained if they are currently essential to performing the duties of your employment. If the documents must be retained, it must be stored in a locked file cabinet or desk drawer.

Paper or electronic documents containing PII must be properly disposed of or destroyed when it is no longer needed unless otherwise required by state or federal law or regulation.

Utilize a document shredder or a vendor that provides secure onsite shredding. For either option, you must be able to observe that all documents have been properly and securely shredded.

Please get in touch with your department admin if you need help finding a shredder or vendor to perform secure onsite shredding.

Advise the sender that email is not approved for sending PII and delete the email from your inbox.

Visit the FERPA FAQ page for additional guidance.

Aims is required by law to ensure that third-party service providers implement and maintain reasonable security procedures and practices appropriate to the nature of the PII shared with the third-party service provider. To facilitate this, prospective vendors must complete the Aims Vendor Security Risk Assessment, and it must be approved by the Registrar (when student data will be shared) and Information Security. This shall be completed prior to procurement or before any institutional data is shared with the service. The Aims contact listed on the assessment submission will receive an email notification after each reviewer has completed their assessment and decision.

Various laws and regulations regulate the protection and handling of PII. They include, but are not limited to:

Family Educational Rights and Privacy Act (FERPA)
Colorado’s Data Breach Notification Law (HB 18-1128)
Gramm-Leach-Bliley Act (GLBA)

Contact Info

Related Links

Related Resources

Protecting Sensitive Information

Personally Identifiable Information (PII)

FERPA Directory Information

FAQs

What systems are permitted for sensitive information including PII?

Can PII be in email, calendar, Slack, or other messaging services?

What should I do if a colleague uses PII in an unapproved service?

Should I remove PII in unapproved services?

How should I store physical documents containing PII?

How long can, or should, PII be retained?

How should I dispose of physical documents containing PII?

What should I do if I receive an email containing PII?

How do I best protect student academic information?

What if I share PII with a third-party service?

What laws and regulations mandate how PII is managed and protected?