Protecting Personally Identifiable Information (PII)
A colleague in a district far, far away asked me to write up some advice to campus webmasters, and the following is the result. The problem? Apparently some of the campus folks were sharing personal information about themselves and there was concern that could be used against them. My colleague didn't quite know how to craft the letter, so asked me to help out. The main challenge involved stopping unnecessary sharing of info without "shutting them down."
To get in the right frame of mind, I did a quick Google search and relied on the National Institute of Standards and Technology's Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) by Erika McCallister, Tim Grance, and Karen Scarfone and published by the U.S. Department of Commerce (Special Publication #800-122).
Let me know what you think...over the top? Too obvious? Impractical? I certainly welcome feedback, constructive criticism. It may be that my colleague will read your remarks with keen interest.
To: Campus and District Webmasters
Re: Unnecessary Display of Personally Identifiable Information on Web Sites
Preventing the unnecessary display of personally identifiable information (PII) on web sites is a priority for the SCHOOL DISTRICT. The unnecessary display of PII on district/campus web presences may harm individuals by leading to identity theft or embarrassment, or by making them the target of social engineering. This weekly memo 1) provides an overview of what unnecessary PII is and 2) offers specific guidelines you should review with your staff about protecting against the publication of personally identifiable information online via the Internet and elsewhere.
WHAT IS UNNECESSARY PERSONALLY IDENTIFIABLE INFORMATION?
To better protect SCHOOL DISTRICT staff, campuses and departments should avoid public displays of personally identifiable information that is not appropriate for a professional setting. Examples of these include--but are not limited to--the following:
1. Names, such as nicknames, maiden name, mother’s maiden name, or alias.
2. Personal identification numbers, such as social security numbers, passport number, driver’s license number, taxpayer identification number, financial account or credit card number.
3. Home mailing address information, such as street address or personal email address.
4. Your years of marriage, the name of your spouse and/or children, as well as relatives.
5. Date of birth, place of birth, race, religion, weight, activities, geographical indicators, medical information, financial information.
Do not post this information for any individual staff member--or student as defined in the Family Educational Rights and Privacy Act (FERPA)--on the Web.
SPECIFIC GUIDELINES ABOUT PERSONALLY IDENTIFIABLE INFORMATION
Campuses and departments often choose, as an organizational group, whether to post staff photographs online. This kind of decision should be made as a campus. Information that may be shared online via a staff web page includes the following:
A professional photograph of the staff member.
The name of the staff member as it would be used with other professional staff, students and parents.
The work email address of the staff member as it would be shared with the campus/department community.
The phone number of the organization where the staff member works.
A mission statement for the organization or instructional resources appropriate for the audience (e.g. staff, students).
As a general recommendation, you are encouraged to discuss what information would be appropriate as a group. If you have questions, please don't hesitate to make contact.