Personal Confidential Information

Recommended By
Administration and Finance
Ruben Armiñana, President
Issue Date
Tuesday, August 16, 2005
Current Issue Date
Tuesday, August 16, 2005
Effective Date
Tuesday, August 16, 2005
Contact Office
Information Technology
Policy number
  1. Purpose 
    The purpose of this policy is to ensure proper handling of personal confidential information (PCI), to adhere to state and federal laws, and to comply with CSU policies. The consequences of inappropriate handling of personal confidential information can be detrimental and expensive to individuals and the university.
  2. Policy 
    Sonoma State University employees must have approval from the Information Security Officer (ISO) to keep PCI, as defined below. To request approval, send an email to describing the need. The ISO will validate and document the requirement and, working with Police Services and SSU/IT User & Workstation Services, provide guidelines for handling this information.
  3. Personal Confidential Information 
    Personal Confidential Information is defined as a person’s name in combination with any one or more of the following:
    1. Social Security number
    2. Driver license number or California identification card number
    3. Bank account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
    4. Medical information.
  4. Partial List of Guidelines
    1. Electronic PCI must be encrypted as specified by SSU/IT when not in use or on central SSU/IT servers.
    2. PCI must not be emailed or transferred unencrypted across shared networks.
    3. Computers with PCI must adhere to SSU’s “Computer & Network” official policy.
    4. PCI (whether in electronic or other form) must be kept in a physically secure environment. Paper-based PCI must be kept in a locked, physically secure storage. Laptop computers must be locked down. Unattended offices must be locked to ensure the physical security of computers with access to personal confidential information. Computers must use a password protected screen saver to prevent unauthorized access when unattended.
    5. Data files with PCI must be purged from computers after a three-year retention.
    6. Removable media, such as CDs, thumb drives, etc. containing Personal Confidential Information must be handled and stored in a secure manner.
    7. Any suspected loss of Personal Confidential Information must be reported immediately to both the Campus Police and the Information Security Officer.
    8. Exceptions to the guidelines must be documented and approved by the Information Security Officer.

Updated August 16, 2005 by