BEST PRACTICES FOR HANDLING SSN DATA OR OTHER PERSONALLY IDENTIFIABLE INFORMATION (“PII”)

  1. General -- Best Practices
  2. Review and follow relevant University Policy, particularly AD53 and ADG08. Policy highlights include:
  3. SSNs and PII fall under the restricted data category and access must be restricted and controlled to those with a need to know this information as required by his or her official Penn State duties.
  4. SSNs must be encrypted when they are stored or transmitted over a network. For guidance about how to email encrypted files using SecureDoc’s WinMagic Self-Extractor, see Appendix A.
  5. Do not store SSNs in any manner, any system or any medium without approved authorization from the Privacy Office. This includes any third party cloud storage services.
  6. SSNs should be stored on secure computers that meet the requirements of the University's Security Policies. See AD20 and AD23.
  7. Storage of SSNs on Penn State portable computing devices or any other mobile electronic device is strongly discouraged. If storage on such a device is unavoidable, the data must be protected with encryption. For additional information about encrypting data and devices, visit security.psu.edu/services/data-loss-prevention/encryption/.
  8. Any electronic departmental storage of SSNs (e.g., data available through shared network drives, local servers or PCs) must be encrypted. For additional information about encrypting data and devices, visit security.psu.edu/services/data-loss-prevention/encryption/.
  9. Off-line storage of physical records containing SSNs is only permitted if the Privacy Office grants authorization.
  10. Safeguarding SSNs and/or PII while in the Office
  11. Physically secure SSNs and/or PII (e.g., in a locked drawer, cabinet, desk or safe) when not in use or not otherwise under the control of a person with a need to know.
  12. Store SSNs in a space where access control measures are employed to prevent unauthorized access by any person without a need to know (e.g., a locked room or floor or other space where access is controlled by a guard, cipher lock or card reader).
  13. Never leave SSNs and/or PII unattended on a desk, printer, fax machine or copier.
  14. Use a privacy screen if you regularly access SSNs or PII in an unsecured area where those without a need to know or members of the public can see your screen, such as in a reception area.
  15. Lock your computer when you leave your desk.
  16. Do not permit your computer to remember passwords.
  17. Never share your password(s) with anyone.
  18. Avoid discussing SSNs and/or PII in person or over the telephone when you’re within earshot of anyone who does not need to know the information.
  19. Only discuss SSNs and/or PII using a speakerphone or video teleconference when you are in a location where those without a need to know cannot overhear.
  20. SSNs and/or PII are most securely discussed in an office or conference room behind a closed door.
  21. Remember that some places that seem private can pose a risk for unauthorized disclosure. Conversations are easily overheard between cubicles.
  22. Never transfer files to your home computer or personal storage devices.
  23. Never upload files to your personal cloud storage accounts, email accounts or websites.
  24. Never print University records, containing SSNs and/or PII, on your home printer.
  25. Never browse files containing SSNs or PII out of curiosity or for personal reasons.
  26. Keep computer desktops / virtual machines clean, free of SSNs and PII.
  27. Run IdentityFinder regularly. For guidance, visit security.psu.edu/2010/09/14/identity-finder-penn-state/.
  28. Regularly clear downloads folder / regularly delete contents of downloads folder.
  29. Routinely empty desktop recycling bin.
  30. Minimize proliferation, duplication and dissemination of SSNs and PII by any means, electronic or paper.
  31. Only print, extract or copy documents containing SSNs and/or PII when the risk is justified by an official need that is not easily met using other means.
  32. Only share SSNs and/or PII if the recipient’s need for the information relates to his or her official Penn State duties.
  33. Do not create unnecessary or duplicative collections of SSNs and/or PII, including information stored on backup servers, network drives, your desktop or paper files.
  34. Be reluctant to scan or copy documents containing SSNs and/or PII.
  35. Before scanning, emailing, printing or making paper copies, redact SSNs or PII that are not necessary for your immediate use or for a recipient to see.
  36. Securely destroy any data, documents or records containing SSNs and/or PII when they are no longer needed; refer to AD35 for guidance about retention as needed.
  37. Paper records may be securely destroyed by utilizing shredding services.
  38. Recycling of paper records containing SSNs or PII is prohibited.
  39. Electronic information may be securely destroyed using secure individual file deletion or secure disk wipe utilities.
  40. W9s
  41. General
  42. W9s contain SSNs or TINs/EINs.
  43. Collect W9s directly from the individual when possible.
  44. If someone sends you a W9 in an unprotected manner, once you receive it, you must protect it in the same manner as all SSN data Penn State handles.
  45. Securely dispose of or delete any unprotected W9s that were sent to you by an outside party.
  46. One office should be the repository of the W9s, but if an official university record is being stored by a unit/department they can keep the file contents provided they are protected per the requirements of University policy/practices when such record contains PII.
  47. Contact the Privacy Office () for authorization to store W9s in any medium, including any third party cloud storage services.
  48. In Paper Form
  49. Do not take W9 paperwork from your work area unless appropriately secured.
  50. Paper documents containing SSNs and/or PII must be under the control of an employee or locked in a secure file drawer when not in use.
  51. Never leave paper copies of W9s unattended or unsecured.
  52. In Electronic Form
  53. W9s should only be accessed via Penn State equipment. Use of personally owned computers, devices, equipment and services to access, save, store or host W9s is strongly discouraged. This does not apply to incoming email from those external to PSU.
  54. Only store W9s on authorized systems and devices with approved security controls.
  55. Transmission -- Best Practices
  56. Email
  57. Encrypt all attachments if sending SSNs and/or PII via email internally within the University or externally to outside parties. Provide the password separately. For guidance about how to email encrypted files using SecureDoc’s WinMagic Self-Extractor, see Appendix A.
  58. Never include SSNs and/or PII in the subject line of any email or as an identifier.
  59. Delete any email containing SSNs and/or PII immediately after transmitting/viewing/obtaining document(s).
  60. Empty deleted items folder in Outlook to ensure you are not storing any SSNs and/or PII.
  61. Interoffice
  62. Consult your supervisor about your office’s accountable interoffice mail procedures.
  63. Alert the recipient that a document(s) containing SSNs and/or PII is being sent via interoffice mail.
  64. Verify the recipient received the information.
  65. Whenever possible, hand deliver the document(s) directly to the recipient in person.
  66. Fax
  67. Avoid sending SSNs and/or PII by fax if at all possible.
  68. If possible, scan and then encrypt the document(s) and email it.
  69. If SSNs or PII must be sent by fax, first, alert the recipient to arrange for receipt of the fax.
  70. Use a fax cover sheet to ensure privacy.
  71. Never include SSNs and/or PII on a fax cover sheet.
  72. Double check the fax number after entering it and before sending the fax.
  73. Confirm the fax was received by the intended recipient or ask the recipient to verify receipt.
  74. Require any unintended recipient to destroy everything faxed to them in error.
  75. Note: All Multi-Function Printers (MFPs) with a hard drive acquired under the Ricoh campus agreement have the DataOverwriteSecurity System (DOSS) module. It is to be enabled at install and should remain enabled for the life of the machine. If a device with a hard drive is obtained outside the Ricoh campus agreement, the ability to securely overwrite the hard drive should be enabled.
  76. Outgoing Mail
  77. For mailings containing a small amount of SSN and/or PII data, such as those directed to an individual and containing only his or her own information:
  78. Seal SSN and/or PII materials in an opaque envelope or container.
  79. Mail using U.S. Postal Service’s First Class Mail, Priority Mail or an accountable commercial delivery service (e.g., UPS or FedEx).
  80. For large data sets, database transfers, backup tape transfers or similar collections or portfolios of SSNs and/or PII:
  81. Encrypt data (if possible) and use a receipted delivery service (i.e., Return Receipt, Certified or Registered mail) or a tracking service (e.g., UPS or FedEx) to ensure secure delivery is made to the appropriate recipient.

Appendix A

This appendix will outline how to encrypt sensitive data using SecureDoc’s WinMagic Self-Extractor. This tool is free for use on all University owned systems. The person on the receiving end of the data can decrypt the sensitive data without needing to install the application. The recipient can be internal or external to Penn State.

Section 1 – Downloading and Installing the Self-Extractor (Note: this only needs to be completed one time.)

  1. Using a web browser, navigate to You will need to log-in with WebAccess if you are not already logged in to a Penn State web resource.
  2. Find and expand the Security Tools section. In the list you will find “WinMagic Self-Extractor”. Click the link to the right of it that says “Windows”.
  3. On the next page, towards the middle left of the screen you will see “Version: 1.0” as a link. Click that and save the downloaded file to an area you can access. (Note: To install Self-Extractor Application you will need to contact your local IT/system administrator.)
  4. When the download finishes, double click the file to install the Self-Extractor Application.
  5. When you are prompted by the install wizard, you will click the following to complete the installation:
  6. Next, Install, Finish.
  7. The Self-Extractor is now installed. Proceed to section 2 for day to day tool usage.

Section 2 – Day to day tool usage

  1. Using the Windows start menu or home screen, navigate into the SecureDoc Self-Extractor folder and then click “SecureDoc Self Extractor”.
  2. The below screenshot breaks down how to navigate the tool’s interface:

Send

  1. Send the resulting file from the “create” button to the destination.
  2. Once you provide them the password, they will simply double click the file, enter the password, and the data will be extracted back to plain-text.