Dear Curry School Colleagues:

Some types of materials containing SSN or credit card information on employeecomputers include:

  • EWPs
  • W-2’s
  • Grant applications (successful and unsuccessful)
  • Invoices for work performed
  • Hiring decision documents
  • Faculty performance evaluations
  • Account # with collection documents
  • Employee role changes
  • Pay Action requests
  • Faculty salary recommendations
  • Worksheets for classified staff salary adjustments
  • Purchase requests
  • Other HR docs
  • Personal travel reimbursements and requests
  • Credit score data from ITC sponsored credit monitoring
  • Vendor software invoices with credit card information

Many of these documents are considered permanent or semi-permanent records under the State Public Records Act or University policy. For example, most personnel records are to be kept for a period ranging from three to fifty years from the date an employee leaves state employment. Successful grant applications, and many procurement or financial records are to be retained for substantial periods determined by the granting agency (sometimes up to fifty years) or the state’s complex records schedules found at:

For many of these records, simply deleting the SSN from the permanent record is not appropriate as the SSN may serve as the only reliable identifier of the individual in question. However, maintaining electronic versions of this information is not allowed under University policy and is not good practice in a world beset by identity theft. Given the diversity of materials found by many of you, I think the simplest course is to ask all of you to:

  • Review any computer files that are tagged as including prohibited confidential information.
  • Make a paper copy of any final non-draft, non-trivialHR or personnel documents, financial or procurement documents, or other records that document important processes or transactions, unless you are confident that an appropriate department (such as University HR) already has a copy of the record.
  • Err on the side of inclusion, but do use your judgment—you do not need to keep everything, and you do not need to keep a duplicate of a record that you know is already stored elsewhere.
  • Protect your own confidential information that may be stored on your computer as a result of reimbursement requests, purchases, etc.
  • You should now delete all confidential information from all your personal computer files as directed by the ETO.
  • If you have questions, feel free to contact the Educational Technologies Office at 924-7086.

Procedure to scan MacOS computers with Identity Finder

Note: An Identity Finder scan may take several hours to run. We recommend starting the scan at the end of the day and letting it run overnight. It might also take several hours to review the scan results. Please schedule time the next morning to review and remove any sensitive data found.

  1. Before starting please review these instructions, including the informationabove on record retention.
  2. Install Identity Finder on your MacOS system from


After downloading the program, please install Identity Finder for Mac if it does not automatically install.

Note: If asked to update Identity Finder, say NO. UVa's version of Identity Finder has been configured for the University's computing environment. Do not upgrade Identity Finder from the vendor's website as this will reset these configurations, causing problems.

  1. Identity Finder requires that you set a profile password to protect any personal information found. Remember the password you choose.
  2. From the Identity Finder menu choose Locations, Files, File Locations, Custom
  1. On the Folder line enter

/Users

and click the Add button

  1. Click OK.
  2. To begin your scan click the green button labeled Start on the upper left hand side of the page.
  3. A Status window will appear. This means your scan has been started.
  4. If thescan will be running overnight set “Put the computer to sleep when it is inactive for:” to Never under Energy Saver in System Preferences and then lock your screen. Otherwise continue.
  5. When the scan completes save your scan results by clicking File, Save in Identity Finder. The saved file will contain identity match information. Resave the file any time during the following steps and you will be able to pick up where you left off.
  6. If you need to resume working from saved results, open Identity Finder, click File, Open, and browse to your saved results file. Your saved results will open and you can resume working.
  1. After a completed scan the left pane of the main Identity Finder page shows which documents have been identified as potentionally containing “Sensitive Data” (such as SSN, Credit Card or Bank Account).When a document in the left pane is selected, the right pane highlightsthe suspected Sensitive Data.

  1. Select (single left-click) the first file in the left pane and preview the document in the right pane. Determine if the document contains Sensitive Data (such as SSN, Credit Card or Bank Account).
  2. You must take one of the following actions for every document listed in the left pane:
  3. Files that have been erroneously ID’d should be marked as “IGNORE” in the program: With the target file name highlighted in the left pane, Select the IGNORE buttonfrom the top toolbar, then click on This Item Location and the file name will be removed from the results list and all future results.
  4. Files that DO contain Sensitive Data need to be examined further. Refer to information above for specific advice on retaining documents for the State Public Records Act or University Policy by creating a permanent or semi-permanent paper copy of any important documents.
  5. After any necessary paper copies have been created you need to decide whether to securely delete the electronic file or keep the electronic file but edit it to remove sensitive data.
  6. To securely delete the electronic file: Press the SHRED button from the top toolbar. This will ensure that the entire document is securely erased.
  7. To keep the electronic file but edit it to remove sensitive data: Double left click on the entry to open the file. Once the document is open find the location of the sensitive information and in it’s place put X’s (for example replace 123-45-6789 with XXX-XX-XXXX). Save the document.
  8. Continue to the end of the flagged files, repeating the above step for each file. Don’t forget to save your progress periodically and again when you are finished!
  9. We know there may be hundreds or even thousands of files to check. The University of Virginia is commited to protecting sensitive information like Social Security Numbers and only you can determine which files you want or need to retain and which may be safely deleted. Thank you for your help and remember the identity saved from theft may be your own.
  10. Once you have completed the Identity Finder scan and taken all appropriate actions, go to the following web page and click the “Submit” button to affirm completion.

Additional documentation for using Identity Finder can be found in the help file by selecting the small question mark in the upper right corner of the Identity Finder application and also here:

If you need assistance with Identity Finder please submit an ETO help request at .

Thank you for helping improve the safety of the Curry Schoolcommunity.

Curry school of Education SSN Initiative