Summary
This article provides information for USNH employees regarding the best practices of communicating personally identifiable information (PII) through e-mail or other technology resources.
Content
Users should transmit personally identifiable information (PII) by email or fax only when no other practical options are available, and the communication serves a legitimate business need. Users mailing or faxing PII classified as restricted (protection mandated by state or federal laws) must incorperate appropriate protections such as file encryption or secure fax service, for example. Transmission of sensitive PII (protection required by university policy or contract) by email or fax is generally not recommended by Cybersecurity; however, where this conflicts with established business practices, it is not prohibited. ET&S Cybersecurity recommneds alternative data sharing, such as through Microsoft Teams and SharePoint.
The USNH Data Classification Policy prohibits sending social security numbers (SSN) through email unless encrypted or reduced to the last four digits as an example of restricted data protection. ET&S Cybersecurity discourages sending the last four digits of a social security number only when un-encrypted, as identity thieves can reconstruct SSNs with other obtainable information.
All service providers and agencies should have a provision that restricted or protected information by unprotected email in their publicly available privacy policy. Service providers and agencies that routinely need to receive such information as part of their business should communicate additional information about how to do so safely.
When sending such information by fax, it is essential to ensure that it is a secure fax transaction. At a minimum, the sending party should ensure that the recipient is expecting it and will ensure that the document does not stay on the receiving fax machine for unauthorized persons to see. Preferably, the receiving party will provide a dedicated fax device in a location not accessible to unauthorized persons to receive restricted information.
The question of emailing sensitive data such as a person’s date of birth (DOB) is more complicated. While it is not listed as protected PII in current privacy laws, DOB is often used to change or recover passwords, set up bank accounts, or gain access to accounts and medical services. Many individuals consider it highly sensitive for personal reasons. Cybersecurity recommends that users protect DOB in the same way as an SSN where practical; however, the transmission of DOB, the USNH ID, or other sensitive information via unencrypted email within the University System for legitimate business reasons is acceptable. As stated above, ISS urges departments to consider alternative means of sharing data, such as through Microsoft Teams and SharePoint
Further Readings
USNH Cybersecurity Policy
USNH Privacy Policy
USNH Information Classification Policy
Family Educational Rights and Privacy Act (FERPA) - The U.S. Department of Education
Health Information Privacy (HIPAA) - The U.S. Department of Health and Human Services
Need additional help?
Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request. For password issues you must call or visit the Help Desk in person.