The Use of E-mail with Personally Identifiable Information (PII)

Summary

This article provides information for USNH employees regarding the best practices of use of e-mail communication with personally identifiable information (PII).

Body

Summary

This article provides information for USNH employees regarding the best practices of communicating personally identifiable information (PII) through e-mail or other technology resources.

 

Content

Users should transmit personally identifiable information (PII) by email or fax only when no other practical options are available, and the communication serves a legitimate business need. Users mailing or faxing PII classified as restricted (protection mandated by state or federal laws) must incorperate appropriate protections such as file encryption or secure fax service, for example.  Transmission of sensitive PII (protection required by university policy or contract) by email or fax is generally not recommended by Cybersecurity; however, where this conflicts with established business practices, it is not prohibited. ET&S Cybersecurity recommneds alternative data sharing, such as through Microsoft Teams and SharePoint.

The USNH Data Classification Policy prohibits sending social security numbers (SSN) through email unless encrypted or reduced to the last four digits as an example of restricted data protection. ET&S Cybersecurity discourages sending the last four digits of a social security number only when un-encrypted, as identity thieves can reconstruct SSNs with other obtainable information.

All service providers and agencies should have a provision that restricted or protected information by unprotected email in their publicly available privacy policy. Service providers and agencies that routinely need to receive such information as part of their business should communicate additional information about how to do so safely.

When sending such information by fax, it is essential to ensure that it is a secure fax transaction. At a minimum, the sending party should ensure that the recipient is expecting it and will ensure that the document does not stay on the receiving fax machine for unauthorized persons to see. Preferably, the receiving party will provide a dedicated fax device in a location not accessible to unauthorized persons to receive restricted information.

The question of emailing sensitive data such as a person’s date of birth (DOB) is more complicated. While it is not listed as protected PII in current privacy laws, DOB is often used to change or recover passwords, set up bank accounts, or gain access to accounts and medical services. Many individuals consider it highly sensitive for personal reasons.  Cybersecurity recommends that users protect DOB in the same way as an SSN where practical; however, the transmission of DOB, the USNH ID, or other sensitive information via unencrypted email within the University System for legitimate business reasons is acceptable.  As stated above, ISS urges departments to consider alternative means of sharing data, such as through Microsoft Teams and SharePoint

 

Further Readings

USNH Cybersecurity Policy 

USNH Privacy Policy 

USNH Information Classification Policy 

Family Educational Rights and Privacy Act (FERPA) - The U.S. Department of Education 

Health Information Privacy (HIPAA) - The U.S. Department of Health and Human Services 

 

Need additional help?

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request.  For password issues you must call or visit the Help Desk in person.  

Details

Details

Article ID: 1190
Created
Fri 7/19/19 5:54 PM
Modified
Thu 5/30/24 11:16 AM