MCC's Personally Identifiable Information (PII) Policy



Introduction

The MCC Institutional Data Security Team is charged with ensuring the College’s compliance with (1) federal, state, and local laws associated with the protection of Personally Identifiable Information (PII) and individual privacy and (2) industry standards for protecting the privacy of financial information.

The Team has four broad responsibilities relating to the statutes and regulations:

  • Ensuring that the College has a complete set of written information security policies that apply to both paper and digital records.
  • Ensuring that all staff in any position to access sensitive data receive training on the proper handling of sensitive information.
  • Ensuring the protection of all paper and digital records containing sensitive data.
  • Developing and executing a plan of action in the case of any breach.

What constitutes Personally Identifiable Information (PII)?

Per the Office of Massachusetts Attorney General and the Massachusetts Data Security Laws, PII or Personally Identifiable Information is defined as:

  • First name and last name or first initial and last name of a resident in combination with one or more of the following:
    • Social Security Number
    • Driver’s license number or state-issued card ID number; or
    • Debit / credit card number or personal financial information

PII Data Management Guidelines

  1. PII collection must be approved by the MCC Institutional Data Security Team.  Access to PII data must be requested by an individual’s supervisor or area administrator.  Supervisors and administrators are responsible for maintaining their area’s secure work processes with PII and requesting removal of access to PII data when an individual’s employment or responsibilities change.
  2. All employees must comply with Middlesex’s Computer Use Policy.
  3. Middlesex employees are to refrain from asking students their social security number unless required by tasks and responsibilities associated with their job.
  4. Collecting, accessing and disseminating PII data is strictly prohibited unless required by tasks and responsibilities associated with an employee’s job at Middlesex. 
  5. Electronic transmission of PII data by e-mail and/or other social media by Middlesex employees is prohibited unless the software and/or method of transmission has been approved in advance by MCC’s IT Department.
  6. It is prohibited to leave PII data unattended in a non-secure environment. 
  7. It is prohibited to store PII data in a non-secure environment. 
  8. MCC employees who have permission to work with PII data are not permitted to download files containing it to portable media (e.g., flash drives, PDAs), laptops and/or College Office PC hard drives.
  9. MCC employees are prohibited from discarding paper documents containing PII data that have not been “cross-shredded” into trashcans or unsecured paper recycling containers.
  10. MCC employees are required to adhere to the Facility Department’s procedures pertaining to the archiving and/or destruction of documents containing confidential information to ensure proper handling of documents containing PII data.
  11. MCC employees are required to notify their immediate supervisor if they suspect a breach of security associated with procedures and/or processes containing PII data. Supervisors are then required to notify a member of MCC’s Data Security Team. A breach of security is defined in MGL regulations as the unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data and the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by an agency, that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
  12. All contracts entered into with third-party providers and MCC management personnel are required to contain appropriate acknowledgement of security measures for personal information protection by the third party.

MCC’s Disciplinary Measures for Violations of MCC’s PII Policy

  1. Violations of any part of this policy resulting in the misuse, unauthorized access, or unauthorized disclosure or distribution of PII Data will be subject to College disciplinary procedures, up to and including the termination of employment or contract with the College. When appropriate, law enforcement will be contacted.

Last Modified: 12/5/16