Protecting Sensitive Data

You’ve probably heard about protecting sensitive data. It is now part of the CSU standards that the Cal Poly campus will be following. Among other things, the standards define how businesses and other entities should handle selected types of personal information.

An example of protected data includes a person’s name combined with a Social Security (SSN), a driver’s license or California-issued ID number, or a financial account number, including credit and debit card numbers. If protected data is exposed, CPC must notify the affected individual(s).

Knowing Where It Is

We should all pay special attention any time protected data crosses our desks – either in paper or electronically – and we should note when it shows up in areas where it may not be needed for business purposes. The WISP broadly describes roles and responsibilities for managing protected data. For instance, it requires reviews of business processes and systems to understand when protected data is required, who needs to see it, and how long it needs to be retained. If you have a question about why you are seeing protected data, or whether you need to keep it, please talk with your manager or send an e-mail to security@calpoly.edu.

  • You Cannot Lose What You Do not Have
  • There are three easy ways to reduce risk with respect to personal data:
    • Avoid collecting protected data unless you know it is required. Provide feedback to those who give you unsolicited protected data.
    • Redact (obscure or cut out) protected data from paper or electronic files that are no longer needed.
    • Securely destroy any files that are no longer needed.