TCU Sensitive Personal Information (SPI) Policy

Securing Sensitive Personal Information

The purpose of this document is to describe the responsibilities one assumes when one undertakes the collection, processing, storage, or dissemination of other people’s sensitive personal information. SPI Data is classified as Confidential Data according to the TCU Data Classification Policy.

Sensitive Personal Information (SPI)

SPI is defined as an individual’s name, address, or telephone number combined with any of the following:

  • Social security number or taxpayer ID number
  • Credit or debit card number
  • Financial/salary data
  • Driver’s license number
  • Date of birth
  • Medical or health information protected under HIPAA
  • Biometric Markers (e.g. fingerprint, retina, voice, heartbeat, grip)
  • Student related data protected under FERPA

SPI will not be disclosed except as provided by University policy and procedure or legal disclosure requirements. SPI will be protected and secured in accordance with the following standards.

How to Protect Sensitive Personal Information

Electronic Storage and Disposal

  • Do not store SPI on a PDA, laptop computer or desktop computer’s hard drive, USB drive, CD, flash memory card, floppy drive or other storage media.
  • Do not store SPI in public files accessible via the Internet.
  • Do not download SPI from TCU databases unless legally required or for a standard TCU business practice.
  • Do not transmit SPI to external parties via email or the Internet unless the connection is secure or the information encrypted.
  • Do not transmit SPI via PDA, laptop or any other wireless technology.
  • Discard media (such as disks, tapes, hard drives) that contain SPI in a manner that protects the confidentiality of the information.

Physical Storage and Disposal

  • Do not publicly display SPI or leave SPI unattended, even on your desk or on the desk of a co-worker.
  • Do not take SPI home.Shred SPI when it is no longer needed.
  • Do not discard SPI in the trash.

Security

  • Lock your computer when unattended.  Using Control, Alt, Delete or engaging a password-protected screensaver are efficient ways to accomplish this.
  • Lock offices, desks, and files that contain SPI when unattended.
  • Eliminate the use of forms that ask for SPI whenever possible.
  • Password-protect all SPI and accounts with access to SPI according to the TCU guidelines for passwords.
  • Do not share passwords and do not document passwords.
  • Familiarize yourself with TCU information security guidelines and best practices via the TCU Technology Resources website http://security.tcu.edu/.
  • The Gramm-Leach-Bliley act, FERPA and HIPAA laws should be followed when dealing with confidential or private information.  See http://security.tcu.edu/ for further information.

Legal Disclosure Requirements

  • Do not share SPI documents or information with anyone unless required by government regulations, specific TCU job responsibilities or business requirements.  Be prepared to say “no” when asked to provide that type of information.
  • Do not communicate confidential student information designated by the FERPA flag.
  • Notify TCU Information Technology Information Security Services Director, Jim Mayne at 817-257-6843 or j.mayne@tcu.eduimmediately if you suspect SPI may have been compromised.