Personally Identifiable Information (PII) and Cyber Awareness
Personally Identifiable Information (PII) Process
PII is information that can be used to distinguish or trace someone’s identity. It is information about an individual maintained by Mid Michigan College. PII includes, but is not limited to, educational, financial, medical, criminal, or employment records.
It can include information such as (but not limited to):
- Social Security Number
- Username and Password to Mid Account
- Passport Number
- Mother’s Maiden Name
- Driver’s License or State ID #
- Health Insurance ID#
- Credit Card Number
- Banking Information
- Criminal, Medical, and Financial Records
- Educational Records
- Photos, Video, or Audio Recordings including any of the items above
PII is often found on:
- Office Personnel Lists
- Medical Records
- Rolodex Cards
- Electronic-Based Systems (e.g. SMART, Colleague, etc.)
Even if the individual pieces of information seem harmless, one or two pieces of information can be combined with other information to compromise someone’s identity. For example, the social security number, if associated with other PII, can create a high risk to the identity protection of an individual.
PII is a subset of sensitive information. If you handle PII, you are the first line of defense in preventing identity theft. It is your responsibility to protect any PII entrusted to you. All of us at the College have the responsibility of protecting PII and mitigating the damage when PII is lost or stolen.
Reasonable steps must be taken to minimize the risk of access to PII by unauthorized personnel.
Here are some reasonable steps used to minimize risk:
- When you step away from your computer for any reason, lock your computer.
  - You can do this by pressing the Windows key and the L key on your keyboard at the same time.
- Always use two-factor authentication for account access when available.
- If you receive a call or walk-in asking for specific information (e.g. student record, employee record, etc.), be sure to ask the individual to verify at least two (2) pieces of identifying information (ex. social security number, birth date, address/former address, etc.). The type of information may differ by department based on access to specific systems.
  - If at any time you feel unsure that the person you are speaking with is actually the owner of the information, politely inform them that the information they have provided cannot be verified and continue asking verifying questions.
  - If verification over the phone cannot be confirmed, inform the individual they will need to physically come to the campus. If there is a reason (e.g. an online student who lives 3 hours away, physically unable to travel, etc.) that a student cannot physically come to the campus, you may offer a Zoom session with them where they would need to show you physical documentation (e.g. driver's license, state ID, passport, etc.) for you to validate their identity.
- Never share PII over email.
  - If you receive a request via email and need to verify the identity of the individual, explain this to them and ask that they call to verify their information over the phone so that it is not in writing within an email.
- When meeting with students, make sure that your desk and computer screen are free and clear of all PII pertaining to another student.
- PII Maintenance
  - All PII must be shredded in accordance with the Mid Michigan College Retention Policy.
  - Any physical PII that is not part of a physical file that is in a locked cabinet must be shredded.
  - Ensure all physical files containing PII are secured in a locked cabinet when not in use.
- Employees must ensure when they are away from their workstation that the area is free of physical documents that contain PII and their computer is locked.
- If you are working with physical documents that contain PII and need to leave your workstation for a short period of time, please take reasonable steps (ex. if in an office, locking the door while you are out of the room; putting PII documents into a drawer; etc.) to minimize the risk of access to the information.
(updated FEBRUARY 18, 2021)