The University of Arizona

Personal Information Sweep (IS-P301)

The Personal Information Sweep is currently under development by the Information Security Office and the Information Security Liaisons for the Colleges of Engineering, Agriculture and Life Sciences, and Social and Behavioral Sciences. This webpage is for use by the departments piloting the Personal Information Sweep. Some links may not be active for materials under development.

Protection of personal information is of utmost importance at The University of Arizona. The Personal Information Sweep is a program designed to assist people who electronically store UA information.

Why Secure Personal Information?

Personal information on a lost, stolen or hacked computer can be harvested and used to steal identities. When the security of personal information is believed to be breached, hundreds of hours of staff time and considerable financial and reputational cost can be involved in investigating and repairing the breach and in notifying those affected.

Concerns about identity theft have spurred several industry and legislative responses that address the types of personal information used and stored at UA.  In addition, UA employees are required to retain and dispose of records that may contain personal information in accordance with legal requirements.  Failure to meet these requirements can result in costly penalties.

The Information Security Policy and the Policy on Acceptable Use of Computers and Networks make it clear that access to UA data, computers and networks is a privilege conditioned on users' compliance with laws and UA policy. To achieve compliance, a computer user must protect personal information while it is still in use and securely delete it when it is no longer needed. While the requirement seems simple, many computer users do not know whether their computers contain personal information. Even if they do know that they have stored personal information, they may not know where it is located. Some databases leave behind “temporary” files containing personal information that the user believed had been deleted, and old spreadsheets with personal information may be buried in an obscure or seldom-used subdirectory.

What is Personal Information?

Personal information includes first name or initial and last name accompanied by:

  • Social Security Numbers (including historical Student ID numbers that did not begin with an “S” or “889”)
  • Arizona driver’s license numbers
  • Arizona nonoperating identification license number (State ID card)
  • credit card, debit card or bank account number with any required security code or password

This information can potentially be used to uniquely identify a single person and is generally kept private.

Who is Responsible for Securing Personal Information?

UA personnel are responsible for the security of UA information stored, sent or displayed using computing and communications resources, whether or not those resources are owned by the University. If you work with personal information, you must be aware of and comply with applicable legal requirements and policies.

Perform the Personal Information Sweep on each computer or storage device used to store UA information.

Which Information is Affected?

This procedure applies to UA information stored in:

  • all systems used by UA personnel, other than those centrally housing UIS, IIW, SPINS, FRS, PSOS, SIS and Matrix.
  • personally owned computers and external media with UA information on them.

Note that accessing your UA computer desktop through a remote desktop program does not transfer personal information stored there to your off-campus computer.

While not within the scope of the Personal Information Sweep, paper documents with personal information should also be secured. Additional requirements outside the scope of the Personal Information Sweep may apply if you process payment card data or engage in certain electronic transactions involving protected health information.

Why Can't IT Staff Do This for Me?

You may or may not be assisted by your unit's IT staff in the technical aspects of this process, such as installing software and helping you with the cleanup process. However, you yourself must ultimately decide which files to delete or retain, given your own duties and needs. In addition, the scanning tool may find sensitive information that you should keep private even from IT staff. That means that all decisions about what to do with personal information should be made by you. The assurance that sensitive personal information is secured is your responsibility.

Assistance with the technical aspects of the process is available from your local IT staff, the 24/7 IT Support Center (626-TECH) or the Information Security Office (621-UISO).

How Do I Secure Personal Information?

The Personal Information Sweep is a program designed to assist UA personnel in addressing requirements and policies. This process will guide you through the steps you need to take:

Print a checklist to help you track your progress.

The University Information Security Officer must approve exceptions to this procedure. Refer to the Exceptions Procedure for more information.

Step 1 – Locate personal information

Authorities:

Initial Draft: 2/13/08

Effective Date: 10/1/08