Managing your piece of the Pii

This is the next in a series of monthly articles about digital records management from Digital Records Supervisor David LaGarde.

Personally Identifiable Information (Pii) (2 CFR 200.79) is an integral part of all business operations, especially in public schools, whose records incorporate student files, financial documents, transportation records, health records and more.

Information that would disclose the personal identity of an individual to whom the information applies, or that could be reasonably inferred by either direct or indirect means, falls under the scope of (Pii).

Records containing (Pii) are generated every day during the normal course of business in the district through paper and electronic records. Desktop files, emails, Skyward, Alchemy, TreeNo and dozens of other programs and applications are all mediums used to generate and house data that must be managed and stored on a routine daily basis.

What constitutes Personally Identifiable Information?

Pii is defined as information:

(a) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or

(b) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator and other descriptors).

Additionally, information that would permit the physical or online contact of a specific individual is the same as personally identifiable information (Pii). This information can be maintained in paper, electronic or other media.

School employees who come in contact with data containing (Pii) are considered stewards of these records when conducting school business. It is the collective responsibility of all school employees to protect data that may contain sensitive information during the course of conducting school business or activities, whether it be in paper, electronic or other district-provided technology mediums. The important factor to remember with all data is that only individuals who have a “need to know” in the capacity of their official duties should have access to sensitive student or employee information not subject to The Washington State Public Records Act or other laws governing the disclosure of Public Information.

Consequences of inappropriate access or sharing of Pii

The loss of (Pii) can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. Because regular school employees and contracted staff may have access to personally identifiable information concerning individuals and other sensitive data, we have a responsibility to protect that information from loss and misuse. There have been an increasing number of lawsuits over data breaches and sharing of (Pii) in recent years and, interestingly enough, the legal landscape has focused on organizations keeping too much data, which can lead to greater opportunities for records to be compromised.

Best Practices:

5 ways to protect (Pii) in daily records management

1. Simply take inventory

Identify the documents that you create in your daily workflow that contain Pii (these can be paper or electronic). Know what records are housed in other systems or locations and avoid reproducing paper copies if you can manage your work electronically. Printing out documents creates additional opportunities to open the door to improper disclosure issues and also creates additional storage concerns in determining how a paper copy is to be managed and whether it must be saved or archived.

2. Downsize

Let’s face it. Paper costs a lot to purchase, as does the process of copying, storing and disposing of it. Paperwork is slowly becoming obsolete. Keeping too many records poses a higher risk of a data breach and can complicate the process of retrieval when records are needed.

Knowing the records retention policies for your assigned workflow, and getting yourself in the habit of managing only those documents you need to keep, is part of a “Best Practice” daily task management philosophy. Identifying documents that you can easily manage and file electronically, as opposed to printing out, scanning and resaving, will greatly reduce unnecessary paperwork and your need to manage it a second or subsequent time. The fewer times a document is handled, the less opportunity there is for improper disclosure of (Pii). A good place to start is to ask yourself, “Is there a value in printing this document?”

3. Protect

Take precautions to secure paper and electronic records containing Pii by restricting access. When you leave your work area, be sure to lock your computer and close files in use. Manage your emails to delete those without a direct business relevance. Create folders to sort and store emails and documents for business reference, and learn to redact information when forwarding items to other parties where sensitive information is not pertinent. Keep sensitive information that is waiting for shredding locked up so it is not left out for others to see. Shred bins should not be left open or be kept in areas where sensitive information can readily be accessed.

4. Don’t hoard

Learn to save your records to labeled folders on your computer as you create them, so they can be moved routinely to archival records, or get in the habit of filing records electronically during your processes. Regularly process paper documents that need to be shredded according to established OSD procedures. This is done by shredding documents if they contain any (Pii), and recycling or discarding them if there is no (Pii). This can be done on your own terms but should be routinely managed to avoid accumulating records under your desk for shredding.

5. Map your files

Are you prepared to reproduce a document if needed? The reality is that nearly 90% of stored records are never referenced again once they are filed. However, the 10% that are needed should be readily accessible. If you have a sound records management procedure and workflow in place, this should never be an issue. Consistency and continuity are key, and knowing what gets saved, where it should be filed, and how to properly label the file for search and retrieval are all essential.

If you have questions about Pii (Personally Identifiable Information) in regard to student records, please contact Chief Information Officer, Marc Elliott, at Ext. 6172.

For additional information on records management, please contact Digital Records Supervisor David LaGarde at help-records@osd.wednet.edu.