According to MSU's Institutional Data Policy (IDP, http://eis.msu.edu/documents/institutional_data_policy_dec10.pdf), student and employee ID numbers are examples Institutional Data that are classified as Confidential Data. Institutional Data may be accessed and used "only for University purposes" and "must be used, stored, transferred, disseminated, and disposed of in ways that minimize the potential for their improper disclosure or misuse." The restrictions are tighter for Confidential Data: "Records that contain Confidential Data shall be properly secured to minimize the risk that the Confidential Data will be accessed, either intentionally or inadvertently, by individuals who do not need to see or use the Confidential Data for University purposes." The IDP does not define "properly secured." There are links to Securing Institutional Data in Appendix III (http://eis.msu.edu/sid/index.html) where you can find more links to best practices. Our office has been instructed that A-PIDs cannot be transmitted via e-mail in combination with a student's name. Combining the two elements provides enough information to lead to identity theft. The Registrar's Office can provide more information about policies and securing A-PIDs, and Human Resources can give you more info about Z-PIDs. http://www.reg.msu.edu/ http://www.hr.msu.edu/ Gene -- Gene Willacker, PCIP, PCI ISA PCI Compliance Officer Controller's Office 110 Administration Building Michigan State University 517-884-4110 On 4/24/2013 9:29 AM, Tim Heckaman wrote: > > I was wondering if someone had a quick link to the campus policies in > regard to storing zipd/apid's. I'm sure if it is even allowed that > they would need to be encrypted but I haven't seen anywhere in my > searching where it says it is allowed. I've read a lot on IT services > site but nothing clear. Most of what I found was from here > http://vplits.msu.edu/guidelines-policies/index.html > > Thanks >