According to MSU's Institutional Data Policy (IDP, http://eis.msu.edu/documents/institutional_data_policy_dec10.pdf), student and employee ID numbers are examples Institutional Data that are classified as Confidential Data.

Institutional Data may be accessed and used "only for University purposes" and "must be used, stored, transferred, disseminated, and disposed of in ways that minimize the potential for their improper disclosure or misuse."

The restrictions are tighter for Confidential Data:

"Records that contain Confidential Data shall be properly secured to minimize the risk that the Confidential Data will be accessed, either intentionally or inadvertently, by individuals who do not need to see or use the Confidential Data for University purposes." The IDP does not define "properly secured." There are links to Securing Institutional Data in Appendix III (http://eis.msu.edu/sid/index.html) where you can find more links to best practices.

Our office has been instructed that A-PIDs cannot be transmitted via e-mail in combination with a student's name. Combining the two elements provides enough information to lead to identity theft.

The Registrar's Office can provide more information about policies and securing A-PIDs, and Human Resources can give you more info about Z-PIDs.

http://www.reg.msu.edu/
http://www.hr.msu.edu/

Gene

--
Gene Willacker, PCIP, PCI ISA
PCI Compliance Officer
Controller's Office
110 Administration Building
Michigan State University
517-884-4110

On 4/24/2013 9:29 AM, Tim Heckaman wrote:
[log in to unmask]" type="cite">

I was wondering if someone had a quick link to the campus policies in regard to storing zipd/apid’s. I’m sure if it is even allowed that they would need to be encrypted but I haven’t seen anywhere in my searching where it says it is allowed. I’ve read a lot on IT services site but nothing clear. Most of what I found was from here http://vplits.msu.edu/guidelines-policies/index.html

 

Thanks