Handling Confidential Information
Information in ASR
Information communicated through the ASR System must adhere with all policies of the University, State and Federal Laws. The information communicated must be work appropriate and necessary for completion of duties. Since ASR is not 100% secure some information may not be directly communicated through this system. This information is being classified by the CSU as Level 1 Data.
The following information that should not be entered into ASR tickets.
Personally Identifiable Information
- Birth date combined with last four digits of a Social Security Number.
- Tax identification with name.
- Driver’s license number, state identification card, and other forms of national or international identification in combination with name; e.g. passports, visas.
- Social Security Number and name.
- Multiple Social Security Numbers.
- Credit card numbers with or without cardholder name.
- Bank account or debit card information.
- Health Information.
- Medical records related to an individual.
- Psychological Counseling records related to an individual.
Human Resources record
- Performance evaluation reports.
- Disciplinary action reports.
Law Enforcement Information
- Law Enforcement Records related to an individual.
It is understood that some of this information may be required to complete work as assigned. If in the case that this information is needed to work through a problem, this information should be stored on an agreed upon file share on the SSU Network. All efforts to secure this information must be made, and again state and federal guidelines should be followed by all users.
Passwords, PIN numbers used by the Federal Government, or encryption keys must also not be communicated through the ASR. Although these items are not considered Level 1 Data, this information may in some cases allow unauthorized access to employees. These pieces of information should be safeguarded.
Grades, employee identification numbers and campus specific information may be communicated through the ASR system. Screen-shots depicting this information are also considered appropriate.
The general rule of thumb is to use common sense. Also, keep in mind that although information contained on the ASR system is limited to the users of the system, make sure that any information you communicate is information that is allowed to be viewed by the person(s) working to remedy the problem. For questions on this portion please contact the CMS Security Administrator via email at email@example.com.