Protecting data is easier if you know where it is. It could reside in email, on external hard drives or in folders on your computer that have been saved over the years, sometimes many years. Some data (such as passwords) could also reside in cached web files. Doing a simple search using the computer's built-in search utility tool will not find all of these sensitive pieces of information if you don't know what exactly to search for.
Scanning your computer for instances of sensitive data is a good idea for anyone who suspects that such data might be stored on a computer. This step is an important one when trying to find out what kinds of data you have.
MIT offers a scanning tool called Spirion (formerly Identity Finder), which is licensed for use by faculty and staff at MIT. It helps to find instances of data that could be sensitive. In particular it looks for passwords, credit card and bank account numbers, passport and driver's license numbers and Social Security numbers.
Whenever you are requesting or collecting data from a person or source, STOP and CONSIDER: Why do I need this info? Is it REQUIRED for this situation? Can I fulfill my purpose without it?
- If you do not absolutely need it to transact that business, dispose of it securely
- If you received the information from another source, direct the source not to provide it to you anymore.
If You Must Collect
- Inform your supervisor/manager and ensure they approve of this use
- Document the justification and approval to collect it
- Notify the individual that you are collecting their data and explain its intended use
- If appropriate, obtain the consent of the individual, preferably in writing
- Consult with your departmental computing professionals and/or the appropriate data stewards to ensure you are handling it securely and appropriately
- Destroy the information in a secure manner once you no longer require it
- Regularly review your decision and your protection measures to ensure that the business need still exists and that the protection measures are still optimal.
Making Data Less Sensitive
- Collect the last 4 digits of SSNs or credit cards instead of a full number
- Remove columns of critical information prior to making reports
- Convert SSNs to MIT IDs for students, faculty and staff.