The information included on this page as well as the related section in the WISP can be used as a reference by employees at MIT when determining where to look for sensitive data and which actions they can take to mitigate risk.
Processes such as the ones listed below are just a few places where employees at MIT may come across personal information. Be sure to take note of other places to look where storage of sensitive data may not be obvious at first glance.
Note: Now that some of the processes listed below are being transferred to an electronic online format, this shall minimize the collection of paper records by local Departments, Labs and Centers.
Data resides in one of four process-oriented areas of the Institute:
- Employee-oriented processes
- Student-oriented processes
- Financially-oriented processes
- Miscellaneous processes, including medical and notary.
Regardless of the kind of personal information you come across at MIT, here are some general business practices that can guide you to handling, processing, storing, transmitting and disposing of data with an acceptable level of protection and control.
Establish Business Rules
Establish business rules for the use of PIRN within a business process:
- Understand and document the legal/policy reason to collect or use PIRN
- Explain consequences if PIRN is not provided
- Define criteria for authorizing access to PIRN
- Define allowable use (e.g., how much can be seen, what can be downloaded, any limits from work at home, etc)
- Define records retention requirements for PIRN (which may be shorter duration than for the rest of the record)
- Define controls
- Explore process changes that could further mitigate risk
Work with the System Owner
It is important to work with the business System Owner:
- To align system(s) with business rules (to the extent technically feasible)
- To establish monitoring and other controls (e.g. quarterly list of authorized individuals to detect/block unauthorized access or inappropriate access by authorized individuals
- To explore ways technology could facilitate protections without impeding business process objective
Work with Process Participants
It is also important to work with business process participants to:
- Communicate business rules and provide on-going training
- Remind the community that there are minimum standards that must be in place if PIRN is used/stored electronically (reference Minimum Security Standards, unless other rules apply)
- Remind community of potential for disciplinary action, up to and including termination, for policy violations
- Monitor controls on authorization, access, usage, retention
- Ensure contracts with any 3rd parties with PIRN have appropriate language