Understanding Where PIRN Is
Each Business Process Owner or System Owner is expected to:
- Understand why PIRN is needed, and to limit the amount of PIRN that is collected to that which is reasonably necessary to accomplish the legitimate purpose for which it is collected.
- Understand the data flows, including hard copy and electronic, where data is stored, used or transmitted, whether files are distributed or centralized.
- Determine appropriate record retention for PIRN (which may be for a shorter time period than other information in the record).
- Ensure that when electronic and hard copy records are redacted, deleted or destroyed, this is done in such a way that PIRN cannot be practicably read or reconstructed. Appendix C sets forth specific legal requirements for the deletion or destruction of records that contain PIRN.
- When a new business requirement for handling PIRN develops, Business Process Owners are expected to update processes and protocols as appropriate and keep Business Process Executives informed.
Business Process Owners or System Owners may delegate the above responsibilities to one or more individuals who have received training or education in information security and privacy.
The following diagram illustrates the framework for risk management:
Limiting Access to PIRN
Each Business Process Owner or System Owner will establish a protocol that defines the rules, processes and/or systems for:
- Limiting access to only authorized and authenticated individuals who need PIRN to conduct MIT business. (Limits on access should not preclude cross-departmental collaborations and data exchanges on an as-needed basis; authorized sharing of information from a single source has lower risk of exposure compared to duplicative data stores.)
- Removing access when it is no longer needed, such as in the event of employment termination or job change.
- Periodically reviewing who has access to ensure it is in alignment with current business needs, done at least annually.
- Updating each individual's authentication key (e.g., password, certificate, etc.) at least annually.
- Determining whether remote access will be allowed and, if so, ensuring that controls exist to protect the security and confidentiality of PIRN.
- Securing electronic and hard copy files when stored or during transmission, as well as understanding that electronic files that contain PIRN should not be transmitted over MITnet or the Internet unless secured. (To remain compliant, electronic files that contain PIRN must be encrypted during transmission over MITnet or the Internet. See Appendix D.)
- Logging and monitoring access to detect unauthorized attempts to access PIRN, as well as inappropriate access by authorized individuals.
Business Process Owners and System Owners may delegate the above responsibilities to one or more individuals who have received training or education in information security and privacy.
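As an added illustration of the access protocol above (this is example code written for this page, not MIT's own tooling), the script below runs three of the listed checks against constructed records: it flags grants held by users who are no longer active (access removal), access reviews and authentication-key rotations older than the annual interval (periodic review and key update), and, from sample access-log lines, successful reads by users without an active grant and repeated denied attempts (logging and monitoring). The grant records, the log format (`<timestamp> user=<id> action=<read|denied> record=<n>`), the user names and the three-denial threshold are all assumptions made for the example.

```python
"""Access-review and access-log checks for a PIRN data store (example, not MIT code)."""
from collections import Counter
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)    # access review "at least annually"
ROTATION_INTERVAL = timedelta(days=365)  # authentication key update "at least annually"

# Constructed sample access grants (hypothetical users and dates).
GRANTS = [
    {"user": "alice", "status": "active", "last_access_review": "2024-01-15",
     "credential_last_rotated": "2024-02-01"},
    {"user": "bob", "status": "active", "last_access_review": "2022-11-30",
     "credential_last_rotated": "2024-01-10"},
    {"user": "carol", "status": "terminated", "last_access_review": "2024-01-15",
     "credential_last_rotated": "2023-06-01"},
    {"user": "erin", "status": "active", "last_access_review": "2024-02-20",
     "credential_last_rotated": "2022-12-31"},
]

# Constructed sample access-log lines in an assumed key=value format.
ACCESS_LOG = """\
2024-03-01T09:12:04 user=alice action=read record=1042
2024-03-01T09:13:30 user=mallory action=denied record=1042
2024-03-01T09:13:41 user=mallory action=denied record=1043
2024-03-01T09:13:52 user=mallory action=denied record=1044
2024-03-01T10:02:11 user=carol action=read record=2001
2024-03-01T10:05:47 user=bob action=read record=2002
"""


def review_grants(grants, today):
    """Return (user, finding) pairs for grants that violate the access protocol."""
    findings = []
    for g in grants:
        if g["status"] != "active":
            findings.append((g["user"], "revoke: user no longer active"))
            continue  # once access is revoked the remaining checks are moot
        reviewed = date.fromisoformat(g["last_access_review"])
        if today - reviewed > REVIEW_INTERVAL:
            findings.append((g["user"], "access review overdue"))
        rotated = date.fromisoformat(g["credential_last_rotated"])
        if today - rotated > ROTATION_INTERVAL:
            findings.append((g["user"], "credential rotation overdue"))
    return findings


def authorized_users(grants):
    """Users who currently hold an active grant."""
    return {g["user"] for g in grants if g["status"] == "active"}


def parse_log_line(line):
    """Split '<ts> k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def monitor_log(log_text, authorized, denied_threshold=3):
    """Flag reads by users without an active grant and repeated denied attempts."""
    findings = []
    denied = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_log_line(line)
        if ev["action"] == "read" and ev["user"] not in authorized:
            findings.append((ev["user"], f"read of record {ev['record']} without active grant"))
        elif ev["action"] == "denied":
            denied[ev["user"]] += 1
    for user, n in denied.items():
        if n >= denied_threshold:
            findings.append((user, f"{n} denied attempts"))
    return findings


def run_checks(today_iso="2024-03-01"):
    """Run both checks against the constructed sample data as of the given date."""
    today = date.fromisoformat(today_iso)
    return {
        "grants": review_grants(GRANTS, today),
        "log": monitor_log(ACCESS_LOG, authorized_users(GRANTS)),
    }


if __name__ == "__main__":
    results = run_checks()
    for user, msg in results["grants"] + results["log"]:
        print(f"{user:8} {msg}")
```

The two checks are deliberately tied together: the set of users considered authorized in the log check is derived from the current grants, so a read by someone whose grant has lapsed or been revoked shows up as a monitoring finding rather than being silently accepted.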