University of Michigan - Flint

University of Michigan-Flint

Best Practices Guide for Information Collection/Manipulation

Introduction - What is Personal/Private Information?

Identity theft is a very real threat in today's technology dependent society.  UM-Flint employees must do their part to avoid endangering personal information.  To help the campus community towards this goal, ITS provides this guide to advise users on some safety measures that should be employed when working with electronic forms.  It is also recommended that form designers refer to UM-Ann Arbor's Privacy Matters campaign.  This guide is not designed to cover every legal aspect of gathering personal information by electronic means, but merely to begin to educate form designers.

Private Personal Information (PPI) is any information about a person that can be used to identify, contact, or locate the person.  All of the items listed below are considered Private Personal Information and should be treated as highly confidential, especially when gathered together:

  • Full Name
  • Address
  • Birth Date
  • Gender
  • SSN (or other national identification number)
  • Driver's License Number
  • Credit Card Number
  • Student Records
  • Patient Health Information that can be used to indentify an individual
  • Human Subject Research that can be used to identify an individual

The above list outlines some examples of PPI, but there may be others not included on the list.  When creating your form, ask yourself - could I use this information to identify, contact, or otherwise locate this person?  If the answer is yes, you're working with PPI.

back to top

Collecting PPI - Do you really need it?

When creating your form you should make every effort to only require information that is absolutely necessary.  For example, if you aren't sure you'll ever need to know the user's birthdate - don't ask for it.  Storing PPI that will never be used places it at an unnecessary risk - even when the most strict security guidelines are in place. 

back to top

Accessing and Saving PPI

When it is necessary to gather PPI employ these tips to keep the information safe:

  • Don't export response results from FormAssembly unless it is absolutely necessary to work with the data.
  • If you must export response results make sure they are stored in a secure location and don't leave multiple copies lying around.
  • Do NOT store files containing PPI on departmental drives or where unauthorized persons could potentially access them.
  • After you are done working with exported results delete them as soon as possible using one of these secure methods for deletion:
    • For Windows computers:
    • For Mac computers:
      • Use "Secure Empty Trash" command.
      • Use file shredder software such as ShredIt.
  • If you must make paper print-outs of PPI make sure that they are properly disposed of - cross-cut shredders are the preferred method.  Do not leave print-outs lying around a meeting room after they are used.
  • Don't discuss PPI in public areas where other people might hear your discussion.

back to top

CMS Web Guide