Dealing with PII in OneDrive
Information Security Procedure
Information Security Procedures (ISPR) are developed to provide the steps needed to implement a specific Information Security Best Practice (ISBP).
This ISPR directly supports the ISBP for sharing files and folders in OneDrive.
Remediating PII Notifications from OneDrive
In today’s evolving threat landscape, we must protect ourselves from those who would perpetrate fraud against us by constantly questioning how we store and transmit confidential information.
To prevent the accidental sharing of sensitive information, a data loss prevention (DLP) policy has been implemented in OneDrive. If this policy detects an attempt to share personally identifiable information (PII) with someone outside the institution, it will email a warning notification, including the suspected data type, to both the sender and IITS.
Note: At times these security systems generate false positives (data that looks like confidential information but isn’t).
If the File Contains Confidential Information
If it is necessary to share the file with someone outside the institution as part of an authorized business process defined by your department in concert with IITS, you may need to find another method to deliver the data, for instance a fax machine or an encrypted USB drive.
Please contact the IITS Help Desk for assistance if you cannot find an appropriate alternative.
If the need to share the file with someone outside the institution is legitimate but the sensitive data is not required, remove or redact the offending data, find an alternative delivery method, or stop sharing the file or folder.
If the Data Has Been Misidentified
If you still intend to share the file with someone outside the institution, you can either remove or redact the offending data, find an alternative delivery method, or contact the IITS Help Desk for guidance.
If you no longer intend to share the file with someone outside the institution, remove the unnecessary permissions.
Securing File and Folder Shares in OneDrive
To ensure that access to PII is properly restricted within OneDrive, see the Information Security Procedure for Sharing Files and Folders.
Non-Business Related Information
Users should be aware that all communications conducted on or from District systems, whether electronic or otherwise, are subject to review and disclosure as outlined by the California Public Records Act, current case law, and other Federal and/or State laws and regulations. Therefore, users should exercise extreme caution in using electronic communications to communicate or store information of a confidential or sensitive nature.
Furthermore, using District systems to transmit personal taxes, refinance forms, medical verification forms, or anything else containing your confidential information puts you at risk should your account, or the account of the business you deal with, become compromised.