The University of Arizona
Home » Projects & Initiatives

Personal Information Sweep

The Personal Information Sweep is currently under development by the Information Security Office and the Information Security Liaisons for the Colleges of Engineering, Agriculture and Life Sciences, and Social and Behavioral Sciences. This webpage is for use by the departments piloting the Personal Information Sweep. Some links may not be active for materials under development.

Protection of personal information is of utmost importance at The University of Arizona. The Personal Information Sweep is a program designed to assist individuals who electronically store UA information.

Why Secure Personal Information?

Personal information on a lost, stolen or hacked computer can be harvested and used to steal identities. When the security of personal information is believed to be breached, hundreds of hours of staff time and considerable financial and reputational cost can be involved in investigating and repairing the breach and in notifying those affected.

Personal information should be protected while still in use and securely deleted when no longer needed. While the requirement seems simple, many computer users do not know whether their computers contain personal information. Even if they do know, they may not know where it is located. Some databases leave behind “temporary” files that contain personal information that the user believed had been deleted, or old spreadsheets with personal information may be buried in an obscure or seldom used subdirectory.

What is Personal Information?

Personal information includes first name or initial and last name accompanied by:

  • Social Security Numbers (including Student ID numbers that do not begin with an “S” or “889”)
  • Arizona driver’s license numbers
  • Arizona nonoperating identification license number (State ID card)
  • financial account number or credit or debit card number with any required security code or password that would permit access to a financial account

This information can potentially be used to uniquely identify a single person and is generally kept private.

Who Must Secure Personal Information?

UA personnel are responsible for the security of UA information stored, sent or displayed using computing and communications resources, whether or not those resources are owned by the University. If you work with personal information, you must be aware of and comply with applicable legal requirements and policies.

All UA personnel must complete the Personal Information Sweep on each computing or storage device used to store UA information.

Which Information Must be Considered?

This procedure applies to UA information stored in all systems used by UA personnel, other than those centrally housing UIS, IIW, SPINS, FRS, PSOS, SIS and Matrix. It applies to your personally owned computer or external media if you have UA information on it.

While not within the scope of the Personal Information Sweep, paper documents with personal information should also be secured.  Additional requirements outside the scope of the Personal Information Sweep may apply if you process payment card data or engage in certain electronic transactions involving protected health information.

Why Can't Technical Support Staff Do This for Me?

You may or may not be assisted by your local technical support staff in the technical aspects of this process, such as installing software and helping you with the clean up process.  However, you yourself must ultimately decide which files to delete or retain, given your own duties and needs. In addition, the scanning tool may find sensitive information that you should keep private even from technical support staff. Therefore, all decisions about what to do with personal information must be made by you. The assurance that sensitive personal information is secured is your responsibility.

How Do I Secure Personal Information?

The Personal Information Sweep is a program designed to assist UA personnel in addressing requirements and policies. This process will guide you through the steps you need to take:

  • LOCATE personal information
  • DELETE unneeded files
  • SECURE all other personal information
  • SCAN computing and storage devices
  • DELETE unneeded files
  • SECURE all other personal information
  • COMPLY with applicable standards
  • COMPLETE the Critical Device Identification Form
  • CERTIFY your completion of the Sweep
  • SUBMIT the Certification

Print a checklist to help you keep track of your progress.

The University Information Security Officer must approve exceptions to this procedure. Refer to the Exceptions Procedure for more information.

Step 1 – Locate personal information