• Social security number, passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number;
• Personal home address, home (landline) phone number, or personal mobile phone number (not used for work);
• Biometric records such as photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, retina scan, voice signature, facial geometry; and,
• Information that -- when combined with the information listed above -- can then be used to identify a specific individual. For example, date of birth, place of birth, race, religion, geographical indicators, employment information, medical information, education information, financial information.

PII does NOT include:

• Things commonly found on a person's business card, such as employer name, work landline number, work mobile number (or personal mobile number used for work), work email address, or rank/title; or,
• CAC number (publicly visible in digital signatures).

Data Stored by NDU Faculty, Staff and Students in Cloud Systems

Cloud Storage NDU systems include any application, mobile or browser based, that is hosted by a third party through the Internet and outside the NDU and DoD network boundaries. Applications such as Blackboard and Microsoft Office365 are examples of cloud systems. The following data are PROHIBITED IN CLOUD STORAGE SYSTEMS: 

• Personally Identifiable Information (PII) as defined in Reference (d). Exceptions: Per DoD CIO instruction: faculty, staff and student work email, work phone numbers and other Government or Corporate data are not considered PII and are allowable.
• Controlled Unclassified Information (CUI) in accordance with Reference (h).
• Any data not directly related to programs and functions supporting the approved NDU mission statement.
• Personal data not in compliance with References (e) and (k).
• Data not directly related to academic instructional or research programs provided at NDU.
• Any course content that is not Section 508 compliant (Reference (m)).
• Data files that exceed 10 MB. Judicious selection and compression of high quality learning assets is required.

Data Stored by NDU Faculty, Staff and Students in On-Premises Systems

On-premises NDU systems include all applications and data storage that reside inside the NDU networks. Examples include Microsoft Office (desktop versions), and university shared drives for file storage. The following data are PROHIBITED IN ON-PREMISES SYSTEMS: 

• Personally Identifiable Information (PII) and other Controlled Unclassified Information (CUI) that are not encrypted and stored in accordance with the NDU Governance and Privacy Program Policy and Procedures (AR-1) (Reference (i)) and other DoD guidance. Exceptions: Per DoD CIO instruction, faculty, staff and student work email, work phone numbers and other Government or Corporate data are not considered PII and are allowable.
• Any data not directly related to instructional or research programs and functions supporting the approved NDU mission statement.
• Any course content that is not Section 508 compliant (Reference (m)).
• Data files that exceed 10 MB. Judicious selection and compression of high quality learning assets is required.

Removal of NDU Faculty, Staff or Student Data Deemed in Violation of Usage Policy

All data currently stored in any NDU systems that are in violation of DoD and NDU data policy shall be electronically deleted from the system by the owner. 

• Account holders are ultimately responsible to manage their own data and should periodically perform a self-check and immediately purge any data not compliant with the guidelines.
• If any NDU account holder is in receipt of data prohibited by NDU policies, the receiving user is responsible for removing the information from the NDU environment and notifying the sender to cease transmitting.
• ITD will periodically review NDU systems for well-known non-compliance issues and an ITD POC will provide notification to individuals who are not compliant within three (3) working days.
• If any identified data compliance issue is a "false positive," meaning that an automated tool or manual review has identified a file as being non-compliant when in fact it is compliant, the user must provide explanation to the ITD POC that contacted them within three (3) days of the notification as verified by email receipt.

When PII and Sensitive Information Must be Exchanged

NDU recognizes that their are times when NDU IT System users will have a legitimate need to exchange unclassified, PII, sensitive or FOUO data. Examples include: International students making arrangements with NDU's International Student Management Office (ISMO) for their children to attend public school; or a US civilian student submitting his immunization record to NDU Health and Fitness.

In addition, DoD policy requires digital signatures and/or encryption for emails containing the following: