Data Usage

 

NDU's Privacy Program 

NDU's Privacy Program provides information on the following topics:

NDU's Memorandum on Data Usage (13 April 2018) -- the source document for the citations referenced below unless otherwise noted -- provides specific guidance for all NDU faculty, staff, and students who use NDU's IT System for processing, storing, displaying, communicating or conducting research.

Definition of PII

PII includes:

  • Social security number, passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number;
  • Personal home address, home (landline) phone number, or personal mobile phone number (not used for work);
  • Biometric records such as photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, retina scan, voice signature, facial geometry; and,
  • Information that -- when combined with the information listed above -- can then be used to identify a specific individual. For example, date of birth, place of birth, race, religion, geographical indicators, employment information, medical information, education information, financial information.
PII does NOT include:
  • Things commonly found on a person's business card, such as employer name, work landline number, work mobile number (or personal mobile number used for work), work email address, or rank/title; or,
  • CAC number (publicly visible in digital signatures).

Data Stored by NDU Faculty, Staff and Students in Cloud Systems

Cloud Storage NDU systems include any application, mobile or browser based, that is hosted by a third party through the Internet and outside the NDU and DoD network boundaries. Applications such as Blackboard and Microsoft Office365 are examples of cloud systems. The following data are PROHIBITED IN CLOUD STORAGE SYSTEMS: 

  • Personally Identifiable Information (PII) as defined in Reference (d). Exceptions: Per DoD CIO instruction: faculty, staff and student work email, work phone numbers and other Government or Corporate data are not considered PII and are allowable.
  • Controlled Unclassified Information (CUI) in accordance with Reference (h).
  • Any data not directly related to programs and functions supporting the approved NDU mission statement.
  • Personal data not in compliance with References (e) and (k).
  • Data not directly related to academic instructional or research programs provided at NDU.
  • Any course content that is not Section 508 compliant (Reference (m)).
  • Data files that exceed 10 MB. Judicious selection and compression of high quality learning assets is required.

Data Stored by NDU Faculty, Staff and Students in On-Premises Systems

On-premises NDU systems include all applications and data storage that reside inside the NDU networks. Examples include Microsoft Office (desktop versions), and university shared drives for file storage. The following data are PROHIBITED IN ON-PREMISES SYSTEMS: 

  • Personally Identifiable Information (PII) and other Controlled Unclassified Information (CUI) that are not encrypted and stored in accordance with the NDU Governance and Privacy Program Policy and Procedures (AR-1) (Reference (i)) and other DoD guidance. Exceptions: Per DoD CIO instruction, faculty, staff and student work email, work phone numbers and other Government or Corporate data are not considered PII and are allowable.
  • Any data not directly related to instructional or research programs and functions supporting the approved NDU mission statement.
  • Personal data not in compliance with References (e) and (k).
  • Any course content that is not Section 508 compliant (Reference (m)).
  • Data files that exceed 10 MB. Judicious selection and compression of high quality learning assets is required.

Removal of NDU Faculty, Staff or Student Data Deemed in Violation of Usage Policy

All data currently stored in any NDU systems that are in violation of DoD and NDU data policy shall be electronically deleted from the system by the owner. 

  • Account holders are ultimately responsible to manage their own data and should periodically perform a self-check and immediately purge any data not compliant with the guidelines.
  • If any NDU account holder is in receipt of data prohibited by NDU policies, the receiving user is responsible for removing the information from the NDU environment and notifying the sender to cease transmitting.
  • ITD will periodically review NDU systems for well-known non-compliance issues and an ITD POC will provide notification to individuals who are not compliant within three (3) working days.
  • If any identified data compliance issue is a "false positive," meaning that an automated tool or manual review has identified a file as being non-compliant when in fact it is compliant, the user must provide explanation to the ITD POC that contacted them within three (3) days of the notification as verified by email receipt.

When PII and Sensitive Information Must be Exchanged

NDU recognizes that their are times when NDU IT System users will have a legitimate need to exchange unclassified, PII, sensitive or FOUO data. Examples include: International students making arrangements with NDU's International Student Management Office (ISMO) for their children to attend public school; or a US civilian student submitting his immunization record to NDU Health and Fitness.

In addition, DoD policy requires digital signatures and/or encryption for emails containing the following: 

Examples of Email that Must be Digitally Signed Examples of Email that Must be Digitally Signed AND Encrypted
  • Messages containing formal direction to government employees or contractors;
  • Messages stipulating an official NDU position;
  • Messages that commit to, authorize or deny the use of funds; and,
  • Messages that contain an embedded hyperlink or attachment, as these are often used to conceal malware or viruses.
  • Controlled Unclassified Information (CUI)
  • For Official Use Only (FOUO)
  • Personally Identifiable Information (PII) – Examples include social security numbers (SSNs), alien registration numbers, biometric identifiers, and financial account numbers.
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Proprietary Data
  • Contracting Data


Transmitting PII and Sensitive Data

Alternative methods to email for exchanging sensitive data include delivering it via the AMRDEC Safe Access File Exchange (SAFE), in person, by courier, or by using a secure Fax machine.

See the NDU Privacy Program page, "Transmitting PII and Sensitive Data" for detailed instructions and guidance.

NDU's Collection and Use of Student PII

NDU's Server Access Authority Request (SAAR) Form 2875 does NOT collect PII/Sensitive/FOUO data; however, NDU does collect and maintain PII/Sensitive/FOUO data from students via  questionnaires sent to enrolled, IA compliant students by the University's Registrar and Institutional Research components. Student data is collected and/or uploaded into NDU's University Student Management System (USMS) for the purpose of sorting students into diverse seminar groups; tracking course grades and completion; reporting to academic accreditation bodies; and issuing diplomas and academic transcripts. NDU files all necessary System of Record (SORN), Privacy Impact Assessment (PIA) and OMB Paperwork Reduction Act documentation for its USMS. See NDU's Privacy Program links (top right of this page) for more information.