Data Cleanup

Data Cleanup

Personal Responsibility

Each individual is the custodian of the data wherever that individual can write -- whether on computers or file storage devices -- and is held personally responsible for it by the University.

Attestation -- affirming that you've removed all confidential data -- is handled along HR lines: if you're paid by the Arts College, they're the ones you have to satisfy.

The College of Arts and Sciences is taking a hard line: NO confidential data (SSNs, credit card numbers, etc.) may be kept on any Cornell computer systems under their purview, not even encrypted. This includes removable storage devices like USB thumb drives. If you have a strong business need for the sensitive data, you must make this need known, in writing, to the Dept. Computer Support Staff, Manager and Chair. The Department must then present this exception request to the College for approval. In general, only HR staff have such a business need.

Personally owned computers and smartphones are not involved in Cornell's cleanup program. You personally, not the University, are liable if data on them gets compromised. A reduced-functionality version of Identity Finder can be downloaded for free from their web site. Find_SSNs is also available for free. Do NOT use any Web-based scanner. You don't know who will be seeing the data.

Well Known Files

These types of files are known to usually contain SSNs. Any which do must be securely cleaned or securely deleted. ( Scrubbed or Shredded in the terms used by Identity Finder).

Grant Proposals
- SSNs wanted for all the people involved
- Supposedly the NSF no longer requires valid SSNs to be provided. Actual submission in LEPP is usually handled by Monica Wesley, who also is the Lab's HR representative. She can insert SSNs as necessary and follows appropriate procedures for their protection.

Student Grade Records
- SSNs once were used to identify students. Senior faculty will have many of these.

Job Applications
Job Performance Appraisals

Identity Finder and Find_SSNs are only the start

The scanning tools aren't perfect. There are many types of files they cannot scan or cannot redact (Scrub). You must do your best to find and eliminate the things they miss.

Web links

http://datacleanup.cornell.edu/ -- University description of the program
https://wiki.lepp.cornell.edu/lepp/bin/view/Computing/CmpGrp/Obsolete/RunningIdentityFinder
https://wiki.lepp.cornell.edu/lepp/bin/view/Computing/LnxConfidentialData

Attesting that you've cleaned everything you can

A preliminary version of the Research Division's Online Attestation Form is below. The Arts attestation is similar.

Text of letter from the Dean to the Arts Faculty

All Faculty members in the College of Arts and Sciences should have received a copy of this memo from the Dean.

Dear Arts and Sciences Faculty,

President Skorton has asked everyone at Cornell to examine our computers, determine where confidential data exists, delete unnecessary data, and properly secure data we must retain. The College of Arts and Sciences fully supports this effort.

We have asked the College’s IT Director, Frank Strickland, to lead our data cleanup process, and we are asking you to scan and clean all Cornell-owned computers and data storage devices under your care. This is not a job that can be delegated to someone else because it involves scanning and examining your files and deciding which files to delete. We are also under a strict time constraint. Your department manager and IT support person will contact you in the near future with details about how the scanning and cleanup will proceed, with tools provided by the College.

For the purposes of this effort, confidential/sensitive data is defined as:
                Social Security Numbers
                Credit Card Numbers
                Bank Accounts
                Driver’s License Numbers

This is a massive undertaking, which we hope to complete by May 1st, 2011. Meanwhile, the university will ask us for periodic status reports. Once you have completed removing confidential data from your computer(s), the College will need an electronic attestation (via a web site provided by your local IT support staff) from you to the effect that:

You have taken appropriate steps to understand all confidential data in your care, and you have properly deleted or secured any confidential data discovered on your systems. (Should you need to retain sensitive data you MUST explain your need to your IT support person. The College MUST then approve your retention of the data.)

We appreciate your cooperation.

Sincerely,

This topic: Computing > Computing/CmpGrp > CmpgrpLinks > DataCleanupPresentation
Topic revision: 07 Feb 2019, AdminDevinBougie

Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding CLASSE Wiki? Send feedback