Amherst College Policy to support:
201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH
Effective March 1, 2010, and in compliance with the “Standards for the Protection of Personal Information of Residents of the Commonwealth,” Amherst employees may only store personally identifiable information, “PII,” in the specific file folders noted below. PII may no longer be stored on user or department network drives (I and U), the local (C:) drive, removable storage devices, or any mobile device, including but not limited to smart phones and tablets. The College has identified secure network drives by department where all files that contain PII data must be stored. The Department Information Steward will be responsible for ensuring that their department complies with this policy.
The Department Information Stewards will inform employees in their area to delete all files containing PII that are no longer needed. For files that must be retained, employees must either delete any PII data that is not required in the file or move that file to the secured area. As an example, an Excel spreadsheet may be needed for College records; however, if the file has the Datatel ID, then the SSN may be deleted. However, if the PII data must be retained, that file must be stored in this more secured network area. To facilitate moving files from personal directories, the information steward should create a new file folder on the department’s drive (e.g., “Dept PII”) to temporarily house those files until they can be moved to the secure archive location. The information steward will instruct employees to move all files to that temporary folder and to make sure that the original files are deleted.
Department Information Stewards must then move the “Dept PII” folder to the secured network drive shared with Database Services (e.g., Shared-DASE-ADMI). The information steward must contact Monica LaCroix or Doug Meneke to notify them when all files that contain PII have been relocated to the secure archive location, to manage user access to the secure network share, and to discuss any concerns or problems with implementing this College policy.
 Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
 Identifying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.