Each individual is the custodian of the data wherever that individual can write -- whether on computers or file storage devices -- and is held personally responsible for it by the University.
Attestation -- affirming that you've removed all confidential data -- is handled along HR lines: if you're paid by the Arts College, they're the ones you have to satisfy.
The College of Arts and Sciences is taking a hard line: NO confidential data (SSNs, credit card numbers, etc.) may be kept on any Cornell computer systems under their purview, not even encrypted. This includes removable storage devices like USB thumb drives. If you have a strong business need for the sensitive data, you must make this need known, in writing, to the Dept. Computer Support Staff, Manager and Chair. The Department must then present this exception request to the College for approval. In general, only HR staff have such a business need.
Personally owned computers and smartphones are not involved in Cornell's cleanup program. You personally, not the University, are liable if data on them gets compromised. A reduced-functionality version of Identity Finder can be downloaded for free from their web site. Find_SSNs is also available for free. Do NOT use any Web-based scanner. You don't know who will be seeing the data.
Well Known Files
These types of files are known to usually contain SSNs. Any which do must be securely cleaned or securely deleted. ( Scrubbed or Shredded in the terms used by Identity Finder).
SSNs wanted for all the people involved
Supposedly the NSF no longer requires valid SSNs to be provided. Actual submission in LEPP is usually handled by Monica Wesley, who also is the Lab's HR representative. She can insert SSNs as necessary and follows appropriate procedures for their protection.
Student Grade Records
SSNs once were used to identify students. Senior faculty will have many of these.
Job Performance Appraisals
Identity Finder and Find_SSNs are only the start
The scanning tools aren't perfect. There are many types of files they cannot scan or cannot redact (Scrub). You must do your best to find and eliminate the things they miss.
A preliminary version of the Research Division's Online Attestation Form is below. The Arts attestation is similar.
Text of letter from the Dean to the Arts Faculty
All Faculty members in the College of Arts and Sciences should have received a copy of this memo from the Dean.
Dear Arts and Sciences Faculty,
President Skorton has asked everyone at Cornell to examine our computers, determine where confidential data exists, delete unnecessary data, and properly secure data we must retain. The College of Arts and Sciences fully supports this effort.
We have asked the Colleges IT Director, Frank Strickland, to lead our data cleanup process, and we are asking you to scan and clean all Cornell-owned computers and data storage devices under your care. This is not a job that can be delegated to someone else because it involves scanning and examining your files and deciding which files to delete. We are also under a strict time constraint. Your department manager and IT support person will contact you in the near future with details about how the scanning and cleanup will proceed, with tools provided by the College.
For the purposes of this effort, confidential/sensitive data is defined as:
Social Security Numbers
Credit Card Numbers
Drivers License Numbers
This is a massive undertaking, which we hope to complete by May 1st, 2011. Meanwhile, the university will ask us for periodic status reports. Once you have completed removing confidential data from your computer(s), the College will need an electronic attestation (via a web site provided by your local IT support staff) from you to the effect that:
You have taken appropriate steps to understand all confidential data in your care, and you have properly deleted or secured any confidential data discovered on your systems. (Should you need to retain sensitive data you MUST explain your need to your IT support person. The College MUST then approve your retention of the data.)
We appreciate your cooperation.