General Guidance and Best Practices for Handling and Safeguarding
Proprietary, Confidential, or Controlled Information (PCCI)

(such as information under an NDA, marked as export-controlled, or controlled via Technology Control Plan)

General Guidance on Primary Recipient Responsibilities

  • The Primary Recipient is the individual identified at contract or TCP (“Technology Control Plan”) execution who is the control point for access to Proprietary, Confidential, or Controlled Information (PCCI).
  • The Primary Recipient is responsible for:
    • Determining who has a legitimate “need to know”, consistent with the specific purpose for which the PCCI was shared.
    • In some cases, the Export Controls Officer will require that personnel with access to PCCI to sign a Personal Acknowledgement Form documenting their responsibilities.
    • Ensuring that any contract specific measures are understood and followed.
    • Keeping any necessary records (such as summaries of PCCI received orally or visually)

General Guidance on Marking and Identification

  • PCCI, depending on the specific form it takes, may have regulatory or contractual requirements for document marking.
  • In general, when in possession of hard copy PCCI documents use cover sheets that appropriately label the document as the appropriate kind of PCCI. Include specific notice of restrictions on the use of the data or information.
  • In general, electronic files containing PCCI should be identified as such either in file name, or
    within the document itself such as on a cover page or banner.

General Guidance on Proper Use

  • Limit PCCI use to only the intended purpose.
  • PCCI should not be used for design, or reverse engineering, or any other use other than that which was specified per contract or TCP, absent written permission of the disclosing party.

General Guidance on Determining Access and Export Control Implications

  • Limit PCCI access to only those WSU personnel who have a legitimate “need to know”, consistent with the specific purpose for which the PCCI was initially shared, and/or consistent with relevant TCP guidance or direct guidance offered by the Export Controls & Compliance Office.
    • “Need to know” is defined as “A determination made by an authorized holder of PCCI that a prospective recipient requires access to specific PCCI in order to perform or assist in a lawful and authorized contract function.”
    • Special consideration of the Export Control implications must be given if PCCI access is sought for a non-U.S. Person, or is to be discussed or taken internationally. Prior to granting access, contact the Export Controls Office at exportcontrols@wichita.edu, if this situation occurs.
    • Note: PCCI shall not be shared with a non-WSU person without the approval of the Export Controls Officer, and only after it is determined that such disclosure is authorized by the agreement under which the information was shared. Such disclosure may require an additional agreement binding the new party.

General Guidance on Physical Controls

  • When not in use, PCCI in the form of physical items (documents, materials, posters, hardware,
    etc.) should be secured in locked cabinets or rooms with access limited to those with need to know and/or approved via controlling TCP.
  • In general, it is best to follow the logic of “at least one controlled barrier” (such as a locked cabinet, or occluded space not visible except for those with badge access, etc.) to limit PCCI from being accessed to those not permitted per contract or TCP. 

General Guidance on Electronic/Digital Controls

  • Store electronic files containing PCCI on WSU or IDP secure network drives, and follow specific
    TCP guidance on storage when applicable. In general, avoid locally storing PCCI on devices.
  • Limit processing of PCCI to WSU- or IDP- managed devices rather than personal devices.
  • When available, it is generally a best practice to encrypt electronic files containing PCCI.
  • In general, do not email PCCI “out in the open,” even within the WSU network. If you need to
    share files securely, consider secure methods as outlined in the relevant contractual terms or TCP.

General Guidance on Conversation Controls

  • When discussing PCCI, make sure that only those WSU personnel with a “need to know”, and who understand their confidentiality and compliance obligations, can hear.
  • When PCCI is being shared, make the participants aware and remind them of their obligations.

General Guidance on Disposition of PCCI when Access is No Longer Needed

  • Ensure that all copies (physical or digital) are destroyed or returned appropriately per relevant
    contractual terms or TCP.
  • When an individual no longer has a need-to-know or a need to be involved with the PCCI, the
    Primary Recipient should ensure both physical and electronic access is terminated.

General Guidance on Publications or Presentations (Formal or Informal)

  • Be aware of any approvals required by a specific project agreement and allow for the required time
    for the relevant external party to review the proposed publication or presentation.
  • When presenting information formally or informally, give special care to ensure the PCCI is not
    disclosed.
  • For Industry sponsored research, consider if it is necessary to identify the name of sponsor.

If you have any questions or concerns regarding the contents of this form, or safeguarding PCCI in general, please reach out via e-mail to exportcontrols@wichita.edu or via phone to (316) 978-COMP. Thank you!