Sensitive Data Types
Attorney - Client Privileged Information
Confidential communications between a client and an attorney for the purpose of securing legal advice. For the privilege of confidentiality to exist, the communication must be to, from, or with an attorney.
Credit Card or Payment Card Industry (PCI) Information
Information related to credit, debit, or other payment cards. This data type is governed by the Payment Card Industry (PCI) Data Security Standards. Credit or debit card numbers cannot be stored in any electronic format without the expressed, written consent.
College restrictions do not apply to your own personal credit card information. However, it is recommended that you follow the same precautions with regard to your own personal information as you would with university data.
Export Controlled Research (ITAR, EAR)
Data Type Description
Export Controlled Research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern this data type. Current law requires that this data be stored in the U.S and that only authorized U.S. persons be allowed access to it.
- Examples
- Chemical and biological agents and toxins
- Military electronics
- Documents detailing work on new formulas for explosives
- Military or defense articles and services
- Dual use technologies (technologies with both a military and commercial application)
- Encryption technology
- Nuclear technology
- Space technology and satellites
- Laws/Regulations/Policies
- U.S. Department of Commerce Export Controls
Federal Information Security Management Act (FISMA) Data
The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for information technology systems and store the data on U.S. soil. This means that, under some federal contracts or grants, information universities collect or information systems that a university uses to process or store research data need to comply with FISMA.
Whether data is regulated by FISMA is typically called out in a Request for Proposal (RFP) or in contract or grant language. It is important that researchers review grant and contract language closely to identify FISMA or other information security requirements.
IT Security Information
IT Security Information consists of information that is generated as a result of automated or manual processes that are intended to safeguard IT resources. It includes settings, configurations, reports, log data, and other information that supports IT security operations.
Other Sensitive Institutional Data
Data will typically be classified as sensitive if any of the following are true:
- Unauthorized disclosure may have serious adverse effects on the college’s reputation, resources, or services or on individuals
- It is protected under federal or state regulations.
- There are proprietary, ethical, or privacy considerations.
Personally Identifiable Information (PII)
Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person, such as an employee, student, or donor. PII should be accessed only on a strictly need-to-know basis and handled and stored with care.
PII is information that can be used to uniquely identify, contact, or locate a single person. Personal information that is “de-identified” (maintained in a way that does not allow association with a specific person) is not considered sensitive. Note that student or employee ID numbers by themselves are not considered sensitive or personally identifiable information. While Social Security numbers are a type of PII, the legal requirements for protecting them are much more stringent than for other PII.
College policies, contractual obligations, and federal and state laws and regulations require appropriate protection of PII that is not publicly available. These regulations apply to PII stored or transmitted via any type of media: electronic, paper, microfiche, and even verbal communication.
PII does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Protected Health Information (HIPAA)
Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the
- Past, present, or future physical or mental health or condition of an individual.
- Provision of health care to the individual by a covered entity (for example, hospital or doctor).
- Past, present, or future payment for the provision of health care to the individual.
Researchers should be aware that health and medical information about research subjects may also be regulated by HIPAA.
Social Security Numbers
Social Security numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, Social Security benefits, and other purposes. Social Security numbers are a primary target for identity thieves. While Social Security numbers are a type of Personally Identifiable Information (PII), the legal requirements for protecting them are much more stringent than for other PII.