Handling Sensitive University Data

• U of A
• IT Services
• Accounts and Security
• Cybersecurity
• Handling Sensitive University Data

Your Responsibility

While performing your job at the university, you will likely encounter many types of data, some of which may be considered sensitive (e.g., student grades, enrollment status) or restricted (e.g., social security numbers). It is important to understand your responsibilities for identifying, transmitting, redistributing, storing, or disposing of this kind of sensitive information.

To handle data properly, you need to know what kind it is and what laws or standards, if any, might govern its use. Some data must be kept private under laws such as FERPA (which protects many kinds of student data) and HIPAA (which protects personal health information). Some data is governed by industry standards such as PCI (which protects credit card holder information). Some data is legally public under laws like the Open Records law. However, just because data is subject to open records request doesn’t mean it doesn’t need to be protected!

For further information about your responsibilities for protecting restricted data, see the university policy on Highly Sensitive Data Clean Desk and Clear Screens.

Best practices

• If you work with data that has not been classified, it should be considered highly sensitive  until the data owner assigns the classification.
• Questions about classifying or handling the information should be directed to the data owner, your supervisor, or the Office of the Chief Information Security Officer (CISO). The Office of the CISO can assist you in developing appropriate controls and processes to protect sensitive or restricted data.
• Report the misuse or compromise of systems that handle, store, or propagate restricted or highly sensitive data to the Office of Cybersecurity.
• Question any business requirements that require the use, storage, or propagation of restricted or highly sensitive data.
  
  

Data Classifications

The University of Arkansas has classified its institutional data assets into risk-based categories for determining who is allowed to access institutional data and what security precautions must be taken to protect it against unauthorized access. See the university policy on Data Classification for additional information.

Highly Sensitive

Data should be classified as restricted when the unauthorized disclosure, alteration, loss, or destruction of that data could cause a significant level of risk to the university, affiliates, or research projects. Any file or data that contains personally identifiable information (PII) of a trustee, officer, agent, faculty, staff, retiree, student, graduate, donor, or vendor may also qualify as highly sensitive. Some examples include, but are not limited to:

• Student records (except for that information designated by the university as directory information under Family Educational Rights and Privacy Act) and other non-public student data,
• Unique identifiers such as Social Security numbers or university ID numbers,
• Payment card numbers and related elements as defined by the Payment Card Industry and governed by the University of Arkansas payment card policy series (309.0-309.3),
• Certain personnel records such as benefits records, health insurance information, retirement documents and/or payroll records
• Health information, also known as protected health information (PHI). See the university policy on Data Classification for more information about PHI.

Internal

Internal data is sensitive institutional information restricted to personnel who have a legitimate need for accessing it. This mainly includes information made available through open records requests or other formal or legal processes. Some examples of internal data include, but are not limited to:

• Employment data
• Business partner information where no more restrictive confidentiality agreement exists
• Internal directories and organization charts
• Planning documents

Public

Data is considered public prior to being displayed on websites or when published without access restrictions; and when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the university and its affiliates. Some examples of public data include, but are not limited to:

• Press releases
• Schedules of classes
• University maps, newsletters, newspapers, and magazines
• Telephone directory information