Administrative Procedures Handbook

Sensitive Data Handling Procedures

University policy requires that controls be in place to manage risk to the confidentiality, integrity and availability of sensitive data in any form; these controls represent a minimum standard for protection of this data. Additional controls required under applicable laws, regulations, or standards governing specific forms of data (e.g., health information, credit cardholder data, student data) may also apply.

Each individual who creates, uses, processes, stores, transfers, administers, and/or destroys sensitive university information is responsible and accountable for complying with these standards.

Security Classifications

Security classifications are categories of university information based upon intended use and the expected impact if disclosed. Data classifications are defined by data owners, with two exceptions: SSNs and credit card data, which are explicitly defined and protected by policy.

  • Public
    Information intended for public use that, when used as intended, would have little to no adverse effect on the operations, assets, or reputation of the university, or the university's obligations concerning information privacy. Information typically found on the Internet.
  • Internal
    Information not intended for parties outside the university that, if disclosed, could have adverse effect on the operations, assets, or reputation of the university, or the university's obligations concerning information privacy. Information typically found on an Intranet.
  • Sensitive
    Information intended for limited use within the university that, if disclosed, could be expected to have a serious adverse effect on the operations, assets, or reputation of the university, or the university's obligations concerning information privacy.

Creation

University employees create records as part of the normal course of conducting the business of the university. These records document the decisions and activities of our complex educational and business enterprise. It is essential that they be created and maintained appropriately throughout their entire life cycle.

Sensitive information contained in university records constitutes an area of critical concern because of the severe risk to the university should records be mishandled or information inappropriately accessed or disclosed. As a consequence, records containing sensitive information should exist only in areas where there is a legitimate and justifiable business need.

Campus Units should work to identify and track all university records through their life cycle by way of records retention schedules (prepared in collaboration with administrative offices such as the Business Office and university Archives) as defined by state law. A first priority in this effort should be the identification of sensitive information. Records schedules will document the existence of these materials, the rationale behind keeping them, and help ensure their availability during the period in which they are vital as either active administrative or historical records. Record retention schedules also will work to ensure the timely disposal of non-permanent, inactive records, thereby mitigating the risk of exposure of information when it no longer serves an active administrative or historical function.

Access

Sensitive information requires strict control, very limited access and disclosure, and may be subject to legal restrictions. In some cases, information is sensitive because it has been aggregated into a single document.

Only university employees who have authorization from the data owner(s), and have a signed confidentiality agreement on file, may have access to sensitive information. Any other disclosure of sensitive information requires the written approval of the appropriate Officer of the university, in consultation with general counsel as necessary. Things to remember when working with sensitive data:

  • As a general rule, employees are not allowed to take sensitive data off campus (or to make unofficial copies).
  • Where access to sensitive data has been authorized, use of such data shall be limited to the purpose required to perform university business.
  • Users will respect the confidentiality and privacy of individuals whose records they access, observe ethical restrictions that apply to the information they access, and abide by applicable laws and policies with respect to accessing, using, or disclosing information.
  • Notification of a user’s termination or removal of authorized access to sensitive information must be conveyed immediately to University Technology.

Use, Transmission and Disposal

The following controls are required when using, transmitting or disposing of sensitive information.

  • Do not discuss or display it in an environment where it may be viewed or overheard by unauthorized individuals.
  • Do not leave keys or access badges for rooms or file cabinets containing such information in areas accessible to unauthorized personnel.
  • When printing, photocopying or faxing it, ensure that only authorized personnel will be able to see the output.
  • Store paper documents in a locked drawer and in a locked room, or in another secure location approved by the Data Owner.
  • Properly identify such information as sensitive to all recipients, by labeling it "Sensitive", providing training to personnel, explicitly mentioning the classification, or similar means.
  • Storage of sensitive data on mobile devices (e.g., removable media, mobile phones, laptops, tablets) is prohibited unless approval is obtained from University Technology.
  • Do not send this information via email, instant message, chat or unsecured file transfer (such as FTP) unless it is encrypted.
  • Follow an established and documented software development lifecycle when building applications that process sensitive information.

Transport

The following controls are required when transporting sensitive information:

  • When sending such information by mail (including U.S. Postal Service, DHL, UPS, FedEx, etc.), the sender must obtain secure, certified, tracking and signature confirmation services and use a tamper-evident sealed package. It is highly recommended that the sensitive data items be obfuscated or encrypted beforehand.
  • Do not send unencrypted sensitive information by campus mail or email.
  • Do not remove sensitive information from an approved secure location without prior approval of the data owner, appropriate VP area or legal counsel.
    • As a general rule, employees are not allowed to remove sensitive data from the university.
    • In the event that an individual employee or job responsibility requires sensitive information to be removed from the university, the information (whether electronic or paper) must be protected at all times from inappropriate disclosure. Each department that has individual employees or positions requiring sensitive data to be removed from the university must have appropriate procedures in place for protecting the data while outside the university and destroying the data when it is no longer required to perform the job.
  • University Technology-approved tape media containing sensitive data should be encrypted using an approved encryption method before being sent offsite. Where feasible, alternatives to mail delivery must be utilized, such as a secured, encrypted online transmission. Transmissions that utilize passwords to encrypt or decrypt data must have their own unique identifier or password.

Disposal of Records, Computers and Media

  • Department managers are responsible for educating and training employees as to the purpose of this policy and how to dispose of information properly.
  • University records should be destroyed in accordance with University record retention guidelines.
    • For approved instances of sensitive data residing on electronic devices, ensure destruction occurs using physical destruction techniques or by using a DOD-approved wiping method. Reformatting a hard drive is not sufficient to securely remove all data.
    • Shred (crosscut shredding recommended) or pulp all highly sensitive information in paper form. This includes all transitory work products (e.g., unused copies, drafts, notes).
  • Ensure that obsolete computers and electronic media (anything that can store data, such as CDs, DVDs, thumb drives, diskettes, iPods, etc.) are disposed of properly so that no data remains. This may entail physical destruction of the computer's hard drive (or electronic media) or may instead entail electronic measures such as erasing the hard drive via a DOD-approved method. University Technology (uTech) has procedures and technologies in place to dispose properly of old university computers. Contact University Technology (uTech) for details.