Search
eHelp  

eHelp » Security » Faculty and Staff » Defining Sensitive Data

• How do you define sensitive data?
• Confidential Information
• Internal-Use Only
• Unrestricted Information
• Important Notes

How do you define sensitive data?

A lot has been said about how you should secure your data, but little attention has been given to what data needs securing.

• How do you know what should and should not be stored on your laptop?
• How do you classify the security of your Access database?
• What types of documents should be secured and what types should not?
• Are you legally responsible for the confidential data you store?

The term Electronic Protected Information (or "ePI") appears frequently in laws and regulations. In keeping with state and federal legislation, Cal Poly Pomona classifies "ePI" into three categories: Confidential, Internal-use-only and Unrestricted.

Confidential Information

Confidential Information requires the highest level of protection. This category pertains to any and all sensitive information about students, faculty, staff and the University. Good examples include: financial information, social security numbers and passwords. This information should be treated very carefully and should never be left open to attack (i.e. left on a traveling laptop or left unencrypted). Here's a quick list of the most sensitive confidential data:

•  Social Security Number
•  Income tax records
•  Date of birth
•  Financial Information
•  Place of birth
•  Drivers license numbers
•  Mother's maiden name
•  Credit card numbers
•  Bank account numbers
•  Personal address
  
  

A good rule of thumb

The type of information that is requested by an operator when you call your bank or credit card company is the type of information that you should consider confidential.

Click here to learn how to remove confidential information from your computer.

Internal-Use Only

Internal-use only information is the kind of data that warrants moderate protection. Those who house this information (the data owners) should take steps to limit the distribution of this information.

Internal-use only data includes:

• Internal memos
• Internal emails
• Any documents whose distribution is limited to the data owner and/or those the data owner offers access.

Unrestricted Information

Unrestricted information is the type of data that can be freely disseminated to anyone as it has already been made publicly available. Examples include:

• Public web content
• BroncoName
• CPP email address
• University/campus information
• Job titles
• Published documents
• Office locations

Important Notes

It must be noted that mistreament and mis-storage of confidential/sensitive data is not only against university policy, it can also be a legal issue. There are laws and regulations that govern specific types of data.

The Family Educational Rights and Privacy Act (FERPA), protects personal information about current and former students.  See CPP FERPA for more details.

The Health Insurance Portability and Accountability Act (HIPAA), governs the use of protected health information. See CPP HIPAA for more details.

The Gramm-Leach-Bliley Act (GLB Act), protects personal financial information.  Visit the Federal Trade Commission's site for more details on the Gramm-Leach-Bliley Act (GLB Act).

Under federal law, violations of HIPAA, GLB Act and FERPA may result in civil monetary penalties of up to $250,000 per year and criminal sanctions including fines and imprisonment.

Know your data: Determining which category your data falls into is the first step towards securing it.