Handling and Securing Sensitive University Data

Summary

University employees have a legal responsibility to protect personal data for all students, faculty, and staff. Unprotected data can lead to identity theft and put the university at risk.

Body

While performing your job at the university, you will likely encounter many types of data, some of which may be considered sensitive (e.g., student grades, enrollment status) or restricted (e.g., social security numbers). It is important to understand your responsibilities for identifying, transmitting, redistributing, storing, or disposing of this kind of sensitive information. University employees have a legal responsibility to protect personal data for all students, faculty, and staff. Unprotected data can lead to identity theft and put the university at risk.

To handle data properly, you need to know what kind it is and what laws or standards, if any, might govern its use. Some data must be kept private under laws such as FERPA (which protects many kinds of student data) and HIPAA (which protects personal health information). Some data is governed by industry standards such as PCI (which protects credit card holder information). Some data is legally public under laws like the Open Records law. However, just because data is subject to open records request doesn’t mean it doesn’t need to be protected!

For further information about your responsibilities for protecting restricted data, see the university policy on Highly Sensitive Data Clean Desk and Clear Screens.

Best practices

  • If you work with data that has not been classified, it should be considered highly sensitive until the data owner assigns the classification.
  • Questions about classifying or handling the information should be directed to the data owner, your supervisor, or the Office of the Chief Information Security Officer (CISO). The Office of the CISO can assist you in developing appropriate controls and processes to protect sensitive or restricted data.
  • Report the misuse or compromise of systems that handle, store, or propagate restricted or highly sensitive data to the Office of Cybersecurity:
    https://help.uark.edu/CherwellPortal/ITHelpPortal2/Command/OneStep.LaunchOneStep?Name=InfoSecResponseInvestigateIncident
  • Question any business requirements that require the use, storage, or propagation of restricted or highly sensitive data.
  • If you or your department needs to store data considered highly sensitive, please contact storage@uark.edu to discuss solutions.
  • Use email encryption when sending and receiving sensitive data.
  • Only store grades in Blackboard Learn, UAConnect, or a secure university file storage solution (OneDrive).
  • Protect your UARK account with safe password management.
  • Never leave devices unattended unless locked by password and physically secured in locked cabinets, etc.
  • Encrypt files on all external storage media, for example, hard drives, USB flash drives, etc.
  • Follow the steps to report lost or stolen devices immediately.
  • Use the SANS Web Application Security Checklist.

University Policies

Federal Laws and Regulations

Data Classifications

The University of Arkansas has classified its institutional data assets into risk-based categories for determining who is allowed to access institutional data and what security precautions must be taken to protect it against unauthorized access. See the university policy on Data Classification for additional information.

Highly Sensitive

Data should be classified as restricted when the unauthorized disclosure, alteration, loss, or destruction of that data could cause a significant level of risk to the university, affiliates, or research projects. Any file or data that contains personally identifiable information (PII) of a trustee, officer, agent, faculty, staff, retiree, student, graduate, donor, or vendor may also qualify as highly sensitive. Some examples include, but are not limited to:

  • Student records (except for that information designated by the university as directory information under Family Educational Rights and Privacy Act) and other non-public student data,
  • Unique identifiers such as Social Security numbers or university ID numbers,
  • Payment card numbers and related elements as defined by the Payment Card Industry and governed by the University of Arkansas payment card policy series (309.0-309.3),
  • Certain personnel records such as benefits records, health insurance information, retirement documents, and/or payroll records,
  • Health information, also known as protected health information (PHI). See the university policy on Data Classification for more information about PHI.

Internal

Internal data is sensitive institutional information restricted to personnel who have a legitimate need for accessing it. This mainly includes information made available through open records requests or other formal or legal processes. Some examples of internal data include, but are not limited to:

  • Employment data
  • Business partner information where no more restrictive confidentiality agreement exists
  • Internal directories and organization charts
  • Planning documents

Public

Data is considered public when it is displayed on websites or published without access restrictions, and when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the university and its affiliates. Some examples of public data include, but are not limited to:

  • Press releases
  • Schedules of classes
  • University maps, newsletters, newspapers, and magazines
  • Telephone directory information

Details

Article ID: 75
Created: Wed 12/20/23 4:43 PM
Modified: Mon 3/18/24 3:45 PM
