Handling sensitive university data

Your responsibility

Last updated February 11, 2017

While performing your UW–Madison job, you will likely come into contact with many types of information or data, some of which may be considered sensitive (e.g., student grades, enrollment status) or restricted (e.g., social security numbers). It is important to understand your responsibilities for identifying, transmitting, redistributing, storing or disposing of this kind of sensitive information.

To handle data properly, you need to know what kind of data it is and what laws or standards, if any, might govern its use (or misuse). Some data must be kept private under laws such as FERPA (which protects many kinds of student data), HIPAA (which protects personal health information) and Section 895.507 of the Wisconsin Statutes (which requires notification if a data breach occurs). Some data is governed by industry standards such as PCI (which protects credit card holder information). Some data is legally public, under laws such as the Wisconsin Open Records law. (Be careful though… just because data is subject to an open records request doesn’t mean it doesn’t need to be protected!)

For further information about your responsibilities, see the Universities of Wisconsin policy.

Data classifications

UW–Madison has classified its institutional data assets into risk-based categories for determining who is allowed to access institutional data and what security precautions must be taken to protect it against unauthorized access and use.

Restricted

Data should be classified as restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects.  Data should be classified as restricted if:

  • protection of the data is required by law or regulation or
  • UW–Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed

Sensitive

Data should be classified as sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects.  Data should be classified as sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Internal

Data should be classified as internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects.  By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as internal data.

Public

Data should be classified as public prior to display on websites or once published without access restrictions, and when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

Best practices

  • If you work with data that has not been classified, it should be considered internal until the data owner assigns the classification.
  • Questions about classifying or handling the information should be directed to the data owner, your supervisor or IT Security. The data security triage form (.doc) can help you identify restricted data. IT Security can assist you in developing appropriate controls and processes to protect sensitive or restricted data.
  • Report the misuse or compromise of systems that handle, store or propagate restricted or internal data to the Office of Cybersecurity.
  • Question any business requirements that require the use, storage or propagation of restricted or internal data.

Data-type definitions

Restricted: Restricted information consists of data elements associated with a specific individual that are identified and protected by federal, state or local laws, regulations or adopted standards. Restricted information includes (but may not be limited to) the following kinds of information that can be linked to an individual:

  • Social security numbers
  • Driver’s license number or state identification number
  • Financial account number (including credit/debit card) or any security code, access code or password that would permit access to an individual’s financial account
  • Deoxyribonucleic acid profile, as defined in S. 939.74(2d)(a)
  • Unique biometric data, including fingerprint, voice print, retina or iris image or any other unique physical representation
  • Protected health information (any information about the health status, provision of health care, or payment for health care)

Risk impact: An assessment of the impact to the organization if the information is mishandled, leading to the compromise of the information’s confidentiality, integrity or availability.

  • High: A high risk impact is an event that would cause severe and long-term interference with the mission of the University or a business unit, or would result in major financial loss, or would result in severe harm to an individual’s life or livelihood.
  • Moderate: A moderate risk impact is an event that would cause significant interference with the mission of the University or business unit, result in significant financial loss, or result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
  • Low: A low risk impact is an event that would cause some interference with the mission of the University or business unit or result in minor harm to an individual’s well-being.