Confidential data refers to business sensitive, personally identifiable information (PII) or otherwise regulated data not intended for disclosure outside the organization.
The University of Dayton is required to comply with regulations such as:
- Family Educational Records Protection Act (FERPA)
- Health Information Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI-DSS)
Members of the UD community have a responsibility to:
Understand if your files contain sensitive data
Faculty and staff at UD use a wide variety of electronic information to facilitate University business. While much of this information is public, misuse of restricted or sensitive data could substantially damage UD’s reputation or put our institution at legal and financial risk.
- Regulated or Personally Identifying Information (PII): Information to which access must be restricted due to contractual or legal/regulatory considerations. Examples: student academic records (FERPA), social security numbers, credit card data (PCI), personal health information (HIPAA)
- Business Sensitive: Information of value to UD or which, if lost, might adversely impact our environment. Examples: proprietary research, pay scales and donor data
- Public: Information with no existing local, national or international legal restrictions on access. Public information may or must be open to the general public. Examples: course catalog, directory information
See UD's Electronic Use of Confidential Data Policy for more information about classifying the types of data you use.
Locate Personally Identifiable Information (PII)
Tools that assist in finding personally identifiable information include:
- Cornell Spider - http://www.it.cornell.edu/services/spider/howto/index.cfm
- IdentityFinder - http://www.identityfinder.com/us/Home/Free (personally owned machines only; the free version may not be used on UD-owned computers or laptops)
Store Data Appropriately
If you work with regulated or business sensitive data, take measures to ensure it’s stored properly.
Tips for storing Regulated and Business Sensitive data
- DO NOT use consumer cloud solutions such as Dropbox, SkyDrive, etc. for UD data.
- DO use Google Apps for Public, Business Sensitive and FERPA data.
- DO NOT overshare - make sure you’re only sharing files and folders with those authorized to see the content.
- DO store University of Dayton data on UD’s Novell and other servers specifically identified to process and store UD data.
- DO store Regulated and Business Sensitive data on encrypted computing devices – laptops, external hard drives, flash drives, etc.
- DO NOT store UD data on personal devices.
- If in doubt, contact your unit’s IT support staff or UD’s Help Desk.
Report an IT Security Breach
An IT Security Incident is any adverse event which compromises some aspect of computer or network security.
Security incidents that must be reported include:
- Compromise of user credentials (when there is reason to believe this has led to unauthorized access or loss of confidential data)
- Lost or stolen laptop
- Lost or stolen removable media containing sensitive UD information (CD, DVD, USB flash drive, external hard drive, smart cards)
- Malware or virus-infected computer (when there is reason to believe this has led to unauthorized access or loss of confidential data)
All incidents should be taken seriously and reported according to UD's policy on IT Incident Handling. When in doubt, report it!