Guidelines for Identifying Sensitive and Legally-Protected Data
How can I tell if there is sensitive data on the machine?
- Pay attention to the work that the individual does. For example, if the person is a researcher, ask about research data that may contain names or other identifying tags. Ask if the research data should be secret and known only to the department. For example, if the person works in Procurement, think about tax IDs, which can be Social Security numbers.
- Ask this question: "If data on the drive was in the newspaper, would it be embarrassing for you or the department?"
- Contact the supervisor of the individual and ask about the type of work performed by this person.
- Be aware of the types of legally protected data:
  - Sensitive University Data as defined in the Administrative Access Policy. (Examples)
  - FERPA
  - HIPAA
  - GLBA
- Be aware of agreements with external parties, such as data covered under Non-Disclosure Agreements, Confidentiality Agreements, or Proprietary Information Agreements, or data otherwise restricted from distribution. Examples of third parties include the Department of Homeland Security, the Department of Defense, and the National Institutes of Health. Also be aware of the International Traffic in Arms Regulations and the Export Administration Regulations.
- If you do not feel confident in the answers provided and feel the drive needs further investigation, contact the IT Security and Policy Office, where a copy of the drive can be made. The copy will be given to the department for further searching.
