Examples of Sensitive Information

Introduction

For the purposes of clarity, remember there are only two classifications of information with respect to information security at UNC-Chapel Hill. There is sensitive information and there is public information. see the University’s Information Security Policy (http://its.unc.edu/ccm/groups/public/@its/documents/content/ccm1_033440.pdf) for guidance on the classification of sensitive information. Below are the definitions as they are written in policy.

Sensitive information is defined as data that is protected against unwarranted disclosure. Access to sensitive information should be safeguarded. Protection of sensitive information may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.

Sensitive information includes all data, in its original and duplicate form, for which there is either a legal, ethical, or contractual requirement that it be protected or access-restricted. The most prevalent examples of sensitive information legislation include HIPAA, FERPA, and the NC Identity Theft Protect Act, but there are others.

Sensitive information also includes any data that is protected by University policy from unauthorized access. This information must be restricted to those with a legitimate business need for access. Examples of sensitive information may include, but are not limited to, some types of research data (such as research data that is personally identifiable or proprietary), public safety information, financial donor information, information concerning select agents, system access passwords, information security records, and information file encryption keys.

Public information is simply all information made or received by the University that does not constitute sensitive information. Sensitive information that is disclosed without proper authorization does not, by virtue of its disclosure, become public information. Some examples of public information might include most purchase contracts, many accounting records, some forms of de-identified research data, etc.

PII PHI Employee Data FERPA Non-public Information
Sensitive (Y/N) Y Y Y Y Y
Applicable Lawsand Regulations NC Identity Theft Protection ActGramm Leach Bliley Act (GLBA) Health Insurance Portability and Accountability Act of 1996 (HIPAA) GLBAState Personnel Act Family Educational Rights and Privacy Act (FERPA)
Requires Encryption (Y/N) Y Y N N N
Has Applicable Security Standards (Y/N) Y Y Y Y Y
SAI Applicable for Servers (Y/N)1 Y Y Y Y Y
Examples 1. Social security or employer Tax ID Numbers.2. Driver’s license, State identification card, or passport numbers.3. Checking account numbers.4. Savings account numbers.5. Credit card numbers.

6. Debit card numbers.

7. Personal Identification (PIN) Codes used to authorize electronic use of a Financial Transaction Card.

8. Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names.

9. Digital signatures (an electronic representation that is unique to an individual that is very difficult to fake since it utilizes an encryption process to ensure uniqueness).

10. Any other numbers or information that can be used to access a person’s financial resources.

11. Biometric data.

12. Fingerprints.

13. Passwords.

14. Parent’s legal surname prior to marriage.

Note: Electronic mail names are only considered Personal Identifying information (PII) when they are stored in a context that would allow access to a person’s financial information or assets.

1. Names.2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code.3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age> 90.4. Phone numbers.5. Fax numbers.

6. Electronic mail addresses.

7. Social Security numbers.

8. Medical record numbers.

9. Health plan numbers.

10. Account numbers.

11. Certificate/license numbers.

12. Vehicle identifiers and serial numbers, including license plates.

13. Device identifiers and serial numbers.

14. Web Universal Resource Locators (URLs).

15. Internet Protocol (IP) address numbers.

16. Biometric identifiers, including finger and voice prints.

17. Full face photographic images and any comparable images.

18. Any other unique identifying number, characteristic, or codes.

Note: the 18 identifiers are considered PHI when stored in combination with health information.

1. Dependent financial information.2. Credit rating / history.3. Non-banking related financial information.4. Income levels, financial worth statements, and sources, etc.5. Work plans and fitness reports. 1. Non-directory information such as grades.2. Student application information.3. Student Financial Services information.4. Wire transfer information.5. Payment history.

6. Financial aid / grant information.

7. Student tuition bills

1. Information covered by non-disclosure.2. Information that if released causes reputational damage to the University.3. Contracts.4. Configuration details for information resources with access to restricted data,5. Usernames and password stores,

6. Donor information.

7. Lab animal care information.

8. Copyright protected information.

9. Patent protected information.

10. Research data classified as sensitive by an IRB.

Relevant Help Pages: http://help.unc.edu/help/securing-sensitive-information/; http://help.unc.edu/help/what-is-sensitive-data/

Relevant Policies: http://its.unc.edu/ITS/about_its/its_policies/index.htm ; Policy Summaries

Note1: Any servers containing sensitive information must be registered with the Information Security Office. These servers will be monitored and reviewed as part of the System Administration Initiative (SAI). Please contact 962-HELP for assistance with registering.

Directory information (Name, PID, Email Address, Telephone Number, etc.) is not considered sensitive unless accompanied by information from one or more of the above categories