Securing sensitive information

Definition of Personal Data

G.S. 14 113.20(b) defines personal data as a person’s first name or first initial and last name in combination with identifying information. Personal information does not include information in publicly available directories which an individual has voluntarily consented to have publicly disseminated or listed. Please note that UNC-Chapel Hill permits students to define that any or all of the directory information may not be publicly disclosed. The University Registrar handles such requests and determines which student information will become part of the directory.

Directory Information

  • the student’s name
  • address (local and grade/billing address)
  • student e-mail address
  • telephone listing (local and grade/billing telephone numbers)
  • date and place of birth
  • major field of study
  • class (freshman, sophomore, etc.)
  • enrollment status (full-time, half-time, part-time)
  • personal ID number (PID)
  • anticipated graduation date
  • participation in officially recognized activities and sports
  • weight and height of members of athletic teams
  • dates of attendance, degrees and awards received
  • the most recent previous educational agency or institution attended by the student
  • the county, state and/or U.S. territory from which the student entered the University

Identifying Information under G.S. 14 113.20(b):

Social security or employer taxpayer identification numbers.

Drivers license, State identification card, or passport numbers.

Checking account numbers.

Savings account numbers.

Credit card numbers.

Debit card numbers.

Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).

Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names.

Digital signatures.

Any other numbers or information that can be used to access a person’s financial resources.

Biometric data.

Fingerprints.

Passwords.

Parent’s legal surname prior to marriage.

Definition of Legally Protected Data under HIPAA, FERPA and GLBA

Consult the document What is Sensitive Data? for information on what constitutes sensitive information. Sensitive information is defined by state and federal laws and is subject to specific procedures for safeguarding and disclosure. If you suspect that a computer harboring sensitive information may have been compromised, please contact 962-HELP immediately and ask for ITS Security to be notified of the suspected compromise. To minimize the compromise, disconnect your computer from the network by either physically unplugging the network cable or disabling the wireless connection or both.

Definition of Health Insurance Portability and Accountability Act (HIPAA) Data

HIPAA regulations, specifically the HIPAA Privacy Rule, address the use and disclosure of an individual’s health information (called “protected health information” (PHI)) by organizations subject to the Privacy Rule (called “covered entities”) as well as standards for an individual’s privacy rights to understand and control how their health information is used. As a covered entity, UNC-Chapel Hill is subject to HIPAA regulations. HIPAA-regulated information includes information collected in connection with health care procedures, including collection through Student Health Services or UNC Hospitals. Examples include any identifiable demographic information, such as the date of birth, as well as other information relating to past, present, or future physical or mental health of an individual. Included in this definition is genetic information as well as payment information generated as part of a person’s health record and treatment.

Under HIPAA, health information combined with any of the following unique identifiers is considered sensitive data:

  • An individual’s names
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalents, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census the geographic unit formed by combining all zip codes with the same three initial digits contains less than 20,000 people
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual

For tips on protecting sensitive information subject to HIPAA, consult the HIPAA resource page from the UNC School of Medicine.

Definition of Gramm-Leach-Bliley Act (GLBA) Data

  • The Office of Student Accounts
  • The Admissions Office of the School of Medicine
  • The Admissions Office of the School of Nursing
  • The OneCard Office

Definition of Family Educational Rights and Privacy Act (FERPA) Data

FERPA covers the protection of educational records. Educational records are records that directly relate to a student and are maintained by a school or agent. The definition is broad enough to cover electronic records. Under FERPA, no such record or unique ID information can be disclosed without the consent of the student. It is important to note that education records may not be limited to official records, but include anything that may be publicly available and pertain to a specific student, including post-it notes, emails, or photos.

Important exceptions under FERPA include consent by the affected student that waives the protection of FERPA and the release of educational records. In addition, access to educational records may be granted without the consent of the student to persons with an educational interest.

UNC Departments Most Likely Maintaining Educational Records

The following departments at UNC-Chapel Hill most likely maintain educational records and therefore are subject to safeguards for the protection of sensitive information in educational records. Even if your department is not included on the list, you may still deal with educational records. If in doubt whether information constitutes an educational record, contact your supervisor.

  • Academic departments and schools
  • Alumni Office
  • Athletics Department
  • College of Arts and Sciences
  • Department of Housing and Residential Education
  • Division of Continuing Education
  • Faculty members in their roles as advisers and teachers
  • General College
  • Graduate School
  • Human Resources Employee Records Department (for teaching assistant, research assistant, and graduate assistant records pertaining to students)
  • Office of Scholarships and Student Aid (also for work-study student records)
  • Summer School Office
  • Office of the University Registrar
  • Office of the Vice Chancellor for Student Affairs
  • School of Dentistry
  • School of Law
  • School of Medicine
  • Student Health Services
  • University administrative and business offices
  • University Career Services
  • Office of Student Accounts and University Receivables
  • Veterans Services

Guidelines for Securing Computers Containing Sensitive Data Covered by FERPA and GLBA

The following checklist can be used as a guide for securing computer systems containing sensitive information. If you suspect a compromise has occurred, please contact ITS Help immediately at 962-HELP and ask for a Remedy ticket to be created that informs ITS Security about the suspected compromise. To minimize the compromise, disconnect your computer from the network by either physically unplugging the network cable or disabling the wireless connection or both.

  • Know which student data may be released without permission and which may not.
  • Guard access to computers by using strong passwords.
  • Change passwords periodically.
  • Maintain password confidentially. Do not post passwords.
  • Encrypt sensitive customer communications when transmitting or storing such communications electronically.
  • Refer requests for information only to other authorized individuals who have been properly trained.
  • Protect storage areas from physical hazard such as fire or flood.
  • Store electronic data on a securely administered server located in a physically secured area, and limit local workstation storage as much as possible.
  • Maintain and secure backups of protected data.
  • Use SSL or other secure connection to encrypt protected data in transit.
  • Caution customers and/or students against transmitting sensitive information by e-mail.
  • If e-mail is used, secure the receiving account and encrypt transmission, if possible.
  • Use audit and oversight procedures to detect improper disclosure or theft of protected information.
  • Install software patches in a timely manner.
  • Update virus definitions automatically.
  • Backup your GLBA/FERPA data.
  • Use tools like passwords and other personal identifiers to authenticate the identity of customers and/or students seeking to transact business electronically.
  • Notify customers promptly if their non-public personal information is subject to loss, damage or unauthorized access.
  • Limit access to protected information to those who have a business reason to see it.