UADA Sensitive Data Guidelines

Where to store sensitive data:

  • Unless other resources are required by your supervisor or job duties (e.g., Kofax, Perceptive Content, People Admin, etc.), UADA Box is the preferred storage location for electronic sensitive data and is the only location that the Division of Agriculture IT supports for sensitive data storage.
  • Email, external hard drives, flash drives, cloud storage (excluding Box), and other similar storage services and devices are not recommended.  If there is a need to use such services or devices, please contact AGRI Tech. 

What information is sensitive data?

 Personally Identifiable Information (PII)

  • Financial records
  • Race/gender/ethnicity 
  • Religious affiliation/preference
  • Social Security Number
  • Date of birth
  • Residency status
  • Disciplinary files
  • Performance reviews

 Student Information

  • Registration forms
  • Grades and transcripts
  • Student schedules
  • Class assignments
  • Class rosters
  • Student information displayed on your computer screen
  • Any electronic or paper document with the student’s ID or grade(s)
  • Directory information does not apply unless a student has asked for restricted access to that information

 Other Sensitive Data

  • Research projects and information concerning research programs
  • Proprietary information and Intellectual Property
  • Passwords and other sign-on credentials
  • Credit Card numbers and other payment information
  • Grant data
  • Individual donor information
  • Medical records and genetic information
  • Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual. 

NOTE: If you are unsure about the sensitive nature of information, please contact your supervisor.

 

Who should be accessing sensitive information?

Protecting sensitive data is the responsibility of all University employees.  When in doubt, don’t give it out.  Contact the registrar’s office or your supervisor for clarification as needed.

  • Employees who have a legitimate interest.
    • Legitimate interest is defined as an institution official’s need to review information in order to fulfill a responsibility that is part of their job duties.
    • Others who are performing a function on behalf of an institution with legitimate interest.
  • Access to personal information via computer software or websites does not authorize unrestricted use of that information.
  • Family or friend relationships are not a valid reason to view personal information.
  • Records should only be used in the context of official business.

CAUTION: Disclosure to an instructor with a legitimate educational interest does not authorize disclosure of that information to a third party.

 

Best Practice Guidelines

  • Only use AGRI Tech created Share Folders for sensitive data. 
  • Keep your password secure. Never give your password to anyone and avoid writing passwords on paper, electronic documents, or sending them using messaging services. 
  • Lock your computer before walking away from it.
  • Do not leave sensitive data on your computer screen where others can see it. 
  • If sensitive data is no longer valid and/or useful, destroy the information in a secure manner. 
    • Contact AGRI Tech for secure disposal of all physical media storage devices when no longer needed, including external and internal hard drives, DVDs, CDs, USB drives, etc. This applies even if the device is in an unusable state.
  • Keep electronic devices within view or securely stored at all times.
    • Report lost or stolen devices (computers, tablets, phones, USB drives, etc.) to AGRI Tech immediately.
    • Enable lock codes for all mobile devices.
    • Do not allow visitors, including significant others and children, to use your University-owned devices or accounts.
  • Keep printing and photocopying of documents containing sensitive data to a minimum.
    • When retrieving documents from a printer, ensure that only the intended documents are taken.
    • When printing to a shared printer, if a document containing sensitive data has been removed from the printer by someone else, investigate and attempt to retrieve the document.
  • When providing sensitive data to a recipient (whether by email, fax, phone, in person, or by mail), double-check each page to ensure it belongs to the correct recipient.
    • If sending to a group email list, be certain of every recipient and their authority to receive the information.
    • It is recommended that email messages sent to external addresses should include a confidentiality statement, regardless of whether the email message contains sensitive data.
      • Sample for use: This message and any attachment is intended solely for the use of the intended recipient(s) and may contain information that is privileged, confidential or proprietary. If you are not an intended recipient, please notify the sender, and delete and destroy all copies and attachments. Please be advised that any review or dissemination of, or the taking of any action in reliance on, the information contained in or attached to this message is prohibited.
    • If email encryption is required, check with AGRI Tech.
  • When using Guest Wi-Fi at other institutions, connect to the campus VPN to ensure a secure connection.  
  • All persons (visitors, vendors, and others) who are not authorized to have access to sensitive data must, to the extent reasonably practical, be supervised, escorted or observed when visiting.

 

Additional Resources:

https://vcfa.uark.edu/fayetteville-policies-procedures/uits/3094.php

https://vcfa.uark.edu/fayetteville-policies-procedures/uits/3095.php

https://its.uark.edu/accounts-security/cybersecurity/secure-data.php

https://www.uasys.edu/wp-content/uploads/sites/16/2016/04/UASP-515.1-Student-Education-Records-and-FERPA.pdf