Sensitive Information Handling
- What is considered sensitive information?
Though there are specific things the University considers sensitive (PDID, PII, etc.), always ask yourself: if this were your information, would you want it public or protected? Here are the items the University considers to be data that should be protected:
- Social Security Number
- Bear Number
- Race
- Ethnicity
- Nationality
- Gender
- HIPAA data
- Credit Card Information
- Grades
- Are there instances where this data does not need to be protected?
Yes. Sensitive information must be protected if it can be used to identify an individual. For example, a report that shows the ratios of various ethnicities of the students who attend UNC would not need to be protected, since that data can’t be tied to any one student. However, if a name were listed with an ethnicity tied to it, that would need to be protected. Items like Social Security Number are always protected.
- What data are we allowed to publish?
Unless the student has filled out a Request for Non-Disclosure of Directory Information with the Registrar’s Office stating that they do not want their information published, we are allowed to publish the following information about students:
- Name
- Address & Phone
- Email Address
- Enrollment Status
- Date of Birth
- Degrees Pursued
- Dates of Attendance
- Major
- Classification
- Degree Conferred and Dates Conferred
- Participation in Recognized Sports
- Honors, Awards, Publications
- Physical Factors of Athletes
- What do I do with printed documents containing sensitive information?
Lock them in a file cabinet, desk drawer, or office while you still need them. When they are no longer needed, they should be shredded. This is best done by using an office-sized shredder and then putting the shredded materials in the recycle bins. If you do not have an office-sized shredder, one may be purchased for your area at Bear Logic, the campus technology store inside the University Center. There are also tall, grey bins with a slot in the lid throughout campus that you can drop your papers into for professional shredding. If the bin is overflowing, please contact Facilities Management at (970) 351-2446 or the Technical Support Center at 351-HELP.
- What if the information is stored electronically and I want to protect it?
Encryption is the best method for storing sensitive information. This can be done through Windows Rights Management (WRM) for Microsoft Office files. Laptops can be encrypted with full disk protection using Microsoft BitLocker or Apple FileVault. For documents that cannot be protected with Windows Rights Management (e.g., Adobe PDF files), using password protection is the preferred method.
To use Windows Rights Management (WRM) protection:
Open the document you would like to protect.
Click on the Office icon in the upper left hand corner of the screen.
Click on Prepare.
Click on Encrypt Document.
Type in a password (and type a second time to confirm).
Save the document.
To use full disk encryption with Microsoft BitLocker or Apple FileVault, contact the Technical Support Center at 351-HELP.
To password protect a PDF document:
Locate the file you would like to protect.
Right click the file and click on SEND TO, COMPRESSED (ZIPPED) FOLDER. This will create a folder with the same name as the file and place it in the same location as the file. (For example, if you zipped a file called “UNC.pdf” from your desktop, you will now find a folder called “UNC” on your desktop as well.)
Go to the newly created zipped folder.
Double click on the zipped folder.
Click on FILE, then ADD A PASSWORD.
Type in the password you would like to use and click OK.
Close the zipped folder.
Open a new email.
Attach the ZIPPED folder (not the original file).
Send the password in a separate email, or provide it over the phone.
- How would I email sensitive information to others at the University?
You can email sensitive information using Windows Rights Management (WRM) to protect the file contained within an email, or to protect the email itself.
Follow these simple steps to encrypt a Microsoft Office file:
Click on the Office icon in the upper left hand corner of the screen.
Click on Prepare.
Click on Encrypt Document.
Enter a password (then confirm).
Save the document.
For setting restrictions on Microsoft Outlook emails:
Click on the Office icon in the upper left hand corner of the screen.
Click on Permission.
Click on Manage Credentials and set your preferences there.
NOTE: If you use Windows Rights Management (WRM) to protect an email that contains an attachment, and you have not encrypted that attachment, the attachment itself would not be protected; only the email would be. So to protect both an email’s contents and its attachment, you would need to use Windows Rights Management (WRM) protection on both.
- How would I dispose of electronically stored sensitive information?
Sensitive information that is no longer needed and is stored on mobile phones, thumb drives, CDs, iPods, external disk drives, floppy disks, hard drives, etc. can be brought to the Carter Hall Data Center on the lower level for proper certified destruction.
- What is PII?
Any piece of information which can potentially be used to uniquely identify, contact, or locate a person or can be used with other sources to uniquely identify a single individual.
- What is FERPA?
It stands for “The Family Educational Rights and Privacy Act.” In non-legal terms, this basically means that UNC must provide students with access to their education records, the chance to amend the records, and some control over the disclosure of information from the records. They can request that their directory information not be published, for example. This would also prevent parents from being able to access information like grades. For more information regarding FERPA, please visit the FERPA Web site.
- Why do I need to know what PII and FERPA are?
UNC is required by law to comply with FERPA. In non-legal terms, this means that UNC must provide students with access to their education records, the chance to amend the records, and some control over the disclosure of information from the records. They can request that their directory information not be published, for example. This would also prevent parents from being able to access information like grades.