University at Buffalo - The State University of New York
Skip to Content

What Is Sensitive Data?

Many of us deal with sensitive data every day as part of our job. Whether you’re a system administrator that maintains the systems that house the data, someone processing the data, or the network administrator who maintains the equipment transmitting the information, we each have a responsibility to safe guard sensitive data against unauthorized disclosure. The university classifies its data according to a Data Risk Classification Policy.

Restricted Data

Collection, storage and/or transmission of restricted data must be approved by UB's Information Security Office.

Restricted data includes:

  • Social security number (SSN)
  • Driver license number
  • State-issue non-driver ID number
  • Bank/financial account number
  • Credit/debit card number (CCN)
  • HIPAA regulated PHI in any form (oral, paper, electronic)
  • Passport number
  • University IT authentication credentials
  • Documents protected by attorney-client privilege
  • Donor contact information and non-public gift information

Personally Identifiable Information

Personally Identifiable Information (PII) is data that can be used to identify a person and either locate and contact them, or steal their identity.

Personally Identifiable Information (PII) includes:

  • Mother's maiden name
  • Date of birth
  • Place of birth
  • Social Security Number

Student Education Record Data

Student Education Record Data consists of any student academic information beyond normal directory information (student’s name, address, telephone number, data and place of birth, honors and awards and dates of attendance). However, students can request that their directory information not be disclosed. It’s important to verify whether or not the student has opted out of disclosure before giving out any of that information!

UB's data is also governed by more specialized regulations, such as HIPAA (Health Insurance Portability and Accountability Act), PCIDSS (Payment Card Industry Data Security Standard) and GLBA (Gramm–Leach–Bliley Act). However, these are isolated to specific business units or decanal areas and don’t apply to the general University population.

For more information on protecting restricted and/or private  data, see the Protection of University Data Policy. For more information on protected student data, take a look at Department of Education’s FERPA overview.