Many of us deal with restricted data every day as part of our job. Whether you’re a system administrator who maintains the systems that house the data, someone processing the data, or the network administrator who maintains the equipment transmitting the information, we each have a responsibility to safeguard restricted data against unauthorized disclosure. The university classifies its data according to a Data Risk Classification Policy.
Collection, storage and/or transmission of restricted data must be approved by UB's Information Security Office.
Restricted data includes:
Personally Identifiable Information (PII) is data that can be used to identify a person and either locate and contact them, or steal their identity.
Personally Identifiable Information (PII) includes:
Student Education Record Data consists of any student academic information beyond normal directory information (student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance). However, students can request that their directory information not be disclosed. It’s important to verify whether or not the student has opted out of disclosure before giving out any of that information!
UB's data is also governed by more specialized regulations, such as HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard) and GLBA (Gramm–Leach–Bliley Act). However, these are isolated to specific business units or decanal areas and don’t apply to the general University population.
For more information on protecting restricted and/or private data, see the Protection of University Data Policy. For more information on protected student data, take a look at the Department of Education’s FERPA overview.