The loss of restricted data is one of the greatest risks to the University of Illinois and everyone affiliated with the University. You can help make sure that your data are correctly classified and kept safe. To better understand how to classify your data, review the definitions of each data type.
Is Your Data at Risk?
Data that are high-risk or sensitive need extra care. Use the Data Classification Questionnaire to properly classify your data.
Once your data are classified, you will be able to better understand how those data can be used in the safest possible way.
If your data are classified as high risk, sensitive, or restricted, ask yourself the following questions to help lower the risk of data breach or loss:
- Do I need to make a copy of sensitive data?
- If you can view the restricted data without making a copy on your own computer or making a print copy, do that instead. Data classified as high risk cannot be stored on your computer unless special permissions are obtained.
- Do I need to share restricted data with someone else?
- In addition to creating more copies, transmitting restricted data creates the risk that it will be intercepted. Data classified as sensitive cannot be emailed without encryption. Data classified as high risk cannot be emailed.
- How long do I need to keep a copy of restricted data?
- Unless you need to use the same restricted data on a regular basis (once a week or more), destroy or securely archive any copies.
High Risk Data
- Personal Health Information (HIPAA)
- Credit Card Information (PCI-DSS)
- Banking Information (GLBA)
- Export Control (EAR/ITAR)
- Social Security Number (PIPA)
- Drivers License Number (PIPA)
- Government Classified
- Password, Encryption Keys, other authentication and authorization codes
- Student Records (FERPA)
- Employee personal information such as home address, email address, telephone
- Information covered by a Non-Disclosure Agreement (NDA)
- Network and System Diagrams and Configuration Documents
- Unpublished Research Data
- Intellectual Property
- Preliminary drafts, notes, recommendations, memoranda and other records in which opinions are expressed, or policies or actions are formulated
- Other data not listed by any other restricted classification that is exempted from disclosure under the Illinois Freedom of Information Act (FOIA) - (5 ILCS 140/7)
Public Data - Data not restricted above that may be disclosed to anyone
* Note -- The Family Educational Rights and Privacy Act (FERPA) also addresses certain data pertaining to students as “Directory Data”,
- name; addresses (local and home); telephone numbers;
- college, curriculum and major field of study;
- class level; full- or part-time status;
- dates of attendance; date of birth;
- eligibility for membership in registered University honoraries;
- degrees, honors, and certificates received or anticipated;
- weight and height, if an athletic team member;
- participation in officially recognized activities and sports; and
- institutions previously attended
The data listed above are not public information. Data classified as directory means that the Department of Education permits university leadership determine when and if those items may be disclosed or shared.
FERPA mandates that students may request that their directory data be treated as if it were educational records at a private institution, with the same disclosure restriction. restrictions.
University FERPA policy provides that any student may, within the first five days of instruction each semester, request suppression.
The University of Illinois provide several cloud-based storage solutions for working with restricted data.
Learn more about these tools: https://answers.uillinois.edu/illinois/page.php?id=54880.
Physical copies of restricted data are in many ways easier to lose than data stolen online. It is vital that any physical copies of restricted data, whether it is printed, information burned to a backup CD, or files on a USB portable drive, are securely destroyed.
The following items need to be properly stored and disposed of if they contain restricted data:
- USB Drives
- Paper copies
- Burned CDs and DVDs
- Hard Drives
For help with securely surplusing a hard drive or a USB drive, please talk to your department's IT Staff.