Sensitive vs Confidential


What is the difference between sensitive information and confidential information?

Sensitive Data - institutional data that is not protected by law but should not be made public and should be disclosed only under limited circumstances. Users must be granted specific authorization before they can access it, because unauthorized disclosure, alteration, or destruction of the data could cause measurable harm to the institution.

The following are examples of sensitive data elements:

  • All information identifiable to an individual (including students, staff, faculty, trustees, donors, and alumni), including but not limited to dates of birth, driver's license numbers, employee and student ID numbers, license plate numbers, and compensation information.
  • The University's proprietary information, including but not limited to research findings, intellectual property, financial data, and donor and funding sources.

Confidential/Regulated Data - institutional data that the institution is legally obligated not to disclose. These data elements require the highest level of restriction because of the harm that would result from their disclosure or inappropriate use.

The following are examples of confidential data elements:

  • Data not releasable under the Georgia Open Records Act or the Georgia Open Meetings Act
  • All federally protected data
  • Social Security numbers and credit card numbers
  • Data protected by the Family Educational Rights and Privacy Act of 1974 (FERPA)
    • FERPA protects the rights of students by controlling the creation of, maintenance of, and access to education records. It guarantees students access to their own academic records while prohibiting unauthorized access by others.
  • Data protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • HIPAA sets standards for securing protected health information (PHI) in paper, electronic, and oral form.
    • PHI is individually identifiable health information that is maintained or transmitted in any form or medium. PHI excludes individually identifiable health information held in education records covered by FERPA.
  • Data protected by the Gramm-Leach-Bliley Act (GLBA)
    • GLBA provides limited privacy protections for private financial information and codifies protections against pretexting, the practice of obtaining personal information under false pretenses.
    • GLBA implements rules concerning financial privacy notices and the administrative, technical, and physical safeguarding of personal information.

Laptop Data - Is there a policy on what can be stored on it?

  • All proprietary information should be stored on network storage.
  • Sensitive data stored on local hard drives or on mobile computing devices/media must be encrypted with at least 128-bit encryption (for example, AES-128 whole-disk encryption; the key length alone is not sufficient unless a vetted algorithm is used).
  • All confidential information should be stored on network storage with appropriate access controls.
  • Confidential data shall not be stored on local hard drives or on mobile computing devices/media without approval from the Data Steward and ITSS Security Administration.