What is Sensitive Data?
Sensitive data at the University of Wisconsin - Green Bay (UWGB) refers to information whose unauthorized disclosure, alteration, or destruction could cause moderate risk to the university, its affiliates, or research activities. Managing sensitive data properly ensures compliance with university policies and reduces risks to operations, individuals, and institutional assets.
Below is a quick reference to key types of data, focusing on how they are classified within the UW System.
Types of Data Classifications
- Public (Low Risk): Data intended for public access, such as course catalogs, university websites, and press releases. There are minimal restrictions on its distribution.
- Internal (Low Risk): Data that is not intended for public disclosure but does not pose a significant risk, such as preliminary budgets, internal reports, or non-sensitive facility information.
- Sensitive (Moderate Risk): Sensitive data requires protection because its loss or exposure could cause moderate harm to university operations, research, or individuals. Examples include:
  - FERPA-protected information: Non-directory student data (e.g., grades, personal identifiers, and attendance).
  - Employee evaluations or performance reviews.
  - Research protocols containing proprietary information.
- Restricted (High Risk): This classification includes data requiring the highest level of protection due to legal or regulatory obligations, such as Social Security numbers, HIPAA-protected health information, and financial data.
Examples of Sensitive Data
- Student Educational Records protected by FERPA:
  - Graded work or grade books.
  - Student enrollment status and attendance records.
  - Non-directory personal information (e.g., name, address, date of birth).
- Employee Reviews and Evaluations:
  - Annual performance evaluations.
- Proprietary Research Information:
  - Research protocols or data that are not otherwise classified.
NOTE: Sensitive data should only be accessed by individuals with a legitimate need and must be stored using university-approved systems to ensure compliance with data handling policies.
Handling and Protecting Sensitive Data
- Access Control: Access to sensitive data is restricted to authorized personnel only, and remote access must use secure methods such as multi-factor authentication.
- Storage Requirements: Sensitive data must be stored in institution-approved cloud services or secure locations. Devices storing sensitive data require encryption at rest.
- Transmission Requirements: When transmitting sensitive data, encryption must be used to protect it in transit.
NOTE: If you believe you have accidentally entered sensitive data into an AI tool (or any other system not approved for such data), please contact the GBIT Service Desk immediately. We will coordinate with the security team to address the situation.
Relevant Policies and Resources