What is Sensitive Data?

Summary

This article provides a summary of sensitive data, detailing what it includes, how it must be protected, and what to do if sensitive data is entered into an AI tool or other unapproved system.

Body

What is Sensitive Data?

Sensitive data at the University of Wisconsin - Green Bay (UWGB) refers to information whose unauthorized disclosure, alteration, or destruction could cause moderate risk to the university, its affiliates, or research activities. Managing sensitive data properly ensures compliance with university policies and reduces risks to operations, individuals, and institutional assets.

Below is a quick reference to key types of data, focusing on how they are classified within the UW System.

Types of Data Classifications

  • Public (Low Risk):
    Data intended for public access, such as course catalogs, university websites, and press releases. There are minimal restrictions on its distribution.

  • Internal (Low Risk):
    Data that is not intended for public disclosure but does not pose a significant risk, such as preliminary budgets, internal reports, or non-sensitive facility information.

  • Sensitive (Moderate Risk):
    Sensitive data requires protection because its loss or exposure could cause moderate harm to university operations, research, or individuals. Examples include:

    • FERPA-protected information: Non-directory student data (e.g., grades, personal identifiers, and attendance).
    • Employee evaluations or performance reviews.
    • Research protocols containing proprietary information.
  • Restricted (High Risk):
    This classification includes data requiring the highest level of protection due to legal or regulatory obligations, such as Social Security numbers, HIPAA-protected health information, and financial data.

Examples of Sensitive Data

  • Student Educational Records protected by FERPA:
    • Graded work or grade books.
    • Student enrollment status and attendance records.
    • Non-directory personal information (e.g., name, address, date of birth).
  • Employee Reviews and Evaluations:
    • Annual performance evaluations.
  • Proprietary Research Information:
    • Research protocols or data that are not otherwise classified.

NOTE: Sensitive data should only be accessed by individuals with a legitimate need and must be stored using university-approved systems to ensure compliance with data handling policies.

Handling and Protecting Sensitive Data

  • Access Control:
    Access to sensitive data is restricted to authorized personnel only, and remote access must use secure methods such as multi-factor authentication.
  • Storage Requirements:
    Sensitive data must be stored in institution-approved cloud services or secure locations. Devices storing sensitive data require encryption at rest.
  • Transmission Requirements:
    When transmitting sensitive data, encryption must be used to protect it in transit.

NOTE: If you believe you have accidentally entered sensitive data into an AI tool (or any other system not approved for such data), please contact the GBIT Service Desk immediately. We will coordinate with the security team to address the situation.

Relevant Policies and Resources

Details

Article ID: 1394
Created: Wed 10/30/24 12:06 PM
Modified: Wed 10/30/24 12:06 PM