Essential Security: Storing Sensitive University Data

The University provides remote storage options for UConn faculty, staff, and students, and for most data, we encourage our community to use the option of their choice. For sensitive and confidential data, however, faculty and staff should use approved cloud or network drive storage. This ensures that all UConn employees and users of data adhere to the policies established to protect sensitive university data to which they have authorized access. These policies apply to university-owned and managed computers as well as to personally-owned devices used to access sensitive university data. (Please note: Confidential data may not be stored on personally-owned IT resources.)

The table below lists the cloud/network storage options and the types of data that may be stored on each.

Table 1. Data storage options for sensitive and confidential data

Data Types | EFS | OneDrive | Google Drive
Data Location | UConn Data Center | Cloud | Cloud
Backup Type | Nightly Backup | File Versioning via Sync Client | File Versioning via Sync Client
Personally Identifiable Information

● Social Security Number

● Driver’s License Number

● State identification card number

● Financial account numbers such as credit, debit, or bank account numbers

● Passport Number

● Alien Registration Number

● Health Insurance Identification Number

● Home address or phone number of individuals in protected classes

EFS: Yes | OneDrive: Yes | Google Drive: No
Credit Card Information

● Primary Account Number

● Cardholder Name

● Service Code

● Expiration Date

EFS: No | OneDrive: No | Google Drive: No
Student University Data

● Grades/Transcripts/Test Scores

● Courses Taken/Schedule

● Advising Records

● Educational Services Received

● Disciplinary Actions

● Student Personnel Records

● Financial account and payment information including billing statements, bank account and credit card information

● Admissions and recruiting information including test scores, high school grade point average, high school class rank, etc.

EFS: Yes | OneDrive: Yes | Google Drive: No
Protected Health Information

● Health information that identifies the individual, or could reasonably be used to identify the individual; including, but not limited to: names, telephone numbers, facsimile numbers, electronic mail addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers including license plate numbers, device identifiers and serial numbers, web universal resource locators (URLs), internet protocol (IP) address numbers, biometric identifiers including fingerprints and voiceprints, full-face photographic images and any comparable images, and any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.

● All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.

● All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people. (2) The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.

● Information about the patient’s past, present or future physical or mental health or condition

● Information relating to the provision of, or payment for, health care

EFS: Yes | OneDrive: Yes | Google Drive: No
Financial Data

● Employee financial account information

● Individual financial information

● Business partner and vendor financial account information

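EFS: Yes | OneDrive: Yes | Google Drive: No
Attorney/Client Privileged Information | EFS: Yes | OneDrive: Yes | Google Drive: No
Export Controlled Research* | EFS: No | OneDrive: No | Google Drive: No
Controlled Unclassified Information** | EFS: No | OneDrive: No | Google Drive: No
Sensitive Identifiable Human Subject Research | EFS: Yes | OneDrive: Yes | Google Drive: No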

*For more information, contact Jason Pufahl, CISO, at Jason.pufahl@uconn.edu.

**More information is available on the Secured Research Infrastructure page.

Relevant policies

Access Control Policy

Confidential Data

Data Classification Levels

Data Roles and Responsibilities

Guidelines

Extended List of Confidential Data