Protection of Common Data Elements
University data is often characterized by category or use of the data and then classified in accordance with the legal or contractual controls placed on it. However, data elements within compliance programs often warrant different levels of protection. While some data elements offer little risk and require no special protection, inappropriate handling of other data elements might result in criminal or civil penalties, identity theft, and/or personal or organizational loss.
This table identifies some common data elements by category and the associated classification. When using this table consider:
- Not all data elements are listed. Absence of a data element does not mean that it requires no protection.
- Quantity/amount of data must be considered. One thousand records of one data element may have more value together than one record of an element with a seemingly higher protection factor.
- Combination of data elements can increase the value. For example The Family Educational Rights and Privacy Act (FERPA) identifies Personally Identifiable Information (PII) as information that can identify a person even though the name may not be given.
Personnel Information (Human Resources)
| Personnel Information Elements (Human Resources) | Information Classification |
|---|---|
| Social Security Number (SSN) | Restricted – Maine Data Act (when combined with a name or other uniquely identifiable personal information). |
| Driver’s License number | Restricted – Maine Data Act (when combined with a name or other uniquely identifiable personal information). |
| State Identification Number | Restricted – Maine Data Act (when combined with a name or other uniquely identifiable personal information). |
| Genetic Information | Restricted – Genetic Information Nondiscrimination Act (GINA). Information must be safeguarded as health information in accordance with The Health Insurance Portability and Accountability Act of 1996 (HIPAA) |
| Disability Status | Restricted |
| Military Disability | Restricted |
| Status Ethnicity/Race | Confidential |
| Gender Status | Confidential |
| Name | Public |
| Date of Birth (DOB) | Confidential |
| Employee Identification Number (EMPLID) | Internal – An EMPLID is not considered Restricted or Confidential Data, and is not afforded special protection and confidentiality. EMPLIDs uniquely identify staff and faculty members without using Restricted Data such as SSNs. Routine shared use of EMPLIDs is sometimes necessary for University functions. Share EMPLIDs only with those who have a reason to use it. Combinations of information increase the value of data. EMPLIDs when used in combination with name or DOB increase the security risk. |
| Home Address | Confidential – Not releasable by State Statute. |
| Home Phone Number | Confidential – Not releasable by State Statute. |
| Work Address | Public – Not protected by any legal or contractual controls. |
| Work Phone Number | Public – Not protected by any legal or contractual controls. |
| Business Email Address | Public – Not protected by any legal or contractual controls. |
Payroll Information
| Payroll Information Elements | Information Classification |
|---|---|
| Social Security Number Bank Information (routing/account numbers) | Restricted – Maine Data Act and Gramm-Leach-Bliley Act (GLBA) |
| Salaries | Not Protected – Not protected and is public only through official channels. |
| Work Study Awards | Internal – Protect this information as is indicative of financial need. Some work study is non-need based and does not require protection. |
| Employee Verification (i.e., salaries) | Not Protected – Human Resources (HR) will only verify what the Bank or Third Party was told by employee |
Protected Health Information (PHI)
| Protected Health Information (PHI) Elements | Information Classification |
|---|---|
| Past, present, or future physical or mental health or condition of an individual. | Restricted – HIPAA – If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information. The HIPAA privacy rule lists 18 identifiers that are not to be used with a health record. |
| Provision of health care to an individual Past, present, or future payment for the provision of health care to an individual. | Restricted – HIPAA – If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information. The HIPAA privacy rule lists 18 identifiers that are not to be used with a health record. |
| Identifiers – 18 specific identified by HIPAA Privacy Rule (includes such information as name, geographic information, dates, contact information, medical record and account numbers, biometric identifiers, photos, and other uniquely identifying number, characteristic or code) | Restricted – HIPAA – Those working with protected health information need to be familiar with the identifiers as listed by the HIPAA Privacy Rule and protect them accordingly. These identifiers by themselves may not be restricted data, but when associated in any way with the Personal Health Information elements listed above are restricted under HIPAA. |
Student Data (Registrars)
| Student Data Elements (Registrars) | Information Classification |
|---|---|
| Social Security Number (including historical student identification number when it was SSN) | Restricted – Maine Data Act & FERPA (When combined with a name or other uniquely identifiable personal information). |
| Driver’s License Number | Restricted – Maine Data Act & FERPA (When combined with a name or other uniquely identifiable personal information). |
| State Identification Number | Restricted – Maine Data Act & FERPA (When combined with a name or other uniquely identifiable personal information). |
The following elements are considered Directory information:
| Confidential or Unclassified – FERPA – This is not protected and can be openly shared unless asked by the student to be suppressed. Therefore, prior to any disclosure, one must check each student’s FERPA election to determine whether the student data may be disclosed. |
| Academic Standing (i.e., probation, suspension, etc.) | Confidential – FERPA
Note: Students’ entire educational record is considered protected information under FERPA. For example, a class schedule includes information about any student taking a course. |
| Class Schedule | Confidential – FERPA
Note: Students’ entire educational record is considered protected information under FERPA. For example, a class schedule includes information about any student taking a course. |
| Degree Audit (including courses remaining to complete a degree) | Confidential – FERPA
Note: Students’ entire educational record is considered protected information under FERPA. For example, a class schedule includes information about any student taking a course. |
| Grade Point Average (GPA) | Confidential – FERPA
Note: Students’ entire educational record is considered protected information under FERPA. For example, a class schedule includes information about any student taking a course. |
| Grades | Confidential – FERPA
Note: Students’ entire educational record is considered protected information under FERPA. For example, a class schedule includes information about any student taking a course. |
| Transcript | Confidential – FERPA
Note: Students’ entire educational record is considered protected information under FERPA. For example, a class schedule includes information about any student taking a course. |
| Student Identification Number (EMPLID) | Confidential – FERPA – Unlike a staff and faculty member EMPLID, a student identification (ID) number is Confidential Data and requires protection under FERPA. When a student worker’s EMPLID is used for employment, this EMPLID remains protected by FERPA. – This ID number is not a personal identification number under the Maine Data Act and is not protected by that law. |
| Information on former students – Student records not to include SSN or Driver’s License/State Identification Number | Confidential – FERPA – Educational Records collected when an individual was a student is protected in accordance with FERPA, for the life of the record.
Confidential FERPA or Unclassified – Information that was collected as directory information when an individual was a student is not protected unless asked by the student for it to be suppressed, while the individual was a student. Not classified by FERPA – Information about a former student (i.e. alumni information) collected after the student graduated |
Donor Information
| Donor Information Elements | Information Classification |
|---|---|
| Social Security Number | Restricted – Maine Data Act & GLBA |
| Bank Account Number | Restricted – Maine Data Act & GLBA |
| Financial Account Information | Restricted – GLBA or Payment Card Industry Data Security Standard (PCI or PCI-DSS) – Not to be stored without specific permission. Credit Card transactions must be in accordance with the Credit/Debit Card Standards APL (APL IV-F) |
| Name | Confidential – When associated with donation(s) not made public |
| Giving History (Amount/what donated) | Confidential – When associated with donation(s) not made public |
| Address | Confidential |
| Telephone/Fax Numbers | Confidential |
| Confidential | |
| Employment Information | Confidential |
| Family Information | Confidential |
| Interests, Affiliations or Sports | Confidential |
| Other donor info (e.g. Age, Sex, Degree Information) | Internal |
Payment Card
| Payment Card Elements | Information Classification |
|---|---|
| Credit/Debit Card Number | Restricted – PCI-DSS & Maine Data Act – See Credit/Debit Card Standards APL (APL IV-F) for storage requirements |
| (Primary Account Number – PAN) | Restricted – PCI-DSS & Maine Data Act – See Credit/Debit Card Standards APL (APL IV-F) for storage requirements |
| Cardholder Name | Restricted – PCI-DSS & Maine Data Act – See Credit/Debit Card Standards APL (APL IV-F) for storage requirements |
| Expiration Date | Restricted – PCI-DSS & Maine Data Act – See Credit/Debit Card Standards APL (APL IV-F) for storage requirements |
| Service Code | Restricted – PCI-DSS & Maine Data Act – See Credit/Debit Card Standards APL (APL IV-F) for storage requirements |
| Authentication data | Restricted – PCI-DSS – Never to be stored. See Credit/Debit Card Standards APL (APL IV-F). |
| Card Verification Code or Value (CAV2/CVC2/CVV2/CID) Number | Restricted – PCI-DSS – Never to be stored. See Credit/Debit Card Standards APL (APL IV-F). |
| Personal Identification Number (PIN/PIN Block) | Restricted – PCI-DSS – Never to be stored. See Credit/Debit Card Standards APL (APL IV-F). |
| Full Magnetic Stripe Data | Restricted – PCI-DSS – Never to be stored. See Credit/Debit Card Standards APL (APL IV-F). |
| Masked Credit/Debit Card Number (no more than first 6 and last 4 digits) | Internal – See Credit/Debit Card Standards APL (APL IV-F). |
Procurement
| Procurement Elements | Information Classification |
|---|---|
| Pre-Award Contract Bids | Confidential |
| Awarded Contracts | Internal/Public – Freedom of Access Act (FOAA) – subject to public record requests. |
| Purchasing Card (P-Card) Numbers | Confidential – P-Card protection requirements differ from payment cards accepted by a University merchant activity. However, all credit card numbers are high target theft items. – See Credit/Debit Card Standards APL (APL IV-F) |
Information Security
| Information Security Elements (IT) | Information Classification |
|---|---|
| Authentication Credentials (such as a password key or token) | Restricted – Requires the same protection as the level of information that is protected by those credential |
| Access & Authorization Information | Generally Internal – May Require the same protection as any information that could lead to unauthorized access at the level of information that is protected by a system |
| Vulnerability Scanning Results | Generally Internal – May Require the same protection as any information that could lead to unauthorized access at the level of information that is protected by a system |
| Risk Assessment Results | Generally Internal – May Require the same protection as any information that could lead to unauthorized access at the level of information that is protected by a system |
| Intrusion Detection Alerts | Generally Internal – May Require the same protection as any information that could lead to unauthorized access at the level of information that is protected by a system |
| Security Architecture & Design | Generally Internal – May Require the same protection as any information that could lead to unauthorized access at the level of information that is protected by a system |
| Security Incident Response | Generally Internal – May Require the same protection as any information that could lead to unauthorized access at the level of information that is protected by a system |
Other Data
| Other Data Types | Information Classification |
|---|---|
| Export Control Research | Restricted – International Traffic In Arms Regulations (ITAR), Export Administration Regulations (EAR) – Specific elements not listed. Requires additional protections. Refer to appropriate regulation. |
| Human Subject Research | Depends on Research- Common Rule (45 CFR 46, 102(d)) -Refer to Board of Trustees Policy Section 601 |
| Department of Defense (DoD) Controlled Unclassified | Restricted – Requires additional protections. |