Confidential Information: Requires the highest level of protection from any unauthorized access, disclosure, or tampering, whether in hard copy or digital format. This includes sensitive information about students, faculty, staff, users of University services and facilities, and the University itself. All personally identifying or electronically protected information (PII) is classified as confidential information, including, but not limited to, information governed by local or federal law.
All documentation containing personally identifying or electronically protected information MUST be labeled “Confidential” and handled accordingly. Collection of confidential information should be limited to situations where there is a business need and no reasonable alternative. (Reference other document for authorized uses)
Authorized data stewards must closely manage the access to and storage of confidential information. Confidential information must always be secured in accordance with the Georgetown University Security Policy. Managers must ensure that their employees understand the need to safeguard this information, and that adequate procedures are in place to minimize the risk of unauthorized access, disclosure, or tampering. Access to such information may only be granted to authorized individuals on a need-to-know basis.
The examples of confidential information provided below are not comprehensive and are subject to change. Any questions or concerns about the classification of data should be directed to the University Information Security Officer or CIO.
Information protected by federal laws and regulations:
• The Family Educational Rights and Privacy Act (FERPA) – protects a wide range of personal education records and information about current and former students, including, but not limited to, grades, university judicial records, and academic records
• The Health Insurance Portability and Accountability Act (HIPAA) – governs the use of protected health information, including information that identifies an individual and relates to: the individual’s past, present, or future physical or mental health; or the provision of health care to the individual; or the past, present, or future payment for health care
• The Gramm-Leach-Bliley Act (GLBA) – protects personal financial information
Personally Identifiable Information:
• Social Security Number
• Date of Birth
• Place of Birth
• Traditional password identifiers
- Mother’s maiden name
- Name of favorite pet
• Dependents
• Bank account numbers
• Income tax records
• Driver’s license numbers
• Credit card numbers
• Passport numbers
Security data and credentials authorizing access, designed to protect systems:
• Information concerning security incidents
• Passwords
• PKI certificates
Information collected via University business operations:
• Finance
• Legally binding documentation affecting the University or a member of the University community
- Confidential agreements between the University and third parties
- Non-disclosure agreements
- Documentation accepted under non-disclosure or confidentiality agreements
• Legal affairs and all related documentation
• Contracts
Other examples:
• Research
• Research subjects, including human subjects
• Law Center clients
• Library patrons
• Established and potential donors, and information about these donors
• Personnel information on current, former, and prospective employees
• Current, former, and prospective employees
- Salary and pay information
- Benefits data
- Performance reviews
- University judicial affairs
• Information on any portion of the patent process, including research, application documentation, granting, ownership, and licensing of the patent
Note: Credit card information must not be stored by Georgetown University. For all Internet-based credit card transactions, see the Georgetown University Internet Business Policy.
Internal-Use-Only: Requires moderate protection from unauthorized access or tampering. If documentation or information does not contain information that must be labeled “Confidential,” Data Stewards have the discretion to categorize it as “Internal-Use-Only.” The Data Stewards are responsible for the day-to-day management of institutional data integrity, confidentiality, and availability, and for limiting the distribution of these documents.
Information labeled “Internal-Use-Only” may be disclosed to any person inside or outside the University. Although security mechanisms are not needed to control disclosure and dissemination, they are still required to protect against unauthorized modification and destruction of information.
The following may be examples of “Internal-Use-Only” information, but only when they do not contain information that must be labeled Confidential:
• Internal memos
• Correspondence
• E-mail
Public Information: Requires basic protection from unauthorized tampering. This type of information can be freely disseminated to anyone.
DRAFT AS OF 03/16/2010