Determining Sensitivity Levels for Shared Data

This page is to be used in conjunction with REG 08.00.03 - Data Management Procedures and the following pages:


Sharing data

Several regulations determine the sensitivity levels of certain data that is to be shared with other individuals either within or, especially, outside of NC State University. The sensitivity level of a particular data element will determine the controls needed to protect it. The tables on this page will help you determine the appropriate sensitivity level.

Pertinent compliance documents

The following laws and contractual documents have been considered in terms of how they dictate the sensitivity of data elements with respect to the university. For a helpful explanation of what compliance means for a university, see Compliance (ISO 15), provided by Educause.

Federal Laws

North Carolina Laws

Laws about Electronic Signatures

Contractual provisions

  • Payment Card Industry (PCI) Data Security Standard (PDF)
    Contractually binding IT security rules for accepting credit cards
  • Research legislated and contractual requirements
    • Federal Human Subjects Research
      IRB-related matters
    • Federal Information Security Management Act (FISMA)
      Federal government IT regulation
    • Defense Federal Acquisition Regulation Supplement (DFARS)
      Department of Defense rules
    • US Export Controls
      Storing data in foreign countries
    • EU Privacy directive
      Rules for handling data about European Union country citizens
    • Other contractual requirements on a research case-by-case basis.

Responsibilities of the Data Steward

  • must approve the complete list of data to be shared by your application or use
  • has the final say concerning the level of sensitivity of the data to be shared, after consultation with the following:
    • OIT Security and Compliance personnel
    • OIT Enterprise Applications Systems (and/or College/Dept) business analysts
    • other relevant Data Stewards
    • Office of General Counsel, when appropriate
  • has the final say, after consultation with OIT Security and Compliance personnel, concerning the controls needed to protect that data in the context of your application and sharing requirements
  • must negotiate any non-standard controls with OIT Security and Compliance personnel
  • will provide direction regarding the specific controls needed for particular data elements, based on the level of sensitivity of the use of the data for which the Data Steward is responsible
  • may add a data element to one of these tables if he or she considers it to be sensitive, with the approval of OIT Security and Compliance personnel and other relevant Data Stewards
  • will consult with OIT Security and Compliance personnel for advice and direction.

For a list of Data Stewards for various categories of University Data, see Data Categories, Trustees, Stewards, and Custodians.

Data sensitivity levels

The data sensitivity levels as defined in the Data Classification Standard, section 6 of Reg 08.00.03 - Data Management Procedures are as follows:

  • Ultra-sensitive - Purple
  • Highly sensitive - Red
  • Moderately sensitive - Yellow
  • Normal, not sensitive - Green
  • Unclassified - White

Ultra, High and Moderate levels are considered sensitive.
Normal and Unclassified data are not sensitive.

Abbreviations used in the tables

Finding a data element in a table quickly

Instead of scrolling, you can use your browser's search feature to quickly locate a data element within a table as follows.

  1. Hold down the Control key (PC) or Apple key (Mac).
  2. Press the letter F key.
  3. Type the desired word(s) to search for. If found, the word(s) will be highlighted.
  4. To find the next occurrence of the same word(s), press the Enter/Return key.

Two types of data elements

  • A single-component data element consists of only one item of information; e.g., name, mailing address, ID number, Social Security number. Most of the data elements in the tables are of this type, and the sensitivities required in various contexts are shown by the color designations in the tables.
     
  • A composite data element consists of more than one single-component data element; e.g., a medical record will normally contain a name, mailing address, age, and other components, maybe even a Social Security number. For your convenience, possible composite data elements in the tables below have been linked to this paragraph. Only an initial estimate of the sensitivity of each of these data elements is given in the tables. The actual sensitivity can be determined only after identifying all of those component elements and determining their individual sensitivities. This task will usually be the responsibility of the Data Steward, in consultation with the Data Custodian and other persons as needed. For details, see Determining the sensitivity level for a composite data element (below).

Determining the sensitivity level for a single-component data element

  1. Locate the row in one of the tables that contains that data element.
  2. Locate the color-designated cells, if any, in columns 3 through 10 in that row. These cells indicate the applicable laws and regulations for the data element and the sensitivity level required by each. For unfamiliar abbreviations in those headings (e.g., FERPA), see Abbreviations used in the tables (above).
  3. Determine the applicable laws in your application environment, in consultation with your Data Steward.
  4. For applicable law columns, determine the highest sensitivity level found among those color-designated cells. This will be the sensitivity level for the data element.
  5. If no law or regulation in columns 3 through 10 governs your use of the data element or any of its components (i.e., all these columns show N/A), then use, as a default, the sensitivity level indicated in column 2, headed NCSU, of the data element’s row.

If you need assistance in finding a data element or determining the proper sensitivity level for it, contact the appropriate Data Steward. A list of these is found at Data Categories, Trustees, Stewards, and Custodians.

Determining the sensitivity level for a composite data element

  1. Be careful to identify all of the single-component elements that make up the composite data element.
  2. Locate the row in one of the tables that contains the composite data element.
  3. Locate the color-designated cells, if any, in columns 3 through 10 in that row. These cells indicate the laws and regulations governing the handling of the data element and the sensitivity level required by each. For unfamiliar abbreviations in those headings (e.g., FERPA), see Abbreviations used in the tables (above).
  4. Determine the applicable laws in your application environment, in consultation with your Data Steward.
  5. For applicable law columns, determine the highest sensitivity level found among those color-designated cells.
  6. Make note of the highest sensitivity level found among those color-designated cells. This will be the initial estimate of the sensitivity level for the composite data element.
  7. Select one of the single-component elements that you identified in Step 1.
  8. Locate that component’s row in one of the tables.
  9. Locate the color-designated cells, if any, in columns 3 through 10 in that row. These cells indicate the laws and regulations governing the handling of the data element and the sensitivity level required by each. For unfamiliar abbreviations (e.g., FERPA) in those headings, see Abbreviations used in the tables (above).
  10. For applicable law columns, determine the highest sensitivity level found among the color-designated cells in that row. This will be the sensitivity level for that single-component element.
  11. Repeat Steps 5 through 8 for each of the remaining single-element components of the composite data element.
  12. Review the initial sensitivity level for the composite data element as well as the sensitivity levels you determined for all its components. The highest one of these levels will be the actual sensitivity level for the composite data element. NOTE: In some cases, this will be higher than the initial sensitivity level for the composite data element.
  13. If no law or regulation in columns 3 through 10 governs your use of the data element or any of its components (i.e., all these columns show N/A), then use, as a default, the sensitivity level indicated in column 2, headed NCSU, of the data element’s row.

If you need assistance in finding a data element or determining the proper sensitivity level for it, contact the appropriate Data Steward. A list of these is found at Data Categories, Trustees, Stewards, and Custodians.
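
The two procedures above reduce to a maximum over the applicable law columns, with a fallback to the NCSU column. The following Python is an added example, not part of NC State's regulation or tooling; the row values are transcribed from the Personal Data table on this page, while the function names, the `context` flags for conditional cells (e.g., "with PHI"), and the treatment of an unmet condition as N/A are assumptions.

```python
from enum import IntEnum

class Level(IntEnum):
    """Levels used in the tables, ordered so max() picks the most sensitive."""
    GREEN = 1
    YELLOW = 2
    RED = 3
    PURPLE = 4

G, Y, R, P = Level.GREEN, Level.YELLOW, Level.RED, Level.PURPLE

# element -> (column 2 NCSU default, {law column: level or (level, condition)}).
# Values transcribed from the Personal Data table; N/A cells are omitted.
TABLE = {
    "Non-student medical records": (R, {
        "HIPAA": R, "NC ID Theft": R, "NC Personnel Act": (R, "in history")}),
    "Adult's personal name": (G, {
        "FERPA": G, "GLBA": G, "HIPAA": (Y, "with PHI"),
        "PCI-DSS": (P, "with PAN"), "NC ID Theft": (Y, "with PII"),
        "NC Public Records": G, "NC Personnel Act": G, "Red Flag": G}),
    "Birth date": (R, {
        "FERPA": Y, "GLBA": R, "HIPAA": R, "NC ID Theft": R,
        "NC Personnel Act": R, "Red Flag": R}),
    "Social Security number": (P, dict.fromkeys(
        ("FERPA", "GLBA", "HIPAA", "NC ID Theft", "NC Public Records",
         "NC Personnel Act", "Red Flag"), P)),
    "Personal photograph": (Y, {"FERPA": Y}),
}

def law_level(element, laws, context=frozenset()):
    """Highest level among the applicable law columns, or None if all are N/A.
    Assumption: a conditional cell whose condition is not in `context` is N/A."""
    found = []
    for law, cell in TABLE[element][1].items():
        level, cond = cell if isinstance(cell, tuple) else (cell, None)
        if law in laws and (cond is None or cond in context):
            found.append(level)
    return max(found, default=None)

def single_level(element, laws, context=frozenset()):
    """Single-component procedure: law maximum, else the NCSU column default."""
    level = law_level(element, laws, context)
    return TABLE[element][0] if level is None else level

def composite_level(element, components, laws, context=frozenset()):
    """Composite procedure: maximum over the composite row and every component
    row; the NCSU default applies only when no applicable law governs any."""
    levels = [law_level(e, laws, context) for e in (element, *components)]
    governed = [lv for lv in levels if lv is not None]
    return max(governed) if governed else TABLE[element][0]

if __name__ == "__main__":
    parts = ["Adult's personal name", "Birth date", "Social Security number"]
    print(law_level("Non-student medical records", {"HIPAA"}).name)  # initial estimate
    print(composite_level("Non-student medical records", parts, {"HIPAA"},
                          {"with PHI"}).name)                        # actual level
```

The medical-record case shows the NOTE in the last review step: a component (the Social Security number) raises the composite above its initial estimate.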

Tables of data elements

Data elements are grouped in the five tables below as follows:

Personal Data

| 1 Data Element | 2 NCSU | 3 FERPA (student records) | 4 GLBA | 5 HIPAA | 6 PCI-DSS | 7 NC ID Theft | 8 NC Public Records | 9 NC Personnel Act (employee records) | 10 Red Flag | NCSU provisions |
|---|---|---|---|---|---|---|---|---|---|---|
| Adult's personal name (last, first, middle) | Green | Green | Green | Yellow if with PHI | Purple if with PAN | Yellow if with PII | Green | Green | Green | N/A |
| Minor's personal name (last, first, middle) | Green | Green | Green | Yellow if with PHI | Purple if with PAN | Yellow if with PII | Yellow | Green | Green | N/A |
| Social Security number | Purple | Purple | Purple | Purple | N/A | Purple | Purple | Purple | Purple | N/A |
| Citizenship or country | Yellow | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Race | Yellow | Yellow | Yellow | Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Sex | Yellow | Yellow | Yellow | Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Marital status or effective date | Red | Yellow | Red | Red | N/A | Red | N/A | Red | Red | N/A |
| Spouse or partner name | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | N/A | N/A |
| Dependents (relationship to individual or employee) | Red | Yellow | Red | Red | N/A | Red | N/A | Red | Red | N/A |
| Birth date | Red | Yellow | Red | Red | N/A | Red | N/A | Red | Red | N/A |
| Death date | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow if employee's dependent | N/A | N/A |
| Birthplace | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Mother's maiden name | Red | Yellow | Red | Red | N/A | Red | N/A | Red | N/A | N/A |
| Personal photograph | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Internet Protocol (IP) address | Yellow | Yellow | Yellow | Yellow if with PHI | N/A | Yellow | N/A | N/A | N/A | N/A |
| Media Access Control (MAC) device number | Yellow | Yellow | Yellow | Yellow if with PHI | N/A | Yellow | N/A | N/A | N/A | N/A |
| Digital signature | Purple | N/A | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A |
| Biometric data | Purple | N/A | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A |
| Fingerprints | Purple | N/A | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A |
| Personal auto registration or VIN | Red | N/A | N/A | N/A | N/A | Red | N/A | N/A | Green | N/A |
| Personally-owned property title information (See composite data element) | Yellow | N/A | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | Green |
| Serial number of personally-owned item | Yellow | N/A | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | Green |
| Home address | Yellow | Green if in Directory | Green | Yellow if with PHI | N/A | Green | N/A | Yellow if in personnel file | Green | N/A |
| Home telephone | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
| Mobile telephone | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
| Personal email address | Yellow | N/A | Yellow | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A |
| Non-student medical records, including medical ID number (PHI) (See composite data element) | Red | N/A | N/A | Red | N/A | Red | N/A | Red if in history | N/A | N/A |
| Disability information (See composite data element) | Red | Red | N/A | Red | N/A | Red | N/A | Red | N/A | N/A |
| Employer tax ID number (e.g., spouse or dependent) | Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Passport number | Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
| Alien or immigration ID | Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
| Driver's license number | Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
| Criminal investigation record or police record (See composite data element) | Red | Red | N/A | N/A | N/A | Red | Red | Red | N/A | N/A |

Financial Data

| 1 Data Element | 2 NCSU | 3 FERPA (student records) | 4 GLBA | 5 HIPAA | 6 PCI-DSS | 7 NC ID Theft | 8 NC Public Records | 9 NC Personnel Act (employee records) | 10 Red Flag | NCSU provisions |
|---|---|---|---|---|---|---|---|---|---|---|
| Bank name without personal financial info | Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
| Bank name with personal financial info | Red | Red | Red | N/A | N/A | Red | N/A | Red | N/A | N/A |
| Bank account number | Red | N/A | Red | Red | N/A | Red | Red | Red | Red | N/A |
| Bank routing number with other financial info | Red | N/A | Red | N/A | N/A | Red | N/A | Red | Red | N/A |
| Bank account password | Purple | N/A | Purple | N/A | N/A | Purple | N/A | N/A | Purple | N/A |
| Payment card number (PAN) | Purple | N/A | Purple | Purple | Purple | Purple | N/A | N/A | Purple | N/A |
| Payment card PIN | Purple | N/A | Purple | N/A | Purple | Purple | N/A | N/A | Purple | N/A |
| Payment card password | Purple | N/A | Purple | N/A | Purple | Purple | N/A | N/A | Purple | N/A |
| Payment card expiration date with PAN only | Purple | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A | N/A |
| Payment card service code with PAN | Purple | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A | N/A |
| Payment card magnetic strip info (Not to be stored by NC State) | Purple | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A | N/A |
| Beneficiary info | Red | Red | Red | N/A | Red | Red | N/A | Red | N/A | N/A |

Student Data

NOTES:

  • If a student invokes a privacy block, then all his/her information must be considered Yellow as a minimum.
  • FERPA requires the university to keep all student records private except directory data.

| 1 Data Element | 2 NCSU | 3 FERPA (student records) | 4 GLBA | 5 HIPAA | 6 PCI-DSS | 7 NC ID Theft | 8 NC Public Records | 9 NC Personnel Act (employee records) | 10 Red Flag | NCSU provisions |
|---|---|---|---|---|---|---|---|---|---|---|
| Grades, transcripts, GPA | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Student ID | Yellow | Yellow | N/A | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Campus physical address | Green | Green if in Directory | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Preferred email address | Green | Green if in Directory | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Preferred telephone number | Green | Green if in Directory | Yellow | N/A | N/A | Yellow | N/A | Red | Yellow | N/A |
| Major field of study | Green | Green if in Directory | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Enrollment status (e.g., grade level, undergrad or grad) | Green | Green if in Directory | Green | N/A | N/A | N/A | N/A | N/A | Green | N/A |
| Enrollment info (class, schedule, program) (See composite data element) | Yellow | Yellow | Green | N/A | N/A | N/A | N/A | N/A | Green | N/A |
| Student financial aid info (See composite data element) | Red | Red | Red | N/A | N/A | Red | N/A | N/A | N/A | N/A |
| Financial account payment info (See composite data element) | Red | Red | Red | N/A | N/A | Red | N/A | N/A | N/A | N/A |
| Student loan number | Red | Red | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
| Loan balances & payment schedules (See composite data element) | Red | Red | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A |
| Admissions & recruiting info (See composite data element) | Yellow | Yellow | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
| Student housing | Yellow | Yellow | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
| Student conduct records (See composite data element) | Red | Red | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Attendance dates | Green | Green if in Directory | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Honors, degrees, awards (See composite data element) | Green | Green if in Directory | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Previous educational institution | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Student medical records, including medical ID number (PHI) (See composite data element) | Red | Yellow | N/A | Yellow | N/A | Red | N/A | Red if in history | N/A | N/A |
| Graduate Student Support Plan (GSSP) payments & stipends | Red | Red | N/A | Red if with PHI | N/A | Red | N/A | N/A | N/A | N/A |
| Weight, height, age (athletic teams) | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |

Employee Data

| 1 Data Element | 2 NCSU | 3 FERPA (student records) | 4 GLBA | 5 HIPAA | 6 PCI-DSS | 7 NC ID Theft | 8 NC Public Records | 9 NC Personnel Act (employee records) | 10 Red Flag | NCSU provisions |
|---|---|---|---|---|---|---|---|---|---|---|
| Office address | Green | N/A | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Office telephone | Green | N/A | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Employee email address | Green | N/A | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Credit history (See composite data element) | Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
| Employee ID | Yellow | N/A | N/A | N/A | N/A | Yellow | N/A | Yellow | N/A | N/A |
| Background history (See composite data element) | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
| Original employment date | Green | N/A | N/A | N/A | N/A | N/A | Green | Green | N/A | N/A |
| Contract terms (See composite data element) | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
| Current position, title | Green | N/A | N/A | N/A | N/A | N/A | Green | Green | N/A | N/A |
| Current salary | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
| Salary change info | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
| Employee HR file info (e.g., performance, benefit, financial, medical) (See composite data element) | Red | N/A | Red | Red | N/A | N/A | Yellow | Yellow | N/A | N/A |

Other Sensitive Data

| 1 Data Element | 2 NCSU | 3 FERPA (student records) | 4 GLBA | 5 HIPAA | 6 PCI-DSS | 7 NC ID Theft | 8 NC Public Records | 9 NC Personnel Act (employee records) | 10 Red Flag | NCSU provisions |
|---|---|---|---|---|---|---|---|---|---|---|
| Export-controlled data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Import-controlled data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Trade secret, intellectual property (e.g., pre-patent research data) (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
| Research data (DoD unclassified but sensitive) (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Research data (DoD classified) (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Trade secret intellectual property research data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
| Research data - other (See composite data element) | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
| Data under non-disclosure agreement (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Trial preparation materials (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Emergency response plans | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
| Contract, bid, performance info (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
| Attorney-client relationship (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
| Meeting minutes before approval (See composite data element) | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
| Drafts of official documents (See composite data element) | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
| Published materials (e.g., alumni magazines, university website content) | Green | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Green |
| Private contributor records (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Other advancement data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Alumni data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Non-university foundations data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |

Contact for additional information

If you have any questions regarding the use of these tables or determining the appropriate sensitivity level for data, please contact:

OIT Security & Compliance
919.513.7482
security@ncsu.edu.
