Determining Sensitivity Levels for Shared Data

This page is to be used in conjunction with REG 08.00.03 – Data Management Procedures and the following pages:


Sharing data

Several regulations determine the sensitivity levels of certain data that is to be shared with other individuals either within or, especially, outside of NC State University. The sensitivity level of a particular data element will determine the controls needed to protect it. The tables on this page will help you determine the appropriate sensitivity level.

Pertinent compliance documents

The following laws and contractual documents have been considered in terms of how they dictate the sensitivity of data elements with respect to the university. For a helpful explanation of what compliance means for a university, see Compliance (ISO 15), provided by Educause.

Federal Laws

North Carolina Laws

Laws about Electronic Signatures

Contractual provisions

  • Payment Card Industry Data Security Standard
    Contractually binding IT security rules for accepting credit cards
  • Research legislated and contractual requirements
    • Federal Human Subjects Research
      IRB-related matters
    • Federal Information Security Management Act (FISMA)
      Federal government IT regulation
    • Defense Federal Acquisition Regulation Supplement (DFARS)
      Department of Defense rules
    • US Export Controls
      Storing data in foreign countries
    • EU Privacy directive
      Rules for handling data about European Union country citizens
    • Other contractual requirements on a research case-by-case basis.

Responsibilities of the Data Steward

  • must approve the complete list of data to be shared by your application or use
  • has the final say concerning the level of sensitivity of the data to be shared, after consultation with the following:
    • OIT Security and Compliance personnel
    • OIT Enterprise Applications Systems (and/or College/Dept) business analysts
    • other relevant Data Stewards
    • Office of General Counsel, when appropriate
  • has the final say, after consultation with OIT Security and Compliance personnel, concerning the controls needed to protect that data in the context of your application and sharing requirements
  • must negotiate any non-standard controls with OIT Security and Compliance personnel
  • will provide direction regarding the specific controls needed for particular data elements, based on the level of sensitivity of the use of the data for which the Data Steward is responsible
  • may add a data element to one of these tables if he or she considers it to be sensitive, with the approval of OIT Security and Compliance personnel and other relevant Data Stewards
  • will consult with OIT Security and Compliance personnel for advice and direction.

For a list of Data Stewards for various categories of University Data, see Data Categories, Trustees, Stewards, and Custodians.

Data sensitivity levels

The data sensitivity levels as defined in the Data Classification Standard, section 6 of Reg 08.00.03 – Data Management Procedures are as follows:

  • Ultra-sensitive – Purple
  • Highly sensitive – Red
  • Moderately sensitive – Yellow
  • Normal, not sensitive – Green
  • Unclassified – White

Ultra, High and Moderate levels are considered sensitive.
Normal and Unclassified data are not sensitive.

Abbreviations used in the tables

Finding a data element in a table quickly

Instead of scrolling, you can use your browser’s search feature to quickly locate a data element within a table as follows.

  1. Hold down the Control key (PC) or Apple key (Mac).
  2. Press the letter F key.
  3. Type the desired word(s) to search for. If found, the word(s) will be highlighted.
  4. To find the next occurrence of the same word(s), press the Enter/Return key.

Two types of data elements

  • A single-component data element consists of only one item of information; e.g., name, mailing address, ID number, Social Security number. Most of the data elements in the tables are of this type, and the sensitivities required in various contexts are shown by the color designations in the tables.
  • A composite data element consists of more than one single-component data element; e.g., a medical record will normally contain a name, mailing address, age, and other components, maybe even a Social Security number. For your convenience, possible composite data elements in the tables below have been linked to this paragraph. Only an initial estimate of the sensitivity of each of these data elements is given in the tables. The actual sensitivity can be determined only after identifying all of those component elements and determining their individual sensitivities. This task will usually be the responsibility of the Data Steward, in consultation with the Data Custodian and other persons as needed. For details, see Determining the sensitivity level for a composite data element (below).

Determining the sensitivity level for a single-component data element

  1. Locate the row in one of the tables that contains that data element.
  2. Locate the color-designated cells, if any, in columns 3 through 10 in that row. These cells indicate the applicable laws and regulations for the data element and the sensitivity level required by each. For unfamiliar abbreviations in those headings (e.g., FERPA), see Abbreviations used in the tables (above).
  3. Determine the applicable laws in your application environment, in consultation with your Data Steward.
  4. For applicable law columns, determine the highest sensitivity level found among those color-designated cells. This will be the sensitivity level for the data element.
  5. If no law or regulation in columns 3 through 10 governs your use of the data element or any of its components (i.e., all these columns show N/A), then use, as a default, the sensitivity level indicated in column 2, headed NCSU, of the data element’s row.

If you need assistance in finding a data element or determining the proper sensitivity level for it, contact the appropriate Data Steward. A list of these is found at Data Categories, Trustees, Stewards, and Custodians.

Determining the sensitivity level for a composite data element

  1. Be careful to identify all of the single-component elements that make up the composite data element.
  2. Locate the row in one of the tables that contains the composite data element.
  3. Locate the color-designated cells, if any, in columns 3 through 10 in that row. These cells indicate the laws and regulations governing the handling of the data element and the sensitivity level required by each. For unfamiliar abbreviations in those headings (e.g., FERPA), see Abbreviations used in the tables (above).
  4. Determine the applicable laws in your application environment, in consultation with your Data Steward.
  5. For applicable law columns, determine the highest sensitivity level found among those color-designated cells.
  6. Make note of the highest sensitivity level found among those color-designated cells. This will be the initial estimate of the sensitivity level for the composite data element.
  7. Select one of the single-component elements that you identified in Step 1.
  8. Locate that component’s row in one of the tables.
  9. Locate the color-designated cells, if any, in columns 3 through 10 in that row. These cells indicate the laws and regulations governing the handling of the data element and the sensitivity level required by each. For unfamiliar abbreviations (e.g., FERPA) in those headings, see Abbreviations used in the tables (above).
  10. For applicable law columns, determine the highest sensitivity level found among the color-designated cells in that row. This will be the sensitivity level for that single-component element.
  11. Repeat Steps 5 through 8 for each of the remaining single-element components of the composite data element.
  12. Review the initial sensitivity level for the composite data element as well as the sensitivity levels you determined for all its components. The highest one of these levels will be the actual sensitivity level for the composite data element. NOTE: In some cases, this will be higher than the initial sensitivity level for the composite data element.
  13. If no law or regulation in columns 3 through 10 governs your use of the data element or any of its components (i.e., all these columns show N/A), then use, as a default, the sensitivity level indicated in column 2, headed NCSU, of the data element’s row.

If you need assistance in finding a data element or determining the proper sensitivity level for it, contact the appropriate Data Steward. A list of these is found at Data Categories, Trustees, Stewards, and Custodians.
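
Both procedures above reduce to taking the highest level among the applicable law columns, with column 2 as the fallback. The sketch below is an added illustration, not NC State tooling; the function names, the `row` helper and the condition strings are assumptions, and treating a conditional cell as N/A when its condition is unmet is one interpretation of the tables.

```python
from enum import IntEnum

class Level(IntEnum):
    """Sensitivity levels in ascending order, so max() picks the strictest."""
    WHITE = 0   # Unclassified
    GREEN = 1   # Normal, not sensitive
    YELLOW = 2  # Moderately sensitive
    RED = 3     # Highly sensitive
    PURPLE = 4  # Ultra-sensitive

G, Y, R, P = Level.GREEN, Level.YELLOW, Level.RED, Level.PURPLE
NA = None  # an "N/A" cell

# Columns 3 through 10, in table order.
LAWS = ["FERPA", "GLBA", "HIPAA", "PCI-DSS", "NC ID Theft",
        "NC Public Records", "NC Personnel Act", "Red Flag"]

def row(ncsu, *cells):
    """Column 2 default plus one cell per law column.
    A conditional cell such as "Yellow if with PHI" is (level, condition)."""
    if len(cells) != len(LAWS):
        raise ValueError("expected one cell per law column")
    return {"NCSU": ncsu, **dict(zip(LAWS, cells))}

# Rows transcribed from the Personal Data table on this page.
NAME = row(G, G, G, (Y, "with PHI"), (P, "with PAN"), (Y, "with PII"), G, G, G)
BIRTH_DATE = row(R, Y, R, R, NA, R, NA, R, R)
SSN = row(P, P, P, P, NA, P, P, P, P)
MEDICAL_RECORD = row(R, NA, NA, R, NA, R, NA, (R, "in history"), NA)

def governed_levels(r, applicable, conditions):
    """Levels required by the applicable laws for one row.
    Assumption: a conditional cell counts as N/A when its condition is unmet."""
    levels = []
    for law in applicable:
        cell = r[law]
        if cell is NA:
            continue
        level, cond = cell if isinstance(cell, tuple) else (cell, None)
        if cond is None or cond in conditions:
            levels.append(level)
    return levels

def single_level(r, applicable, conditions=frozenset()):
    """Highest applicable level, else the column 2 (NCSU) default."""
    levels = governed_levels(r, applicable, conditions)
    return max(levels) if levels else r["NCSU"]

def composite_level(composite, components, applicable, conditions=frozenset()):
    """Highest level across the composite's own row and every component row;
    the composite row's column 2 default applies only if no law governs any."""
    levels = governed_levels(composite, applicable, conditions)
    for component in components:
        levels += governed_levels(component, applicable, conditions)
    return max(levels) if levels else composite["NCSU"]

if __name__ == "__main__":
    print(composite_level(MEDICAL_RECORD, [NAME, BIRTH_DATE, SSN],
                          {"HIPAA"}, {"with PHI"}).name)
```

Under HIPAA alone, the medical record's own row gives Red, but including the Social Security number as a component raises the result to Purple, which is the case the NOTE in step 12 describes.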

Tables of data elements

Data elements are grouped in the five tables below as follows:

  • Personal Data
  • Financial Data
  • Student Data
  • Employee Data
  • Other Sensitive Data

Personal Data

| 1 Data Element | 2 NCSU | 3 FERPA (student records) | 4 GLBA | 5 HIPAA | 6 PCI-DSS | 7 NC ID Theft | 8 NC Public Records | 9 NC Personnel Act (employee records) | 10 Red Flag | NCSU provisions |
|---|---|---|---|---|---|---|---|---|---|---|
| Adult’s personal name (last, first, middle) | Green | Green | Green | Yellow if with PHI | Purple if with PAN | Yellow if with PII | Green | Green | Green | N/A |
| Minor’s personal name (last, first, middle) | Green | Green | Green | Yellow if with PHI | Purple if with PAN | Yellow if with PII | Yellow | Green | Green | N/A |
| Social Security number | Purple | Purple | Purple | Purple | N/A | Purple | Purple | Purple | Purple | N/A |
| Citizenship or country | Yellow | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Race | Yellow | Yellow | Yellow | Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Sex | Yellow | Yellow | Yellow | Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Marital status or effective date | Red | Yellow | Red | Red | N/A | Red | N/A | Red | Red | N/A |
| Spouse or partner name | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | N/A | N/A |
| Dependents (relationship to individual or employee) | Red | Yellow | Red | Red | N/A | Red | N/A | Red | Red | N/A |
| Birth date | Red | Yellow | Red | Red | N/A | Red | N/A | Red | Red | N/A |
| Death date | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow if employee’s dependent | N/A | N/A |
| Birthplace | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Mother’s maiden name | Red | Yellow | Red | Red | N/A | Red | N/A | Red | N/A | N/A |
| Personal photograph | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Internet Protocol (IP) address | Yellow | Yellow | Yellow | Yellow if with PHI | N/A | Yellow | N/A | N/A | N/A | N/A |
| Media Access Control (MAC) device number | Yellow | Yellow | Yellow | Yellow if with PHI | N/A | Yellow | N/A | N/A | N/A | N/A |
| Digital signature (e.g. cryptographic private keys) | Purple | N/A | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A |
| Biometric data | Purple | N/A | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A |
| Fingerprints | Purple | N/A | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A |
| Personal auto registration or VIN | Red | N/A | N/A | N/A | N/A | Red | N/A | N/A | Green | N/A |
| Personally-owned property title information (see composite data element) | Yellow | N/A | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | Green |
| Serial number of personally-owned item | Yellow | N/A | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | Green |
| Home address | Yellow | Green if in Directory | Green | Yellow if with PHI | N/A | Green | N/A | Yellow if in personnel file | Green | N/A |
| Home telephone | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
| Mobile telephone | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
| Personal email address | Yellow | N/A | Yellow | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A |
| Non-student medical records, including medical ID number (PHI) (See composite data element) | Red | N/A | N/A | Red | N/A | Red | N/A | Red if in history | N/A | N/A |
| Disability information (See composite data element) | Red | Red | N/A | Red | N/A | Red | N/A | Red | N/A | N/A |
| Employer tax ID number (e.g., spouse or dependent) | Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Passport number | Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
| Alien or immigration ID | Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
| Driver’s license number | Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
| Criminal investigation record or police record (See composite data element) | Red | Red | N/A | N/A | N/A | Red | Red | Red | N/A | N/A |

Voice recording (e.g. voicemail, see composite data element): Assuming the voice recording were transcribed to text, the recording’s sensitivity level would be the same as the transcribed text’s sensitivity level.

Financial Data

| 1 Data Element | 2 NCSU | 3 FERPA (student records) | 4 GLBA | 5 HIPAA | 6 PCI-DSS | 7 NC ID Theft | 8 NC Public Records | 9 NC Personnel Act (employee records) | 10 Red Flag | NCSU provisions |
|---|---|---|---|---|---|---|---|---|---|---|
| Bank name without personal financial info | Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
| Bank name with personal financial info | Red | Red | Red | N/A | N/A | Red | N/A | Red | N/A | N/A |
| Bank account number | Red | N/A | Red | Red | N/A | Red | Red | Red | Red | N/A |
| Bank routing number with other financial info | Red | N/A | Red | N/A | N/A | Red | N/A | Red | Red | N/A |
| Bank account password | Purple | N/A | Purple | N/A | N/A | Purple | N/A | N/A | Purple | N/A |
| Payment card number (PAN) | Purple | N/A | Purple | Purple | Purple | Purple | N/A | N/A | Purple | N/A |
| Payment card PIN | Purple | N/A | Purple | N/A | Purple | Purple | N/A | N/A | Purple | N/A |
| Payment card password | Purple | N/A | Purple | N/A | Purple | Purple | N/A | N/A | Purple | N/A |
| Payment card expiration date with PAN only | Purple | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A | N/A |
| Payment card service code with PAN | Purple | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A | N/A |
| Payment card magnetic strip info (Not to be stored by NC State) | Purple | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A | N/A |
| Beneficiary info | Red | Red | Red | N/A | Red | Red | N/A | Red | N/A | N/A |

Student Data

NOTES:

  • If a student invokes a privacy block, then all his/her information must be considered Yellow as a minimum.
  • FERPA requires the university to keep all student records private except directory data.

| 1 Data Element | 2 NCSU | 3 FERPA (student records) | 4 GLBA | 5 HIPAA | 6 PCI-DSS | 7 NC ID Theft | 8 NC Public Records | 9 NC Personnel Act (employee records) | 10 Red Flag | NCSU provisions |
|---|---|---|---|---|---|---|---|---|---|---|
| Grades, transcripts, GPA | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Student ID | Yellow | Yellow | N/A | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Campus physical address | Green | Green if in Directory | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Preferred email address | Green | Green if in Directory | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Preferred telephone number | Green | Green if in Directory | Yellow | N/A | N/A | Yellow | N/A | Red | Yellow | N/A |
| Major field of study | Green | Green if in Directory | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Enrollment status (e.g., grade level, undergrad or grad) | Green | Green if in Directory | Green | N/A | N/A | N/A | N/A | N/A | Green | N/A |
| Enrollment info (class, schedule, program) (See composite data element) | Yellow | Yellow | Green | N/A | N/A | N/A | N/A | N/A | Green | N/A |
| Student financial aid info (See composite data element) | Red | Red | Red | N/A | N/A | Red | N/A | N/A | N/A | N/A |
| Financial account payment info (See composite data element) | Red | Red | Red | N/A | N/A | Red | N/A | N/A | N/A | N/A |
| Student loan number | Red | Red | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
| Loan balances & payment schedules (See composite data element) | Red | Red | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A |
| Admissions & recruiting info (See composite data element) | Yellow | Yellow | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
| Student housing | Yellow | Yellow | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
| Student conduct records (See composite data element) | Red | Red | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Attendance dates | Green | Green if in Directory | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Honors, degrees, awards (See composite data element) | Green | Green if in Directory | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Previous educational institution | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
| Student medical records, including medical ID number (PHI) (See composite data element) | Red | Yellow | N/A | Yellow | N/A | Red | N/A | Red if in history | N/A | N/A |
| Graduate Student Support Plan (GSSP) payments & stipends | Red | Red | N/A | Red if with PHI | N/A | Red | N/A | N/A | N/A | N/A |
| Weight, height, age (athletic teams) | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |

Employee Data

| 1 Data Element | 2 NCSU | 3 FERPA (student records) | 4 GLBA | 5 HIPAA | 6 PCI-DSS | 7 NC ID Theft | 8 NC Public Records | 9 NC Personnel Act (employee records) | 10 Red Flag | NCSU provisions |
|---|---|---|---|---|---|---|---|---|---|---|
| Office address | Green | N/A | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Office telephone | Green | N/A | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Employee email address | Green | N/A | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
| Credit history (See composite data element) | Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
| Employee ID | Yellow | N/A | N/A | N/A | N/A | Yellow | N/A | Yellow | N/A | N/A |
| Background history (See composite data element) | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
| Original employment date | Green | N/A | N/A | N/A | N/A | N/A | Green | Green | N/A | N/A |
| Contract terms (See composite data element) | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
| Current position, title | Green | N/A | N/A | N/A | N/A | N/A | Green | Green | N/A | N/A |
| Current salary | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
| Salary change info | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
| Employee HR file info (e.g., performance, benefit, financial, medical) (See composite data element) | Red | N/A | Red | Red | N/A | N/A | Yellow | Yellow | N/A | N/A |

Other Sensitive Data

| 1 Data Element | 2 NCSU | 3 FERPA (student records) | 4 GLBA | 5 HIPAA | 6 PCI-DSS | 7 NC ID Theft | 8 NC Public Records | 9 NC Personnel Act (employee records) | 10 Red Flag | NCSU provisions |
|---|---|---|---|---|---|---|---|---|---|---|
| Export-controlled data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Import-controlled data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Trade secret, intellectual property (e.g., pre-patent research data) (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
| Research data (DoD unclassified but sensitive) (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Research data (DoD classified) (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Trade secret intellectual property research data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
| Research data – other (See composite data element) | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
| Data under non-disclosure agreement (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Trial preparation materials (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Emergency response plans | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
| Contract, bid, performance info (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
| Attorney-client relationship (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
| Meeting minutes before approval (See composite data element) | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
| Drafts of official documents (See composite data element) | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
| Published materials (e.g., alumni magazines, university website content) | Green | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Green |
| Private contributor records (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Other advancement data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Alumni data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
| Non-university foundations data (See composite data element) | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |

Contact for additional information

If you have any questions regarding the use of these tables or determining the appropriate sensitivity level for data, please contact:

OIT Security & Compliance
919.513.7482
security@ncsu.edu.
