This page is to be used in conjunction with REG 08.00.03 – Data Management Procedures and the following pages:
- Controls for Securing University Data – Best Practices
- Data Categories, Trustees, Stewards, and Custodians
- Storage Locations for University Data
- Frequently Asked Questions – Data Management Procedures
- Data Management Procedures Summary and Guidance
Contents of this page
- Sharing data
- Pertinent compliance documents
- Responsibilities of the Data Steward
- Data sensitivity levels
- Abbreviations used in the tables
- Finding a data element in a table quickly
- Two types of data elements
- Determining the sensitivity level for a single-component data element
- Determining the sensitivity level for a composite data element
- Tables of data elements
- Contact for additional information
Sharing data
Several regulations determine the sensitivity levels of certain data that is to be shared with other individuals either within or, especially, outside of NC State University. The sensitivity level of a particular data element will determine the controls needed to protect it. The tables on this page will help you determine the appropriate sensitivity level.
Pertinent compliance documents
The following laws and contractual documents have been considered in terms of how they dictate the sensitivity of data elements with respect to the university. For a helpful explanation of what compliance means for a university, see Compliance (ISO 15), provided by EDUCAUSE.
Federal Laws
- Family Educational Rights and Privacy Act (FERPA)
Federal law that protects the privacy of student education records - Higher Education Act of 1987 Title 34: Education, Part 688, Student Assistance General Provisions
Specifies compliance requirements for Student Loan Data - Red Flags Rule: Fighting Identity Theft with the Red Flags Rule
Introduction and link to the Red Flags Rule, a part of the Federal Trade Commission’s Fair and Accurate Credit Transactions Act of 2003 (FACTA), which requires a formal written Identity Theft Prevention Program, with particular relevance to credit card data - Gramm–Leach–Bliley Act (GLBA)
Privacy laws for organizations that provide banking services - EDUCAUSE: Digital Millennium Copyright Act (DMCA)
Provides a good introduction and links to the laws covering the sharing of copyrighted materials, which should be handled as highly sensitive data. - Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- The Health Information Technology for Economic and Clinical Health (HITECH) Act
Widens the scope of privacy and security protections available under HIPAA
See also HITECH Act Summary.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act
North Carolina Laws
- North Carolina General Statutes, Chapter 75. Monopolies, Trusts And Consumer Protection
Chapter 75, Article 2A. Identity Theft Protection Act (PDF) - North Carolina General Statutes, Chapter 126: North Carolina Human Resources Act
- North Carolina General Statutes, Chapter 132: Public Records
§132-1.10. Social security numbers and other personal identifying information (PDF)
Laws about Electronic Signatures
- Joint FTC/Commerce Department Report Released on “Reasonable Demonstration” Requirement of ESIGN
- North Carolina General Statutes, Chapter 66. Commerce and Business (PDF)
- Article 11A: Electronic Commerce in Government (PDF)
Covers the use of Public Key signatures for communication with NC state government agencies - Article 40: Uniform Electronic Transactions Act (PDF)
Implements the federal ESIGN Act in more detail at the NC state level
- Article 11A: Electronic Commerce in Government (PDF)
- Guidance for Industry Part 11; Electronic Records: Electronic Signatures – Scope and Application (PDF)
Covers the use of digital signatures to support research activities under contract to U.S. Department of Health and Human Services, Food and Drug Administration
Contractual provisions
- Payment Card Industry Data Security Standard
Contractually binding IT security rules for accepting credit cards - Research legislated and contractual requirements
- Federal Human Subjects Research
IRB-related matters - Federal Information Security Management Act (FISMA)
Federal government IT regulation - Defense Federal Acquisition Regulation Supplement (DFARS)
Department of Defense rules - US Export Controls
Storing data in foreign countries - EU Privacy directive
Rules for handling data about European Union country citizens - Other contractual requirements on a research case-by-case basis.
- Federal Human Subjects Research
Responsibilities of the Data Steward
- must approve the complete list of data to be shared by your application or use
- has the final say concerning the level of sensitivity of the data to be shared, after consultation with the following:
- OIT Security and Compliance personnel
- OIT Enterprise Applications Systems (and/or College/Dept) business analysts
- other relevant Data Stewards
- Office of General Counsel, when appropriate
- has the final say, after consultation with OIT Security and Compliance personnel, concerning the controls needed to protect that data in the context of your application and sharing requirements
- must negotiate any non-standard controls with OIT Security and Compliance personnel
- will provide direction regarding the specific controls needed for particular data elements, based on the level of sensitivity of the use of the data for which the Data Steward is responsible
- may add a data element to one of these tables if he or she considers it to be sensitive, with the approval of OIT Security and Compliance personnel and other relevant Data Stewards
- will consult with OIT Security and Compliance personnel for advice and direction.
For a list of Data Stewards for various categories of University Data, see Data Categories, Trustees, Stewards, and Custodians.
Data sensitivity levels
The data sensitivity levels as defined in the Data Classification Standard, section 6 of Reg 08.00.03 – Data Management Procedures are as follows:
- Ultra-sensitive – Purple
- Highly sensitive – Red
- Moderately sensitive – Yellow
- Normal, not sensitive – Green
- Unclassified– White
Ultra, High and Moderate levels are considered sensitive.
Normal and Unclassified data are not sensitive.
Abbreviations used in the tables
- DoD: Department of Defense
- FERPA: Family Educational Rights and Privacy Act
- GLBA: Gramm–Leach–Bliley Act (Financial Services Modernization Act of 1999)
- HIPAA: Health Insurance Portability and Accountability Act of 1996
- PAN: Primary Account Number (Payment Card Industry)
- PCI-DSS: Payment Card Industry Data Security Standard (PCI DSS) (PDF)
- HR: Human Resources
- PHI: Protected Health Information (HIPAA)
- PII: Handbook for Safeguarding Sensitive Personally Identifiable Information (PDF)
- VIN: Vehicle identification number
Finding a data element in a table quickly
Instead of scrolling, you can use your browser’s search feature to quickly locate a data element within a table as follows.
- Hold down the Control key (PC) or Apple key (Mac).
- Press the letter F key.
- Type the desired word(s) to search for. If found, the word(s) will be highlighted.
- To find the next occurrence of the same word(s), press the Enter/Return key.
Two types of data elements
- A single-component data element consists of only one item of information; e.g., name, mailing address, ID number, Social Security number. Most of the data elements in the tables are of this type, and the sensitivities required in various contexts are shown by the color designations in the tables.
- A composite data element consists of more than one single-component data element; e.g. a medical record will normally contain a name, mailing address, age, and other components, maybe even a Social Security number. For your convenience, possible composite data elements in the tables below have been linked to this paragraph. Only an initial estimate of the sensitivity of each of these data elements is given in the tables. The actual sensitivity can be determined only after identifying all of those component elements and determining their individual sensitivities. This task will usually be the responsibility of the Data Steward, in consultation with the Data Custodian and other persons as needed. For details, see Determining the sensitivity level for a composite data element (below)
Determining the sensitivity level for a single-component data element
- Locate the row in one of the tables that contains that data element.
- Locate the color-designated cells, if any, in columns 3 through 10 in that row. These cells indicate the applicable laws and regulations for the data element and the sensitivity level required by each. For unfamiliar abbreviations in those headings (e.g., FERPA), see Abbreviations used in the tables (above).
- Determine the applicable laws in your application environment, in consultation with your Data Steward.
- For applicable law columns, determine the highest sensitivity level found among those color-designated cells. This will be the sensitivity level for the data element.
- If no law or regulation in columns 3 through 10 governs your use of the data element or any of its components (i.e., all these columns show N/A, then use, as a default, the sensitivity level indicated in column 2, headed NCSU, of the data element’s row.
If you need assistance in finding a data element or determining the proper sensitivity level for it, contact the appropriate Data Steward. A list of these is found at Data Categories, Trustees, Stewards, and Custodians.
Determining the sensitivity level for a composite data element
- Be careful to identify all of the single-component elements that make up the composite data element.
- Locate the row in one of the tables that contains the composite data element.
- Locate the color-designated cells, if any, in columns 3 through 10 in that row. These cells indicate the laws and regulations governing the handling of the data element and the sensitivity level required by each. For unfamiliar abbreviations in those headings (e.g., FERPA), see Abbreviations used in the tables (above).
- Determine the applicable laws in your application environment, in consultation with your Data Steward.
- For applicable law columns, determine the highest sensitivity level found among those color-designated cells.
- Make note of the highest sensitivity level found among those color-designated cells. This will be the initial estimate of the sensitivity level for the composite data element.
- Select one of the single-component elements that you identified in Step 1.
- Locate that component’s row in one of the tables.
- Locate the color-designated cells, if any, in columns 3 through 10 in that row. These cells indicate the laws and regulations governing the handling of the data element and the sensitivity level required by each. For unfamiliar abbreviations (e.g., FERPA) in those headings, see Abbreviations used in the tables (above).
- For applicable law columns, determine the highest sensitivity level found among the color-designated cells in that row. This will be the sensitivity level for that single-component.element.
- Repeat Steps 5 through 8 for each of the remaining single-element components of the composite data element.
- Review the initial sensitivity level for the composite data element as well as the sensitivity levels you determined for all its components. The highest one of these levels will be the actual sensitivity level for the composite data element. NOTE: In some cases, this will be higher than the initial sensitivity level for the composite data element.
- If no law or regulation in columns 3 through 10 governs your use of the data element or any of its components (i.e., all these columns show N/A), then use, as a default, the sensitivity level indicated in column 2, headed NCSU, of the data element’s row.
If you need assistance in finding a data element or determining the proper sensitivity level for it, contact the appropriate Data Steward. A list of these is found at Data Categories, Trustees, Stewards, and Custodians.
Tables of data elements
Data elements are grouped in the five tables below as follows:
Personal Data
1 Data Element |
2 NCSU |
3 FERPA (student records) |
4 GLBA |
5 HIPAA |
6 PCI- DSS |
7 NC ID Theft |
8 NC Public Records |
9 NC Personnel Act (employee records) |
10 Red Flag |
NCSU provisions |
---|---|---|---|---|---|---|---|---|---|---|
Adult’s personal name (last, first, middle) |
Green | Green | Green | Yellow if with PHI |
Purple if with PAN |
Yellow if with PII |
Green | Green | Green | N/A |
Minor’s personal name (last, first, middle) |
Green | Green | Green | Yellow if with PHI |
Purple if with PAN |
Yellow if with PII |
Yellow | Green | Green | N/A |
Social Security number |
Purple | Purple | Purple | Purple | N/A | Purple | Purple | Purple | Purple | N/A |
Citizenship or country |
Yellow | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
Race | Yellow | Yellow | Yellow | Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A |
Sex | Yellow | Yellow | Yellow | Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A |
Marital status or effective date |
Red | Yellow | Red | Red | N/A | Red | N/A | Red | Red | N/A |
Spouse or partner name |
Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | N/A | N/A |
Dependents (relationship to individual or employee) |
Red | Yellow | Red | Red | N/A | Red | N/A | Red | Red | N/A |
Birth date | Red | Yellow | Red | Red | N/A | Red | N/A | Red | Red | N/A |
Death date | Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow if employee’s dependent |
N/A | N/A |
Birthplace | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
Mother’s maiden name |
Red | Yellow | Red | Red | N/A | Red | N/A | Red | N/A | N/A |
Personal photograph |
Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
Internet Protocol (IP) address | Yellow | Yellow | Yellow | Yellow if with PHI |
N/A | Yellow | N/A | N/A | N/A | N/A |
Media Access Control (MAC) device number | Yellow | Yellow | Yellow | Yellow if with PHI |
N/A | Yellow | N/A | N/A | N/A | N/A |
Digital signature (e.g. cryptographic private keys) | Purple | N/A | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A |
Biometric data | Purple | N/A | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A |
Fingerprints | Purple | N/A | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A |
Personal auto registration or VIN |
Red | N/A | N/A | N/A | N/A | Red | N/A | N/A | Green | N/A |
Personally-owned property title information (see composite data element) |
Yellow | N/A | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | Green |
Serial number of personally-owned item |
Yellow | N/A | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | Green |
Home address | Yellow | Green if in Directory |
Green | Yellow if with PHI |
N/A | Green | N/A | Yellow if in personnel file |
Green | N/A |
Home telephone | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
Mobile telephone | Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
Personal email address |
Yellow | N/A | Yellow | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A |
Non-student medical records, including medical ID number (PHI) (See composite data element) |
Red | N/A | N/A | Red | N/A | Red | N/A | Red if in history |
N/A | N/A |
Disability information (See composite data element) |
Red | Red | N/A | Red | N/A | Red | N/A | Red | N/A | N/A |
Employer tax ID number (e.g., spouse or dependent) |
Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
Passport number | Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
Alien or immigration ID |
Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
Driver’s license number |
Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
Criminal investigation record or police record (See composite data element) |
Red | Red | N/A | N/A | N/A | Red | Red | Red | N/A | N/A |
Voice recording (e.g., voicemail, see composite data element) |
Assuming the voice recording were transcribed to text, the recording’s sensitivity level would be the same as the transcribed text’s sensitivity level. |
Financial Data
1 Data Element |
2 NCSU |
3 FERPA (student records) |
4 GLBA |
5 HIPAA |
6 PCI- DSS |
7 NC ID Theft |
8 NC Public Records |
9 NC Personnel Act (employee records) |
10 Red Flag |
NCSU provisions |
---|---|---|---|---|---|---|---|---|---|---|
Bank name without personal financial info |
Yellow | N/A | Yellow | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
Bank name with personal financial info |
Red | Red | Red | N/A | N/A | Red | N/A | Red | N/A | N/A |
Bank account number |
Red | N/A | Red | Red | N/A | Red | Red | Red | Red | N/A |
Bank routing number with other financial info |
Red | N/A | Red | N/A | N/A | Red | N/A | Red | Red | N/A |
Bank account password |
Purple | N/A | Purple | N/A | N/A | Purple | N/A | N/A | Purple | N/A |
Payment card number (PAN) |
Purple | N/A | Purple | Purple | Purple | Purple | N/A | N/A | Purple | N/A |
Payment card PIN |
Purple | N/A | Purple | N/A | Purple | Purple | N/A | N/A | Purple | N/A |
Payment card password |
Purple | N/A | Purple | N/A | Purple | Purple | N/A | N/A | Purple | N/A |
Payment card expiration date with PAN only |
Purple | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A | N/A |
Payment card service code with PAN |
Purple | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A | N/A |
Payment card magnetic strip info (Not to be stored by NC State) |
Purple | N/A | N/A | N/A | Purple | N/A | N/A | N/A | N/A | N/A |
Beneficiary info |
Red | Red | Red | N/A | Red | Red | N/A | Red | N/A | N/A |
Student Data
NOTES:
- If a student invokes a privacy block, then all his/her information must be considered Yellow as a minimum.
- FERPA requires the university to keep all student records private except directory data.
1 Data Element |
2 NCSU |
3 FERPA (student records) |
4 GLBA |
5 HIPAA |
6 PCI- DSS |
7 NC ID Theft |
8 NC Public Records |
9 NC Personnel Act (employee records) |
10 Red Flag |
NCSU provisions |
---|---|---|---|---|---|---|---|---|---|---|
Grades, transcripts, GPA |
Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
Student ID | Yellow | Yellow | N/A | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
Campus physical address |
Green | Green if in Directory |
Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
Preferred address |
Green | Green if in Directory |
Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
Preferred telephone number |
Green | Green if in Directory |
Yellow | N/A | N/A | Yellow | N/A | Red | Yellow | N/A |
Major field of study |
Green | Green if in Directory |
N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
Enrollment status (e.g., grade level, undergrad or grad) |
Green | Green if in Directory |
Green | N/A | N/A | N/A | N/A | N/A | Green | N/A |
Enrollment info (class, schedule, program) (See composite data element) |
Yellow | Yellow | Green | N/A | N/A | N/A | N/A | N/A | Green | N/A |
Student financial aid info (See composite data element) |
Red | Red | Red | N/A | N/A | Red | N/A | N/A | N/A | N/A |
Financial account payment info (See composite data element) |
Red | Red | Red | N/A | N/A | Red | N/A | N/A | N/A | N/A |
Student loan number | Red | Red | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
Loan balances & payment schedules (See composite data element) |
Red | Red | Red | N/A | N/A | N/A | N/A | N/A | Red | N/A |
Admissions & recruiting info (See composite data element) |
Yellow | Yellow | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
Student housing |
Yellow | Yellow | N/A | N/A | N/A | Yellow | N/A | N/A | N/A | N/A |
Student conduct records (See composite data element) |
Red | Red | Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
Attendance dates |
Green | Green if in Directory |
Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
Honors, degrees, awards (See composite data element) |
Green | Green if in Directory |
Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
Previous educational institution |
Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
Student medical records, including medical ID number (PHI) (See composite data element) |
Red | Yellow | N/A | Yellow | N/A | Red | N/A | Red if in history |
N/A | N/A |
Graduate Student Support Plan (GSSP) payments & stipends | Red | Red | N/A | Red if with PHI |
N/A | Red | N/A | N/A | N/A | N/A |
Weight, height, age (athletic teams) |
Yellow | Yellow | Yellow | N/A | N/A | Yellow | N/A | N/A | Yellow | N/A |
Employee Data
1 Data Element |
2 NCSU |
3 FERPA (student records) |
4 GLBA |
5 HIPAA |
6 PCI- DSS |
7 NC ID Theft |
8 NC Public Records |
9 NC Personnel Act (employee records) |
10 Red Flag |
NCSU provisions |
---|---|---|---|---|---|---|---|---|---|---|
Office address | Green | N/A | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
Office telephone | Green | N/A | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
Employee email address |
Green | N/A | Green | N/A | N/A | Green | N/A | N/A | Green | N/A |
Credit history (See composite data element) |
Red | N/A | Red | N/A | N/A | Red | N/A | N/A | Red | N/A |
Employee ID |
Yellow | N/A | N/A | N/A | N/A | Yellow | N/A | Yellow | N/A | N/A |
Background history (See composite data element) |
Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
Original employment date |
Green | N/A | N/A | N/A | N/A | N/A | Green | Green | N/A | N/A |
Contract terms (See composite data element) |
Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
Current position, title |
Green | N/A | N/A | N/A | N/A | N/A | Green | Green | N/A | N/A |
Current salary | Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
Salary change info |
Yellow | N/A | N/A | N/A | N/A | N/A | Yellow | Yellow | N/A | N/A |
Employee HR file info (e.g., performance, benefit, financial, medical) (See composite data element) |
Red | N/A | Red | Red | N/A | N/A | Yellow | Yellow | N/A | N/A |
Other Sensitive Data
1 Data Element |
2 NCSU |
3 FERPA (student records) |
4 GLBA |
5 HIPAA |
6 PCI- DSS |
7 NC ID Theft |
8 NC Public Records |
9 NC Personnel Act (employee records) |
10 Red Flag |
NCSU provisions |
---|---|---|---|---|---|---|---|---|---|---|
Export-controlled data (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
Import-controlled data (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
Trade secret, intellectual property (e.g., pre-patent research data) (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
Research data (DoD unclassified but sensitive) (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
Research data (DoD classified) (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
Trade secret intellectual property research data (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
Research data – other (See composite data element) |
Yellow | Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
Data under non-disclosure agreement (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
Trial preparation materials (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
Emergency response plans |
Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
Contract, bid, performance info (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
Attorney-client relationship (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | Red | N/A | N/A | Red |
Meeting minutes before approval (See composite data element) |
Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
Drafts of official documents (See composite data element) |
Yellow | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Yellow |
Published materials (e.g., alumni magazines, university website content) |
Green | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Green |
Private contributor records (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
Other advancement data (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
Alumni data (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
Non-university foundations data (See composite data element) |
Red | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Red |
Contact for additional information
If you have any questions regarding the use of these tables or determining the appropriate sensitivity level for data, please contact:
OIT Security & Compliance
919.513.7482
security@ncsu.edu.