Protection of Common Data Elements.

University data is often characterized by category or use of the data and then classified in accordance with the legal or contractual controls placed on it. However, data elements within each category often warrant different levels of protection. While some data elements offer little risk and require no special protection, inappropriate handling of other data elements might result in criminal or civil penalties, identity theft, and/or personal or organizational loss.

This table identifies some common data elements by category, the associated classification, and the degree of protection that each requires. The protection factor is based on the threats to that type of data (e.g. identity theft or credit fraud targets) together with the impact if it is lost (on the University or on affected individuals). When using this table consider:

  1. Not all data elements are listed. Absence of a data element does not mean that it requires no protection.
  2. Quantity/amount of data must be considered. One thousand records of one data element may have more value together than one record of an element with a seemingly higher protection factor.
  3. Combination of data elements can increase the value. For example, FERPA identifies Personally Identifiable Information (PII) as information that can identify a person even though the name may not be given.

Use the following protections when storing, processing or transmitting data for each protection factor:

  • Critical – Use extreme caution, as this information is highly targeted for theft and loss of this data could severely impact the University. Must be encrypted when stored on a computing device, and only stored on such a device with department head approval.
  • High – Use caution, as this information is targeted for theft. Limit use and protect according to quantity and value.
  • Medium – This data has some value, especially in quantity. Limit storage on computing devices.
  • Low – There is a low threat to this data, which has little value. Releasable through official channels only.

| Personnel Information Elements (HR) | Information Classification | Protection Factor |
|---|---|---|
| Social Security Number; Driver's License Number; State Identification Number | Compliant – Maine Data Act (when combined with a name or other uniquely identifiable personal information). | Critical |
| Genetic Information | Compliant – Genetic Information Nondiscrimination Act (GINA). Information must be safeguarded as health information in accordance with HIPAA. | Critical |
| Disability Status; Military Disability Status; Ethnicity/Race; Gender Status | Compliant | High |
| Name; Date of Birth | Business Sensitive | High |
| Employee Identification Number (EMPLID) | Business Sensitive – An EMPLID is not considered Compliant Data, and is not afforded special protection and confidentiality. EMPLIDs uniquely identify staff and faculty members without using Compliant Data such as SSNs. Routine shared use of EMPLIDs is sometimes necessary for University functions. Share EMPLIDs only with those who have a reason to use it. Combinations of information increase the value of data: EMPLIDs used in combination with name or DOB increase the security risk. | Medium |
| Home Address; Home Phone Number | Unclassified – Not protected by any legal or contractual controls; provided only to those with a "need to know", or made public only through official channels. | Medium |
| Work Address; Work Phone Number; Business Email Address | Unclassified – Not protected by any legal or contractual controls and is public information. | Low |

| Payroll Information Elements | Information Classification | Protection Factor |
|---|---|---|
| Social Security Number; Bank Information (routing/account #) | Compliant – Maine Data Act & GLBA | Critical |
| Salaries | Not Protected – Public only through official channels. | Low |
| Work Study Awards | Business Sensitive – Protect this information, as it is indicative of financial need. Some work study is non-need based and does not require protection. | Medium |
| Employee Verification (i.e., salaries) | Not Protected – HR will only verify what the bank or third party was told by the employee. | Low |

| Protected Health Information (PHI) Elements | Information Classification | Protection Factor |
|---|---|---|
| Past, present, or future physical or mental health or condition of an individual; provision of health care to an individual; past, present, or future payment for the provision of health care to an individual | Compliant – HIPAA – If the information identifies, or provides a reasonable basis to believe it can be used to identify, an individual, it is considered individually identifiable health information. The HIPAA Privacy Rule lists 18 identifiers that are not to be used with a health record. | Critical |
| Identifiers – the 18 specific identifiers defined by the HIPAA Privacy Rule (including name, geographic information, dates, contact information, medical record and account numbers, biometric identifiers, photos, and any other uniquely identifying number, characteristic or code) | Compliant – HIPAA – Those working with protected health information need to be familiar with the identifiers as listed by the HIPAA Privacy Rule and protect them accordingly. These identifiers by themselves may not be Compliant Data, but when associated in any way with the Protected Health Information elements listed above they are Compliant under HIPAA. | High |

| Student Data Elements (Registrars) | Information Classification | Protection Factor |
|---|---|---|
| Social Security Number (including historical student ID number when it was the SSN); Driver's License Number; State Identification Number | Compliant – Maine Data Act & FERPA (when combined with a name or other uniquely identifiable personal information). | Critical |
| Directory information: Name; Address; Phone Number; Date of Birth; Class Level; Dates of Attendance; Degree Awarded; Enrollment Status (full or part-time); Honors and Awards; Program of Study; Most recent previous educational institution attended; Participation in sports and activities; Appropriate personal athletic statistical data | Compliant or Unclassified – FERPA – This is not protected and can be openly shared UNLESS ASKED BY THE STUDENT TO BE SUPPRESSED. Therefore, prior to any disclosure, one must check each student's FERPA election to determine whether the student data may be disclosed. | Medium |
| Academic Standing (i.e., probation, suspension, etc.); Class Schedule; Degree Audit (including courses remaining to complete a degree); GPA; Grades; Transcript; Email Address | Compliant – FERPA. Note: a student's entire educational record is considered protected information under FERPA. For example, a class schedule includes information about any student taking a course. | Medium |
| Student Identification Number (EMPLID) | Compliant – FERPA – Unlike a staff or faculty member's EMPLID, a student ID number is Compliant Data and requires protection under FERPA. When a student worker's EMPLID is used for employment, this EMPLID remains protected by FERPA. This ID number is not a personal identification number under the Maine Data Act and is not protected by that law. | Medium |
| Information on former students – student records, not including SSN or Driver's License/State Identification Number | Compliant – FERPA – Educational records collected when an individual was a student are protected in accordance with FERPA for the life of the record. Compliant (FERPA) or Unclassified – Information collected as directory information while an individual was a student is not protected unless the student asked, while still a student, for it to be suppressed. Not classified by FERPA – Information about a former student (i.e. alumni information) collected after the student graduated. | Medium |

| Donor Information Elements | Information Classification | Protection Factor |
|---|---|---|
| Social Security Number; Bank Account Number | Compliant – Maine Data Act & GLBA | Critical |
| Financial Account Information | Compliant – GLBA or PCI – Not to be stored without specific permission. Credit card transactions must be in accordance with the Credit/Debit Card Standards APL. | Critical |
| Name; Giving History (amount/what donated) | Business Sensitive – When associated with donation(s) | High |
| Address; Telephone/Fax Numbers; Email; Employment Information; Family Information; Interests, Affiliations or Sports | Business Sensitive | Medium |
| Other donor info (e.g. age, sex, degree information) | Unclassified | Low |

| Payment Card Elements | Information Classification | Protection Factor |
|---|---|---|
| Credit/Debit Card Number (Primary Account Number – PAN); Cardholder Name; Expiration Date; Service Code | Compliant – PCI-DSS & Maine Data Act – See the Credit/Debit Card Standards APL for storage requirements. | Critical |
| Authentication data (CAV2/CVC2/CVV2/CID) number; PIN/PIN Block; Full Magnetic Stripe Data | Compliant – PCI-DSS – Never to be stored. See the Credit/Debit Card Standards APL. | Critical |
| Masked Credit/Debit Card Number (no more than the first 6 and last 4 digits) | Unclassified – See the Credit/Debit Card Standards APL. | Low |

| Procurement Elements | Information Classification | Protection Factor |
|---|---|---|
| Pre-Award Contract Bids | Compliant | Critical |
| Awarded Contracts | Unclassified – FOAA – Subject to public record requests. | Low |
| Purchasing Card (P-Card) Numbers | Compliant – P-Card protection requirements differ from those for payment cards accepted by a University merchant activity. However, all credit card numbers are high-target theft items. See the Credit/Debit Card Standards APL. | High |

| Information Security Elements (OIS & IT) | Information Classification | Protection Factor |
|---|---|---|
| Authentication Credentials (user name and password) | Compliant – Requires the same protection as the level of information that is protected by those credentials. | Critical |
| Access & Authorization Information; Vulnerability Scanning Results; Risk Assessment Results; Intrusion Detection Alerts; Security Architecture & Design; Security Incident Response | Compliant or Business Sensitive – Requires the same protection as any information that could lead to unauthorized access, at the level of the information that is protected by the system. | Critical or High |

| Other Data Types | Information Classification | Protection Factor |
|---|---|---|
| Export Control Research | Compliant – ITAR, EAR – Specific elements not listed. Refer to the appropriate regulation. | Critical |
| Human Subject Research | Depends on research – Common Rule (45 CFR 46, 102(d)) – Refer to Board of Trustees Policy Section 601. | Depends on research |