V802.07.01 GUIDELINES FOR PROTECTING SENSITIVE DATA

In today's universe, protecting confidential data is crucial. VCSU is a custodian of personal information belonging to students, staff, faculty, researchers, and those who use its outreach services. As custodian of that information, VCSU is responsible for protecting and securing personal, student-related, financial, health information, and intellectual property from misuse, theft, compromise, and unauthorized disclosure. As an employee of VCSU it is your responsibility to:
  • Follow all applicable laws, and VCSU policy and procedure
  • Use due diligence when working with confidential and sensitive data
  • Incorporate and use mandated and recommended standards and guidelines for protection of confidential and sensitive data
When working with confidential and private data, these best practices must be followed:
  • All data must be classified.
  • All data access must be authorized under the principle of least privilege and based on minimal need.
  • All access to confidential data must be authenticated and logged.
  • When an individual has been granted special access changes responsibilities or leaves employment, all their access rights must be reevaluated and any unneeded access removed.
  • When necessary, data transmission and storage should be encrypted.
Federal and state laws that protect personal data:
  • FERPA (Family Education Rights and Privacy Act), 1974. This law protects student information such as name, SSN, demographic information, grades and information related to their education.
  • GLBA (Graham Leech Bliley Act), 2000. A financial law designed to protect personal financial information such as financial aid, banking, credit, and investment information.
  • HIPAA (Health Insurance Portability Accountability Act), 1996. A federal law that protects personal health information.
State Laws and Other Standards that protect personal data:
  • ND Privacy Law, 2006, Protects personal data. VCSU is required to report to the owner of the data if a breach has occurred and if information has become compromised or stolen.
  • North Dakota Public Records Statute. Defines what is and isn't a public record or what data can be made available for public view.
  • PCI - DSS (Payment Industry Data Security Standard). Standards created for online credit card transactions by the four major credit card payment companies. Requires those entities that accept online credit card payments to follow strict standards.
NDUS and VCSU Policies and Procedures:
  • North Dakota University System Computer Use Policy and Procedure 1901.2
    • http://www.ndus.nodak.edu/policies_procedures/ndus_policies
  • VCSU1: Policy 1901.2 Computer & Network Usage Procedures;
North Dakota University System Data Classification Standard
The North Dakota University System Data Classification Standard was developed to identify and clarify the definition of data types within a university. Any data asset of the NDUS or the Institution shall be classified as Public, Private, or Confidential.

Public data is defined as data that any entity either internal or external to the ND University System can access. The Open Records law of North Dakota may apply. Public data elements include:

Employee Information
  • Name
  • Salary
  • Expense reimbursements
  • Job titles
  • Job descriptions
  • Education and training
  • Previous work experience
  • First and last employment
  • Existence and status of complaints
  • Terms of buy-out agreements
  • Final disposition of disciplinary action
  • Work location
  • Work phone number
  • Work electronic (e-mail) address
  • Honors and awards received
  • Payroll time sheets
  • Home address*
  • Home telephone number*
Student Directory Information*
  • Name
  • Address
  • Telephone number
  • Electronic (e-mail) address
  • Dates of enrollment
  • Enrollment status (full/part-time, not enrolled)
  • Major
  • Advisor
  • College
  • Class
  • Academic awards and honors
  • Degree received
Other
  • Financial data on public sponsored projects
  • Course offerings
  • Invoices and purchase orders
  • Budgets
Student Directory Information* - This information is public unless the student has requested non-disclosure (suppress).
Home Address* - Considered public information unless employee has requested non-disclosure (suppress).
Home Telephone Number* - Considered public information unless employee has requested non-disclosure (suppress).


Private data includes information that the NDUS or institution is under legal or contractual obligation to protect. Private information may be copied and distributed with the NDUS only to authorized users. Private information disclosed to external authorized users must be done so under a non-disclosure agreement. Private data elements include:

Employee Information
  • Employee ID Number
  • Birth Date
  • Location of Assets
  • Donors
  • Gender
  • Ethnicity
  • Citizenship
  • Citizen visa code
  • Veteran and disabled status
Non-Directory Student Information*
  • Grades
  • Courses taken
  • Schedule
  • Test scores
  • Advising records
  • Educational services received
  • Disciplinary actions
  • Student ID number
Non-directory Student Information* - May not be released except under certain prescribed conditions

Confidential data is information that is not to be publically disclosed. The disclosure, use, or destruction of confidential data can have adverse effects on the ND University System or the institution and possibly carry significant civil, fiscal, or criminal liability. This designation is used for highly sensitive information whose access is restricted to selected, authorized employees. The recipients of confidential information have an obligation not to reveal the contents to another individual unless that person has a valid "need to know" for the information. Confidential information must not be copied without authorization from the owner. Confidential data elements include:
  • Legal investigations conducted by the institutions
  • Sealed bids
  • Trade secrets or intellectual property such as research activities
  • Social Security Number
  • Gross pension
  • Value & Nature of Fringe Benefits
  • Health Records
  • Passwords
  • Credit/Debit Card Information
The owner of the data is the one whom the data belongs to. For example, a person owns his/her social security number, date of birth, and address.

The custodians of such data are employees, departments, colleges, research centers, and extension offices responsible for the integrity, confidentiality and availability of the data. It shall be the responsibility of the owner/custodian of the data to classify the data. However, all individuals accessing data are responsible for the protection of the data at the level determined by the owner/custodian of the data as mandated by law. Any data not yet classified by the owner/custodian shall be deemed Confidential. Access to data items may be further restricted by law, beyond the classification systems of the NDUS or VCSU.

Social Security Numbers

Do not use SSNs as a key field or as an identifier for files, spread sheets, data bases, and correspondence. If possible, it is recommended to avoid including the SSN in any type of file or document. An alternative would be to use the EmplID or Student ID.

If there is a business need to use the SSN in files and documents, the data must be secured and available only to those who have a need to know.

If you use a laptop and travel, it is recommended the hard drive of the laptop's hard drive be encrypted.

Never attach documents containing SSN's or other personally identifiable information to email. It is possible the transmission may not be secure.

Credit Card Information

Credit card information is protected under the Payment Card Industry Data Security Standards and by various federal and state laws. When accepting, using, and storing credit card information, these guidelines must be followed.
  • Must not store any magnetic stripe information, including security codes, CVV/CVC, PIN number, CVV2/CVC2.
  • Credit card receipts must only show the last four digits of the card. The CVV2 and/or the expiration data must not be printed on the receipt.
  • Do not accept credit card information via electronic messaging.
  • If credit card information is received over voice mail, delete immediately.
  • Within the office/department, there must be separation of duties for accepting and processing credit cards.
VCSU uses a secure third party service provider, TouchNet, to accept credit cards payments. Please contact the Director of Business & Financial Services for more information on how to use this service.


Sponsor: Vice President for Business Affairs
Effective: May 1, 2009