Confidential Data

Confidential data refers to business sensitive, personally identifiable information (PII) or otherwise regulated data not intended for disclosure outside the organization.  

The University of Dayton is required to comply with regulations such as:

• Family Educational Records Protection Act (FERPA)
• Health Information Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standards (PCI-DSS)

The University of Dayton policy on Electronic Use of Confidential Data details the types of data used by the University. The charts can be used to assist with identifying and securing sensitive information within the University. Those who require access to confidential data are required to abide by UD's Confidentiality Agreement and submit a Confidentiality Agreement Form. 

Laptop Encryption

The loss or theft of laptops and mobile devices presents a great risk to personally identifiable information (PII) and intellectual property potentially stored on these devices. The Board of Trustees and President's Council has directed that all University laptops incorporate a standard, full disk encryption solution with initial and annual costs borne by the unit purchasing the laptop.

Please contact your unit's IT staff or the UDit Risk Management Office (itriskmgmt@udayton.edu, 937-229-4387) if you have questions or an immediate need for encryption on your device.

Understand Data Protection Requirements

Faculty and staff at UD use a wide variety of electronic information to facilitate University business. While much of this information is public, misuse of restricted or sensitive data could substantially damage UD’s reputation or put our institution at legal and financial risk. 

• Regulated or Personally Identifying Information (PII): Information to which access must be restricted due to contractual or legal/regulatory considerations. Examples: student academic record (FERPA), social security numbers, credit card data (PCI), personal health information (HIPAA)

• Business Sensitive: Information of value to UD or which, if lost, might adversely impact our environment. Examples: Proprietary research, pay scales and donor data

• Public: Information with no existing local, national or international legal restrictions on access. Public information may or must be open to the general public. Examples: course catalog, directory information

See UD's Electronic Use of Confidential Data Policy for more information about classifying the types of data you use.

Locate Personally Identifiable Information (PII)

Tools that assist in finding personally identifiable information on your computing devices include:

• Cornell Spider - http://www.it.cornell.edu/services/spider/howto/index.cfm
   
• IdentityFinder - http://www.identityfinder.com/us/Home/Free (personally owned machines only, free version may not be used on UD owned computers or laptops)

Report IT Security Incidents

An IT Security Incident is any adverse event which compromises some aspect of computer or network security.

Security incidents that must be reported include:

• Compromise of user credentials (when there is reason to believe this has led to unauthorized access or loss of confidential data)

• Lost or stolen laptop

• Lost or stolen removable media containing sensitive UD information (CD, DVD, USB flash drive, external hard drive, smart cards)

• Malware or virus-infected computer (when there is reason to believe this has led to unauthorized access or loss of confidential data)

All incidents should be taken seriously and reported according to UD's policy on IT Incident Handling.  When in doubt, report it!