Type | Description | Examples

Attorney/Client Privileged Information
Description: Confidential communications between a client and an attorney for the purpose of securing legal advice. For the privilege of confidentiality to exist, the communication must be to, from, or with an attorney.
Examples:
Communications related to a lawsuit.
Communications related to a contract, such as email between the Office of the General Counsel and Procurement Services related to a contract dispute with a vendor.

Export Controlled Research (ITAR, EAR)
Description: Export Controlled Research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern this data type. Current law requires that this data be stored in the U.S. and that only authorized U.S. persons be allowed access to it.
Examples:
Chemical and biological agents
Scientific satellite information
Certain software or technical data
Military electronics
Certain nuclear physics information
Documents detailing work on new formulas for explosives

IT Security Information
Description: IT Security Information consists of information that is generated as a result of automated or manual processes that are intended to safeguard the university’s IT resources. It includes settings, configurations, reports, log data, and other information that supports IT security operations.
Examples:
IT security program plans
IT security incident information
Access and authentication logs
Firewall rules

Other Sensitive Institutional Data
Description: According to university policy, data will typically be classified as sensitive if any of the following are true:

Unauthorized disclosure may have serious adverse effects on the university’s reputation, resources, or services or on individuals
It is protected under federal or state regulations.
There are proprietary, ethical, or privacy considerations.
Examples:
Due to the nature of the definition of sensitive data, it is impossible to have an exhaustive list of sensitive data examples. While the most common types of sensitive data are already included in this guide, there are many other examples of sensitive data, including:

Public safety and security information
Certain types of information about hazardous substances
Certain types of blueprints and building plans
Proprietary information such as computer source code developed at the university
Certain types of information related to university investments and investment planning
Certain types of information related to university insurance claims
Information about misconduct proceedings
Animal research

Personally Identifiable Information (PII)
Description: Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person, such as an employee, student, or donor. PII should be accessed only on a strict need-to-know basis and handled and stored with care.

PII is information that can be used to uniquely identify, contact, or locate a single person. Personal information that is “de-identified” (maintained in a way that does not allow association with a specific person) is not considered sensitive. Note that UWFID numbers by themselves are not considered sensitive or private personal information.

University policies, contractual obligations, and federal and state laws and regulations require appropriate protection of PII that is not publicly available. These regulations apply to PII stored or transmitted via any type of media: electronic, paper, microfiche, and even verbal communication.

PII does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Examples:

For Everyone at UWF:

Social Security number (There are additional restrictions on where Social Security numbers can be stored and shared.)
National ID number
Passport number
Visa permit number
Driver's license number
Bank and credit/debit card numbers
Tax information (e.g., W-2, W-4, 1099)
Disability information
Ethnicity
Gender
The location of an individual at a particular time
Web sites visited
Materials downloaded
Any other information reflecting preferences and behaviors of an individual
Internet Protocol (IP) address (source and destination) in conjunction with other PII. IP address may identify an individual originating a transaction as well as the recipient.
For Employees:

Biographic/demographic data
Date and location of birth
Country of citizenship
Citizenship status
Marital status
Military status
Criminal record
Home address
Grievance information
Discipline information
Leave-of-absence reason
Payroll and benefits information
Health information (There are additional restrictions on where Protected Health Information can be stored and shared.)
For Students:

See Student Education Records
For Donors:

Biographic/demographic data
Contact information
Prospect data
Gift and gift-planning data

Protected Health Information (HIPAA)
Description: Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the

Past, present, or future physical or mental health or condition of an individual.
Provision of health care to the individual by a covered entity (for example, hospital or doctor).
Past, present, or future payment for the provision of health care to the individual.
Researchers should be aware that health and medical information about research subjects may also be regulated by HIPAA.
Examples:
The following individually identifiable data elements, when combined with health information about that person, make such information protected health information (PHI):

Names
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
License plate numbers
URLs
Full-face photographic images
Any other unique identifying number, characteristic, code, or combination that allows identification of an individual

Sensitive Identifiable Human Subject Research
Description: Sensitive identifiable human subject research data is regulated by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data.

A human subject is defined by federal regulations as a “living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.”

“Identifiable” means the information contains one or more data elements that can be combined with other reasonably available information to identify an individual (for example, Social Security number, health care record).

Personally identifiable data is sensitive if disclosure of such data would pose increased social/reputational, legal, employability, or insurability risk to subjects.
Examples:
Sensitive identifiable information may include research data referring to

Illegal behaviors
Drug or alcohol abuse
Sexual behavior
Mental health or other sensitive health or genetic information
Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered sensitive.

Social Security Numbers
Description: Social Security numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, social benefits, and other purposes. Social Security numbers are a primary target for identity thieves. They fall into the UWF category of sensitive Personally Identifiable Information (PII) and Protected information. UWF has not used Social Security numbers as identifiers for students and employees since 2004.

Student Education Records (FERPA)
Description: Records that contain information directly related to a student and that are maintained by the University of West Florida or by a person acting for the university. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records. Directory information about a student is not regulated by FERPA and can be released by the university without the student's permission. Students can request non-disclosure from the UWF Registrar's Office.
Examples:
Student transcripts and grades
Degree information
Class schedule
Advising records
Disciplinary records
Athletics or department recruiting information
Wire transfer information
Financial aid, accounting, and loan information
Student tuition bills
Other non-directory information

Student Loan Application Information (GLBA)
Description: Personal financial information held by financial institutions and higher education organizations as related to student loan and financial aid applications. Gramm-Leach-Bliley Act (GLBA) provisions govern this data type.
Examples:
Student loan information
Student financial aid and grant information
Payment history

Credit Card or Payment Card Industry (PCI) Information
Description: Information related to credit, debit, or other payment cards. This data type is governed by the Payment Card Industry (PCI) Data Security Standards and overseen by the University's Office of Internal Auditing. Credit or debit card numbers cannot be stored in any electronic format without the expressed, written consent of the UWF Financial Services Office and the Office of Internal Auditing. Those offices (along with ITS for implementation) are responsible for the only PCI-compliant network segment at the university.

If, for example, your unit is hosting a conference and needs to accept credit card payment for registration fees, contact the University's Financial Services Office to arrange for this. You cannot handle the transactions using departmental computers.

Restrictions listed here do not apply to your own personal credit card information. However, it is recommended that you follow the same precautions with regard to your own personal information as you would with university data.
Examples:
Cardholder name
Credit/debit card account number
Credit/debit card expiration date
Credit/debit card verification number
Credit/debit card security code

Federal Information Security Management Act (FISMA) Data
Description: The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for information technology systems and store the data on U.S. soil. This means that, under some federal contracts or grants, information the university collects or information systems that the university uses to process or store research data need to comply with FISMA.

Whether data is regulated by FISMA is typically called out in a Request for Proposal (RFP) or in contract or grant language. It is important that researchers review grant and contract language closely to identify FISMA or other information security requirements.

Examples of research work that might be regulated by FISMA include research in which data is provided by federal organizations such as:

National Institutes of Health
NASA
Department of Veterans Affairs