Web U-M ITSS only
itss2008banner_blue-tabs
ITSS logo
Home students Faculty & Staff IT Security Community
Events
Training
Services
Tools & Tips
Links
Report an IT Security Incident
About IIA
Contact Us
F.A.Q.
Home Sensitive Data - Examples

Sensitive Data - Examples

Much of the data identified as sensitive is about individuals; this data is typically known as Private Personal Information (PPI).  Other data deemed sensitive by the University includes security information and sensitive legal documents.

Sensitivity is sometimes determined by the context in which the item appears, and could change over time. Therefore, it’s not feasible to provide an inclusive list of all sensitive data items. Rather, here is a list of examples:

Sensitive Data - Examples

Private Personal Information (PPI)

Private Personal Information (PPI) is a category of sensitive information that is associated with an individual person. PPI may be used to:

  • uniquely identify, contact, or locate a single person
  • enable disclosure of non-public personal information

Personal information that is “de-identified” (aggregated in a way that does not allow association with a specific person) is not considered sensitive.

Appropriate protection of PPI that is not publicly available is required by federal and state regulations, contractual obligations and University policies. These regulations apply to PPI stored or transmitted on any type of media – electronic, paper, microfiche, and even verbal communication

PPI should be accessed only on a strict need-to-know basis and handled with care. For more information about protecting PPI, please refer to Privacy Matters. 

Private Personal Information Relating to Categories of Individuals:

Employee

The University requires protecting the confidentiality of certain personal data items associated with employees including:

    • Social Security Number
    • National ID Number
    • Bank Account Numbers
    • Tax Information (W2, W4, 1099)
    • Date/Location of Birth
    • Country of Citizenship
    • Citizenship Status
    • Visa permit Data
    • Driver’s License
    • Gender
    • Ethnicity
    • Disability Information
    • Marital Status
    • Military Status
    • Criminal Record
    • Home Address
    • Grievance Information
    • Discipline Information
    • Leave of Absence Reason
    • Benefit Information
    • Health Information

Student

The University defines policies for handling and accessing student records in compliance with the Family Educational Rights and Privacy Act (FERPA).  According to FERPA, disclosure of student education records normally requires the consent of the student. (The right to control access to a student’s educational record transfers from the parent to the student when he/she reaches the age of eighteen or attends a school beyond the high school level.)

Examples of data items contained in student education records include but are not limited to:

  • Grades / Transcripts
  • Class lists or enrollment information
  • Student Financial Services information
  • Athletics or department recruiting information
  • Credit Card Numbers
  • Bank Account Numbers
  • Wire Transfer information
  • Payment History
  • Financial Aid / Grant information / Loans
  • Student Tuition Bills
  • Ethnicity
  • Advising records
  • Disciplinary records

 

Information categorized as “Directory Information” under FERPA is considered public information, unless students specifically request that their directory information not be disclosed.  The University of Michigan has designated the following items as “Directory Information”:

  • Name
  • Permanent and Local Address and Telephone
  • U-M School or College
  • Class Level
  • Major Field
  • Dates of Attendance
  • Degree Received and Date Awarded
  • Honors and Awards Received
  • Participation in Recognized Activities
  • Previous Schools Attended
  • Height and Weight of Members of Intercollegiate Athletic Teams

 

For more information about FERPA, please refer to http://www.umich.edu/~regoff/ferpa/ .

Protected Health Information

Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) includes individually identifiable information that is:

  • Created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Examples of information protected under HIPAA include:

  • Patient Names
  • Street Address, City, Country, Zip Code
  • Dates related to individuals
  • Phone Numbers
  • Social Security Number
  • Account Numbers
  • Patient admission date
  • Patient discharge date
  • Medical record number
  • Patient number: Facility assigned
  • Unique patient number: ORS assigned
  • Procedure dates
  • Carrier codes (Insurance/HMO Name)
  • Patient zip-code
  • Health care professional ID
  • Health care facility ID
  • Fax number
  • Health plan beneficiary numbers
  • Email addresses
  • Internet Protocol Address Numbers (IP addresses)
  • Web Universal Resource Locators (URLs)
  • Device identifiers and serial numbers
  • Certificate/License numbers
  • Vehicle identification numbers and serial numbers
  • Full face photographic images and any comparable images
  • Biometric identifiers such as finger and voice prints
  • Any other unique identifying number, characteristic, or code.

For more information about HIPAA, please refer to www.med.umich.edu/u/compliance and www.hhs.gov/ocr/hipaa.

Customer

The University requires protecting the confidentiality of private personal information provided by “customers” of the University in accordance with the Gramm-Leach-Bliley Act (GLBA).  This includes information that is:

  • Provided to obtain (or in connection with) a financial product or service
  • Results from any transaction involving a financial product or service between the University and a customer

Examples of services or activities which the University may offer, which could result in the creation of customer information protected under GLBA include but are not limited to:

  • Student (or other) loans, including receiving application information, and the making or servicing of such loans
  • Credit counseling services
  • Collection of delinquent loans and accounts
  • Check cashing services
  • Real estate settlement services
  • Issuing credit cards or long term payment plans involving interest charges
  • Obtaining information from a consumer report

Examples of customer private personal information include but are not limited to:

  • Social Security Number
  • Credit Card Number
  • Account Numbers
  • Account Balances
  • Any Financial Transactions
  • Tax Return Information
  • Driver’s License Number
  • Date/Location of Birth

For more information about GLBA, please refer to:
https://www.safecomputing.umich.edu/download/info_security_program_jan2007.pdf

Research Subject

Federal regulations for human research require protecting the confidentiality of any records containing individually identifiable information about human subjects participating in research studies.  Examples of human subject related information:

  • Research Results
  • Medical Records
  • Any other information collected about research subjects that can be directly linked to them

For more information about the protection of human subject information, please refer to:
http://www.hhs.gov/ohrp/humansubjects/guidance/45cfr46.htm#subparta
http://privacyruleandresearch.nih.gov/ 
http://grants2.nih.gov/grants/policy/coc/

Donor

The University requires protecting the confidentiality of non-public personal information relating to donors such as:

  • Name
  • Degree Information (Graduating Class & Degree(s))
  • Credit Card Numbers (this is typically not kept but in case it is)
  • Bank Account Numbers
  • Social Security Numbers
  • Giving History (Amount/what donated)
  • Telephone/Facsimile Numbers
  • E-mail, URLs
  • Employment Information
  • Family information (spouse(s)/children/grandchildren)
  • Medical History (alumni/family who have major medical procedures performed at UM Hospital)

Private Personal Information Relating to Any Individuals

Social Security Number

The University handles social security numbers with a high degree of security and confidentiality.  This policy is consistent with the Michigan Social Security Number Privacy Act, which became effective in January 2006. 

For more information, please refer to SPG 601.14 and to http://www.legislature.mi.gov/(umv2ac45dnxufayrcenxe545)/mileg.aspx?page=GetMCLDocument&objectname=mcl-Act-454-of-2004

Credit Card Information Protected under PCI-DSS

The Payment Card Industry Data Security Standard was designed by major credit card companies to protect cardholder account information.  The University is required to protect cardholder account information provided to units that process credit card payments. Protected information includes:

  • Credit Card Numbers/Expiration Dates
  • Transaction Information

For more information about the PCI Data Security Standard and its implementation at the University, please refer to
https://www.safecomputing.umich.edu/download/PCIComplianceAtUofMv1_1-Final.pdf

Personal Information Protected under Michigan Notification of Security Breach

This bill amends the Identity Theft Protection Act and requires the University to notify a Michigan resident whose personal information might have been acquired by an unauthorized person. 

The law covers personal identification information such as name, number, or other information that can be used for the purpose of identifying a specific person or providing access to a person’s records. Protected personal information includes but not limited to:

  • name
  • address
  • telephone number
  • driver license or state personal identification card number
  • social security number
  • place of employment
  • employee identification number
  • employer or taxpayer identification number
  • government passport number
  • health insurance identification number
  • mother's maiden name
  • demand deposit account number
  • savings account number
  • financial transaction device account number or the person's account password
  • stock or other security certificate or account number
  • credit card number
  • medical records or information
  • vital record

For more information please refer to:
http://www.legislature.mi.gov/documents/2005-2006/publicact/htm/2006-PA-0566.htm
http://www.legislature.mi.gov/(S(mpmedj55thbfd345f511zs55))/mileg.aspx?page=getObject&objectname=mcl-445-71

IT Security Information

IT security information consists of information that is generated as a result of automated or manual processes that are intended to safeguard the University’s IT resources.  Processes which generate security information include but are not limited to:

  • authentication (e.g., log on/off)
  • network-based filtering (e.g., router Access Control List and firewall logging)
  • authorization (e.g., audit trails enabled to record access to files or records)
  • vulnerability scanning (e.g., the output generated by a vulnerability scanner against an asset)
  • security incident response (e.g., per SPG 601.25, the description of a security incident)
  • risk assessment  (e.g., the detailed report from a risk assessment process detailing risks that are present in a given system)
  • security planning (e.g. the designs and documentation of security architectures and plans)

IT security data includes but is not limited to the following:

  • access and authorization audit logs generated by operating systems, applications, and other protection-oriented processes
  • login / logoff transactions (successful and unsuccessful)
  • intrusion detection signatures, logs, and alerts
  • firewall policies, logs, and alerts
  • risk assessment results
  • incident reports and details stemming from breaches and suspicious events
  • vulnerability scanning results
  • security configurations of computers, networks, and other IT elements

More about stewardship of IT Security Information at https://www.safecomputing.umich.edu/umonly/SecInfoFAQ.html

Last modified November 09, 2009