A. Understand the Terms
‘Sensitive data’ is a blanket term used to designate classes of data with a high level of sensitivity that the University is legally or contractually required to protect. Based on the University's data classification model, sensitive data at UMass Amherst refers to confidential and restricted data. A few tips:
Remember the definitions of confidential and restricted data.
Restricted data is defined as confidential data with the highest level of sensitivity (e.g., ethnicity, Social Security Numbers). All policies referring to confidential data also apply to restricted data.
When coming across other terms for sensitive data, refer back to the University's data classifications.
Sensitive data may be referred to as ‘protected information’, ‘personally identifiable information (PII)’, etc. Designations will vary depending on policy or legal statute. Always refer back to the definition of sensitive data at UMass Amherst and the University's data classifications when coming across additional terminology.
When in doubt, assume University data is confidential.
If you are not sure how to classify a piece of data, check with your supervisor. As a rule, err on the side of caution and assume University data is confidential. This means choosing a secure storage option and declining to share it with others.
B. Understand the Context
Even if it may not be apparent at first, most departments on campus work with sensitive data. A few common examples of sensitive data are described below. Depending on your department’s business processes, you may have access to additional sensitive data.
Travel & Purchasing Data
If you are processing travel documents (e.g., mileage and other travel expense reimbursements), you will often work with credit card and other sensitive financial information.
If you are responsible for making purchases for your department, you are likely to use a University-issued Procard and keep track of departmental transactions.
If you are an instructor, you will handle class rosters, student grades, SPIRE IDs, or assignments.
If you are an advisor, you may keep advising notes and other details related to a student’s academic progress.
If you are working with academic records, you may process enrollment overrides, holds and other service indicators, scholarship information, and other student data.
If you are part of a graduate admissions committee, you will work with applicant names and application materials.
For more information on education records, see the FERPA Tutorial (pdf, 151k) and Instructors' Guide to Information Security (pdf, 1130k).
Faculty, students, and departmental support staff often work with human subject and other research data they are contractually obligated to protect.
Departments often store organizational charts, employment applications, and other employment-related materials.
C. Understand Your Responsibilities
Departments are required to keep track of the sensitive data stored on departmental devices, delete this data when no longer needed, and use caution when disseminating this data. Use our Data Protection Action Plan to learn more about your responsibilities when working with sensitive data.
Talk to your supervisor about your department's data security policies.