Sensitive Data Best Practices
What is Sensitive Data?
Students, faculty, and staff interact with data on a daily basis. It is important
to understand that not all data can be treated equally in terms of how we store, share,
and dispose of it. LSUE categorizes data in three ways:
- Confidential Data is the most sensitive classification, and LSUE students, faculty, and staff are required
by law to protect it. Examples of confidential data include:
  - Student Records
  - Social Security Numbers
  - Credit Card Numbers
  - Health Records
  - Financial Records
- Private Data is not considered confidential, but reasonable effort should be made so that it does
not become readily available to the public. Examples of private data include:
  - Personal Contact Data
  - Proprietary information
  - LSUE ID
  - Research Data
- Public Data is suitable for public consumption, and protection of the data is at the discretion
of the owner. Examples of public data include:
  - Public budget data
  - Employee contact data
  - Departmental Websites
How can I protect Sensitive Data?
Encryption is the most effective way to protect your data from unauthorized access.
Encryption can be defined as transforming the data into an alternative format that
can only be read by a person with access to a decryption key.
If you are transmitting sensitive data, you must use an encrypted communication channel.
For example, with web-based transmission, always ensure that the website is protected
by SSL. For FTP transmissions, make sure you are using a secured variety of the protocol
(i.e., SFTP or FTPS).
Another available option is FilestoGeaux, a web-based temporary storage service that allows LSUE faculty
and staff to upload, through myLSU, files they want to share to a secure LSU web server.
How should I dispose of Sensitive Data?
Eventually it may become necessary to dispose of data or devices containing LSUE data.
When doing so, remember the following:
- Disposing of media (disks, tapes, hard drives) that contain confidential information
must be done in a manner that protects the confidentiality of the information.
- Shred paper-based media with confidential data when it is no longer needed. Do not
discard confidential information in the trash.
- Do not take confidential information off campus unless it is encrypted.
Additional Guidelines
Here are some additional things to consider when dealing with LSUE data:
- Do not transmit confidential data via wireless technology, email, or the Internet
unless the connection is secure, or the information is encrypted.
- Password-protect all confidential data and all accounts with access to confidential data.
- Do not share passwords and do not write passwords down.
- Do not store unencrypted confidential information on a PDA, a laptop or desktop
computer's hard drive, a USB drive, a CD, a flash memory card, a floppy drive, or other storage
media.
- Eliminate the use of forms that ask for confidential information whenever possible.
- Do not store confidential information obtained from LSUE systems on media or other
systems unless required by the University or by law.
- Always lock computers, offices, desks, and files that contain confidential information
when unattended.
- Do not publicly display confidential data, or leave confidential data unattended.
- Do not share confidential documents or information with anyone unless required by
government regulations, specific LSUE job responsibilities, or business requirements.
Be prepared to say "no" when asked to provide that type of information.
- Do not communicate confidential information to others unless you know they are approved
to handle confidential information.
- Notify the Office of Information Technology (OIT) and the data steward if you suspect
confidential information may have been compromised.
If you have any doubts or questions about confidential information, please reach out
to OIT at it@lsue.edu.