What is Sensitive Data?

Some information on how to determine if data you have control over is considered sensitive.

Reviewed by Bil Hays 04/29/2014

The security policies in force at UNC CH require that we take measures to secure data that is considered sensitive from unwarranted access. For more information on how ITS defines sensitive data, please see the policy document from ITS Security. Generally speaking, the data we have in Computer Science that would be considered sensitive falls into one of the following areas. Also, it is worth pointing out that your own personal data is yours and you can do with it what you will–these guidelines deal with cases in which a person or organization keeps sensitive data that belong to others. Also, this is not an exhaustive list, just an outline of types of sensitive data that are known to be used here in Computer Science.

Educational data such as grades, covered under FERPA.

The most common sensitive data that fall under FERPA is grades. Any information linking grades to individual students is considered sensitive, but other data are also covered under FERPA guidelines. For example, while FERPA allows disclosure of directory information such as phone number and address or honors and awards, it also requires that schools provide a method for students to request that such information not be disclosed. At UNC this is done by giving everyone the right to request that their data be treated as private. The Registrar has more information on FERPA guidelines, but a quick rule of thumb is that if you can see the data for a particular individual in the online Telephone Directory, it’s not considered sensitive and accessible to the general public.

Personnel Information covered under the State Personnel Act

Article Seven of the State Personnel Act sets guidelines for what personnel data are considered public or confidential. Information of a general nature such as name, age, date of hire, title, and salary are considered public. Other information such as performance reviews are considered sensitive.

Financial Account Information

Any data containing account numbers or codes such as credit card numbers or bank account numbers should be considered sensitive. These data are covered by Chapter 132 of the North Carolina Public Records Act. You can find guidelines for handling such data at the PCI Security Standards Council web site.

Research Data containing personal identifying information

Research data may be considered sensitive if the data contains information that can be linked to an individual. Generally speaking, the process of acquiring and using such data are vetted by UNC’s IRB. Data that has been anonymized is not considered sensitive. Details on the levels of security required for various IRB data are available, contact Computer Services if you need help addressing those requirements.

Raw Network Traces

We do research in networking and computer security, and some of that research requires acquisition of network traffic from multiple computers. Such data are considered sensitive if they are not anonymized.