Sensitive Data Best Practices
What is Sensitive Data?
Students, faculty, and staff interact with data on a daily basis. It is important to understand that all data cannot be treated equally in terms of how we store, share, and dispose of it. LSU categorizes data in three ways:
- Confidential Data is the most sensitive classification and LSU students, faculty and staff are required
by law to protect it. Examples of confidential data include:
- Social Security Numbers
- Credit Card Numbers
- Health Records
- Financial Records
- Student Records
- Private Data is not considered confidential, but reasonable effort should be made so that it does
not become readily available to the public. Examples of private data include:
- Research Data
- Personal Contact Data
- Proprietary information
- LSU ID (i.e. 89 number)
- Public Data is suitable for public consumption and protection of the data is at the discretion
of the owner. Examples of public data include:
- Public budget data
- Employee contact data
- Departmental Websites
How can I protect Sensitive Data?
Encryption is the most effective way to protect your data from unauthorized access. Encryption can be defined as transforming the data into an alternative format that can only be read by a person with access to a decryption key.
There are various resources available to encrypt data that you store on your machine. Some readily available options include Bitlocker on the Microsoft Windows platform and FileVault for Mac OS X. More information can be found here.
If you are transmitting sensitive data, you must use an encrypted communication channel. For web based transmission, always ensure that the web site is protected by SSL. For FTP transmissions, make sure you are using a secured variety of the protocol (i.e. SFTP or FTPS). Another convenient option at LSU is FilestoGeaux, which is a web based service that allows LSU users to upload files they want to share to a secure LSU web server.
How should I dispose sensitive data?
Eventually it may become necessary to dispose data or devices containing LSU data. When doing so, remember the following:
- Disposing media (disks, tapes, hard drives) that contains confidential information must be done in a manner that protects the confidentiality of the information. ITSP recommends DBAN.
- Shred paper based media with confidential data when it is no longer needed. Do not discard confidential information in the trash.
- Do not take confidential information off campus unless it is encrypted.
Here are some additional things to consider when dealing with LSU data:
- Do not transmit confidential data via wireless technology, email, or the Internet unless the connection is secure, or the information is encrypted.
- Password protect all confidential data, and accounts with access to confidential data.
- Do not share passwords, and do not write passwords down.
- Do not store unencrypted confidential information on PDA, laptop computer/desktop computer's hard drive, USB drive, CD, flash memory card, floppy drive, or other storage media.
- Eliminate the use of forms that ask for confidential information whenever possible.
- Do not store confidential information obtained from LSU systems on media or other systems unless required by the University or by law.
- Always lock computers, offices, desks, and files that contain confidential information when unattended.
- Do not publicly display confidential data, or leave confidential data unattended.
- Do not share confidential documents or information with anyone unless required by government regulations, specific LSU job responsibilities, or business requirements. Be prepared to say "no" when asked to provide that type of information.
- Do not communicate confidential information to others unless you know they are approved to handle confidential information.
- Notify Information Technology Services (ITS) and the data steward if you suspect confidential information may have been compromised.
If you have any doubts or questions about confidential information, please reach out to ITSP at email@example.com.