Confidential Data FAQ*

What is confidential data?

Confidential data is any sensitive data that is protected by law or policy. Examples include, but are not limited to, grades, SSN data, credit cards, biometric identifiers, medical records, birth dates, personal vehicle information, patient names or addresses, building access codes, and insurance or health plan information. A more complete list can be found at http://security.utexas.edu/policies/extended-cat-1.html

Data that would not otherwise be confidential data can also be classified as confidential data because of requirements for confidentiality, integrity, or availability. For example, data that must always be available in order to conduct university business would be confidential data for availability, even if it does not meet the other criteria for confidential data.

Can I store confidential data on my University-owned office machine?

Yes, but you are required to implement appropriate technical security measures to protect the data consistent with the University Minimum Security Standards.

Can I store confidential data on my personal (non-university-owned) machine?

No, unless special permission has been granted for the specific data and the device is encrypted.  Confidential data may not be stored on any personally-owned device without documented permission from the data owner.

Can I take confidential data home with me?

No, unless special permission has been granted for the specific data and the device is encrypted.  Confidential data may not be stored on any portable device, or any device that faculty and staff use at home (whether personally or departmentally owned) without documented permission from the data owner.  Confidential data must be encrypted when it is stored on portable devices or any device that faculty and staff use off campus.

Can I print confidential data?

Yes. Sensitive data should be retrieved from the printer immediately. You should safeguard printed confidential data the same way as electronic confidential data. For example, this might mean storing printouts in a locked file cabinet, or shredding them before disposal.

 

*Per the updated Information Resource Use and Security Policy, data categorization has been renamed. Category I data is now called confidential data, Category II data is now called controlled data, and Category III data is now called published data. For more information, please read the Information Resource Use and Security Policy at https://security.utexas.edu/policies/irusp .

Written by CNS OIT staff