Safeguarding Sensitive University Data

Purpose

The purpose of this standard is to establish the process of safeguarding sensitive university data from improper disclosure.

Scope

This standard applies to all faculty, staff, students, and third parties that access sensitive university data. All members of the university community should know what sensitive data is and their responsibility for ensuring the protection of this information.

Standard

Improper disclosure of sensitive data can cause personal and financial harm to students, faculty, and staff, and can cause severe reputational and/or legal damage to the university. For these reasons, it is everyone’s responsibility to safeguard sensitive university data.

Examples of sensitive data include, but are not limited to:

  • Social Security Numbers (SSN)
  • Credit Card Numbers
  • Driver’s License Numbers
  • Protected Health Information (PHI)
  • Personally identifiable patient information
  • Personally identifiable human research subject information
  • Personally identifiable student information
  • Personally identifiable employee information
  • Personally identifiable donor information
  • Proprietary research data
  • Confidential legal data
  • Confidential financial data
  • Other types of sensitive data that should not be shared with the public

A more comprehensive list of data with corresponding sensitivity classifications can be found by viewing Ohio University’s Data Classification Table.

The following are guidelines for securing sensitive university data:

General precautions

  • Enterprise communication systems including email may contain privileged, sensitive or confidential information. As such, the unauthorized duplication or disclosure of the aforementioned information is prohibited as it may result in the violation of federal regulations.
  • Do not download or copy sensitive data from university servers to your devices unless absolutely required, and only once you have documented permission to do so from management.
  • Whenever possible, remove or redact any confidential information from files when sharing with others.
  • Be cautious of creating your own file shares, whereby such data may be accessible by unauthorized individuals.
  • Physically secure devices that can be easily moved, such as laptops, portable USB drives, backup tapes, etc., in accordance with the Mobile Device Standard and Physical Security Standard.
  • Never store unencrypted sensitive data on a portable device.
    • If you absolutely must store sensitive data on a portable device, always use some form of encryption, at a minimum at the file level, but whole disk encryption is highly recommended.
      • Keep the data on such a device only for the shortest period of time you need to accomplish the task.
  • Do not create databases or applications that use SSN as identifiers unless there is an unavoidable business need. Whenever possible, create unique identifiers that do not use an individual’s SSN.
  • If you are storing sensitive data elements, access to this data must be restricted to only those individuals whose job function absolutely requires access to the data.
  • Never download or copy sensitive data to your personally owned computing devices.

Password protections

  • Access to university data must be restricted by using strong passwords, per university policy 91.004 University Credentials.
  • Desktop and mobile devices that contain or provide access to university data must be password protected per university policy 91.004 University Credentials against unauthorized access.

Physical security

  • Computers and devices must be locked when unattended and require password reauthentication upon fifteen (15) minutes of inactivity.
  • Portable media and devices containing university data should always be kept in a location that prevents theft, unauthorized access, or accidental disclosure.

Secure data transmission

  • Forwarding university data to external email accounts is not permitted.
  • When university data needs to be sent outside the university for legitimate business reasons, it must be transmitted securely. If sent via email, it must be encrypted, password-protected, and attached to the email message. The password must be sent separately, such as by phone or voicemail.
  • Whenever university data is transmitted to a third party, for business operations purposes only, it must be transmitted over a secure communication protocol, such as SSL, or secure file transfer protocol (SFTP).

Protections for mobile devices

  • Given the portability of mobile devices, they are more susceptible to loss and theft. The following measures shall be used to secure university data contained on mobile devices.
    • Keep your device secure by keeping it with you or in a physically secured location.
    • Enable strong device passcode protection features and select a passcode or PIN that is difficult to guess.
    • Enable mobile device idle timeout and other device specific locking features when possible.
    • Delete any university data on the device when no longer needed.
    • Enable device encryption so that university data on the device is encrypted. At a minimum, if whole device encryption is not available, use file-level encryption for university data on the device.
    • Enable and configure device tracking features (e.g. Find My iPhone).
    • Use your university issued OneDrive or relevant OneDrive Group to back up files.
    • Keep software updated to protect against vulnerabilities.
    • Minimize the number of apps on your device and only load apps or software on your device that come from a trusted source and are university approved.

Protections for paper files

  • Hardcopy university data must be securely stored to prevent unauthorized or accidental disclosure, and should never be left unattended on copiers, faxes, printers, or other unsecured areas.

Secure disposal

  • When disposing of or transferring ownership of devices, media, or any other form of electronic storage, ensure that the media is properly sanitized in accordance with the information security standard Media Sanitization.
  • When disposing of paper documents that have sensitive university data, individuals should place documents in a shredder or designated bin of a document destruction service. Documents should not be placed in the trash or in campus recycling.

Reporting lost or stolen devices or the suspected disclosure of University data

If you know or suspect that university property or a privately-owned device containing university data has been lost or stolen, promptly contact the campus police department with any identifying information such as make, model, and identifying stickers.

To prevent unauthorized access to your data and accounts, you should change your access passwords as soon as possible, since most mobile devices store passwords so that mobile apps can automatically access remote computer applications without a prompt for username and password.

Definitions

Personally Identifiable Information (PII): any information that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources. Examples of data elements that can be classified as PII include, but are not limited to, fingerprints or other biometric data, email address, telephone number, birth dates, or social security number. Such data elements can be found in sources such as medical, educational, financial, and employment information.

Secure Sockets Layer (SSL) certificates: sometimes called digital certificates, these are used to establish an encrypted connection between a browser or user’s computer and a server or website. The SSL connection protects sensitive data from being intercepted by unauthorized parties during the session.

File Transfer Protocol (FTP): a standard network protocol used for the transfer of computer files between a client and server on a computer network.

References

Policy 91.004 University Credentials 

Policy 91.005 Information Security  

Information Security Standard: Acceptable Encryption  

Information Security Standard: Media Sanitization  

Information Security Standard: Mobile Device  

Information Security Standard: Security Incident Reporting & Breach Notification  

Exceptions

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:

Complete Exception request form.

Governance

This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:

  • Audit, Risk, & Compliance: Josh Gonzalez, Chief Privacy Officer 
  • Audit, Risk, & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance 
  • Faculty: Hans Kruse, Instructor; Emeritus (Scripps College) 
  • Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences) 
  • Faculty: Shawn Ostermann, Associate Professor (College of Engineering) 
  • Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College) 
  • Finance: Julie Allison, Associate Vice President, Finance 
  • Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations 
  • Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security & Digital Accessibility 
  • Regional Higher Education: Larry Tumblin, Director of Information Technology for Regional Higher Education 
  • Research: Kimberly Littlefield, Associate Vice President for Research Administration 

History

Draft versions of this policy were circulated for review and approved March 16, 2026.