Sensitive Data: Defining and Classifying

At Ohio University, the term "sensitive data" refers to the classification of data at a medium or high level that must be protected against unauthorized disclosure. As outlined in University Policy 93.001 Data Classification, data owners must be aware of their data's sensitivity level and how to protect it.

Data Classification

Data Classification is the process of categorizing data into groups to properly manage and store the information based on the sensitivity level. Data at Ohio University is classified as high, medium, or low criticality.

High criticality data includes, but is not limited to, information subject to Ohio Breach Notification Law such as credit card/bank account numbers, social security numbers, and driver's license numbers. Additionally, Protected Health Information and some research data classify as high criticality data.
Medium criticality data includes, but is not limited to, internal business information and financial information.
Low sensitivity data encompasses public information and data that poses little to no risk to the University if disclosed.

Keeping sensitive data safe from inappropriate access and disclosure is of the utmost importance. Ohio University has policies, procedures, and standards in place to protect sensitive data. It is the responsibility of everyone handling sensitive data at Ohio University to be familiar with these policies, procedures, and standards. In addition, it's important to know what steps are needed to protect this data. For more in-depth information on identifying the sensitivity of various data types, view our Data Classification Table (requires a valid OHIO login to view).

Tips for Finding Sensitive Data

Today, it's easy to store thousands of files without a second thought, and it's not uncommon to have files that go back several years. These tips can help locate sensitive information hiding among large amounts of files and file types:

Examine spreadsheets for "hidden" columns, rows, or cells that may contain sensitive data but may not be visible on first opening of the file.
Review potential locations for sensitive data in email, including archived messages you may have stored on your computer.
Use a scanning tool to locate and act upon files containing sensitive information.

Properly Storing Sensitive Data

Part of being a proper data owner is storing sensitive data in secured locations. The Storing Data by Type and Storing Data by Solution guides identify appropriate OIT managed solutions for storing data. Adhering to these guides is an important part of protecting University information. Keep in mind that these guides only list OIT managed solutions. If you store data classified as medium or high sensitivity in an IT service or tool not listed in the guide, contact Information Security to determine if it's appropriate for your data type.

To find an appropriate storage solution, click a column heading to sort or use the Filter box to search for keywords. If you have questions, please consult with the Information Security Office.

Criticality Level by Data Type

Sensitivity Level	Data Type
High Criticality Data	Protected Health Information (PHI) Attorney-Client Privilege Information (ACP) Payment Card Industry Information (PCI) Export Controlled Research (ITAR/EAR) Identifiable Human Subject Research Social Security Numbers Student Education Records (FERPA) - depending on the use case and specific data element
Medium Criticality Data	Student Education Records (FERPA) - depending on the use case and specific data element Personally Identifiable Information (PII) - depending on the use case and specific data element
Low Criticality Data	Student Education Records FERPA - depending on the use case and specific data element Personally Identifiable Information (PII) - depending on the use case and specific data element

Info for:

Log In

Locations

Connect