We regularly receive questions about sharing or storing sensitive information.  While we have several recommendations, first, let’s talk about why you should be concerned about how you share or store sensitive information.

ALL users are responsible for ensuring that their use of sensitive information services complies with laws, regulations, and policies where applicable; it is EVERYONE’s responsibility. Technology can be used to protect information, but there are also human factors like due diligence and common sense. Technology enables us to encrypt and share the information securely. However, if a person becomes the victim of a phishing attack and their credentials are compromised, even encrypted information can fall into the hands of unauthorized persons. It’s almost like handing your house keys and alarm system password to a stranger. They don’t have to “break” in; they can use the key and walk in as the technology does what it’s supposed to do: allow someone with the key (or password) to access the information.

If you need to share/store student grade rolls, p-card information, or other sensitive files electronically, you must think about how you want to give them access to this information and possibly take additional steps to better insure privacy and confidentiality. If you share this information in plain text, such as with regular email or T-Storage, it is more susceptible to interception from hackers and others. To protect this information, you must share it securely with a method that automatically encrypts your data. Office software such as Microsoft Word, PowerPoint, and Excel support the encryption of information in the applications themselves. Email within Office365 can be encrypted using the word ‘encrypt’ in the subject line. Adobe Acrobat supports the password-encryption of information of files.

From a compliance perspective, there are three types of information that we are concerned about: health and medical information, financial and credit card information, and student data. Additionally, a fourth type that may require our due diligence is federally sponsored research, as it also may include federal compliance requirements in the various contracts and data use agreements.

Learn more about the technical ways to protect this data and what options are available for faculty and staff.