What is Sensitive Data?

Sensitive data is information that should be protected against unwarranted disclosure.

Learning how to appropriately handle sensitive data helps to protect you, the community and the institution.

What to do if you believe that sensitive data is not being handled according to DCP guidelines?

If you or your department work with sensitive data and your processes are not in compliance with the DCP contact InfoSec at infosec@middlebury.edu immediately. We will work with you to identify more secure processes to accomplish your business objectives.

Find out how to work with sensitive data in a new process (business or academic).

Remember that the Data Classification Policy (http://go.middlebury.edu/dcp) is a great place to start. From their you should be familiar with any standards or regulations that govern the data you are working with. Student records and work are governed by FERPA. Research may be governed by NSF regulations. Payment card data is governed by both our PCI policy and the PCI standard. It is up to you and your departmental data stewards to be familiar with this information. InfoSec, infosec@middlebury.edu,  is happy to help you figure this out and help you identify what requirements might apply to your data set.

How do you know if you work with sensitive data?

Start by reviewing Middlebury's Data Classification Policy for definitions and usage guidelines for sensitive data types. http://go.middlebury.edu/dcp 

What should you know about Restricted Data?
  • Should be limited to a business need Only 

  • Payment Card data is not collected or stored for any reason 

  • Storage and retention should be limited to necessity 

  • All regulatory guidelines should be closely followed 

  • All policies regarding restricted data must be closely followed 

  • All persons working with this data should be educated on security concerns and risk around data breach and integrity 

Planning to work with a vendor or online service provider?

Do you work with an online vendor or service provider or are you planning on changing the services offered by a current service provider? Have your service provider complete a security survey at http://go.middlebury.edu/securitysurvey. This will start a security assessment of their current security posture.

Need to access or store sensitive data? 

If you or your department has a business or academic need to store sensitive data, work with Information security to identify the requirements around safe storage of your data set. Contact infosec@middlebury.edu for more assistance.