In today's universe, protecting confidential data is crucial. NDSU is a custodian of personal information belonging to students, staff, faculty, researchers, and those who use its outreach services. As custodian of that information, NDSU is responsible for protecting and securing personal, student-related, financial, and health information, as well as intellectual property, from misuse, theft, compromise, and unauthorized disclosure. As an employee of NDSU, it is your responsibility to
HIPAA (Health Insurance Portability Accountability Act), 1996. A federal law that protects personal health information.
The North Dakota University System Data Classification Standard was developed to identify and clarify the definition of data types within a university. Any data asset of the NDUS or the Institution shall be classified as Public, Private, or Confidential.
Public data is defined as data that any entity either internal or external to the ND University System can access. The Open Records law of North Dakota may apply. Public data elements include
Private data includes information that the NDUS or institution is under legal or contractual obligation to protect. Private information may be copied and distributed within the NDUS only to authorized users. Private information may be disclosed to authorized external users only under a non-disclosure agreement. Private data elements include
Confidential data is information that is not to be publicly disclosed. The disclosure, use, or destruction of confidential data can have adverse effects on the ND University System or the institution and possibly carry significant civil, fiscal, or criminal liability. This designation is used for highly sensitive information whose access is restricted to selected, authorized employees. The recipients of confidential information have an obligation not to reveal the contents to another individual unless that person has a valid "need to know" for the information. Confidential information must not be copied without authorization from the owner. Confidential data elements include
The owner of the data is the one to whom the data belongs. For example, a person owns his/her social security number, date of birth, and address.
The custodians of such data are employees, departments, colleges, research centers, and extension offices responsible for the integrity, confidentiality, and availability of the data. It shall be the responsibility of the owner/custodian of the data to classify the data. However, all individuals accessing data are responsible for the protection of the data at the level determined by the owner/custodian of the data as mandated by law. Any data not yet classified by the owner/custodian shall be deemed Confidential. Access to data items may be further restricted by law, beyond the classification systems of the NDUS or NDSU.
| Confidential | Private | Public | |
|---|---|---|---|
| Legal investigations conducted by the institutions | Employee ID number | **Employee Information** | **Student Directory Information\*** |
| Sealed bids | Birth date | Name | Name |
| Trade secrets or intellectual property such as research activities | Location of assets | Salary | Address |
| Social Security Number | Donors | Expense reimbursements | Telephone number |
| Gross pension | Gender | Job titles | Electronic (e-mail) address |
| Value and nature of fringe benefits | Ethnicity | Job descriptions | Dates of enrollment |
| Health records | Citizenship | Education and training | Enrollment status (full/part-time, not enrolled) |
| Passwords | Citizen visa code | Previous work experience | Major |
| Credit/debit card information | Veteran and disabled status | First and last employment | Advisor |
| **Non-Directory Student Information\*** | | Existence and status of complaints | College |
| Grades | | Terms of buy-out agreements | Class |
| Courses taken | | Final disposition of disciplinary action | Academic awards and honors |
| Schedule | | Work location | Degree received |
| Test scores | | Work phone number | |
| Advising records | | Work electronic (e-mail) address | |
| Educational services received | | Honors and awards received | |
| Disciplinary actions | | Payroll time sheets | |
| Student ID | | Home address\* | |
| | | Home telephone number\* | |
| | | **Other** | |
| | | Financial data on public sponsored projects | |
| | | Course offerings | |
| | | Invoices and purchase orders | |
| | | Budgets | |

Non-Directory Student Information* - May not be released except under certain prescribed conditions.
Student Directory Information* - This information is public unless the student has requested non-disclosure (suppress).
Home Address* - Considered public information unless employee has requested non-disclosure (suppress).
Home Telephone Number* - Considered public information unless employee has requested non-disclosure (suppress).
Do not use SSNs as a key field or as an identifier for files, spreadsheets, databases, and correspondence. If possible, it is recommended to avoid including the SSN in any type of file or document. An alternative would be to use the EmplID or Student ID.
If there is a business need to use the SSN in files and documents, the data must be secured and available only to those who have a need to know.
If you use a laptop and travel, it is recommended that the laptop's hard drive be encrypted.
Never attach documents containing SSNs or other personally identifiable information to email. It is possible the transmission may not be secure.
Credit card information is protected under the Payment Card Industry Data Security Standards and by various federal and state laws. When accepting, using, and storing credit card information, these guidelines must be followed.
NDSU uses a secure third-party vendor, TouchNet, to accept credit cards. Please contact NDSU Customer Account Services, Karin Hegstad or Carrie Peterson, for more information on how to use this service. If you want to implement another vendor or method of collecting credit card payments, please read NDSU policy 509, Electronic Financial Transactions.