Keys to Securing Purdue's Data

Updated - July 2016

Know Data Handling

In order to be good stewards of University data, it is important that we understand the laws and policies that govern how our data is handled.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): Laws and regulations governing the provision of health benefits, the delivery and payment of health care services, and the security and confidentiality of Individually Identifiable and Protected Health Information in written, electronic or oral formats.

Family Educational Rights and Privacy Act of 1974 (FERPA): Federal law designed to protect the privacy of education records. It also provides guidelines for appropriately using and releasing student education records.

Gramm-Leach Bliley Act (GLBA): Requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information.

PCI (Payment Card Industry): A worldwide security standard, to protect card holder information and the merchants and/or processors who store that sensitive information from fraudulent use. 

Authentication, Authorization and Access Controls (S-13): Controls that facilitate access to and protect University IT Resources and data. Access to non-public IT Resources will be achieved by unique User Credentials and will require Authentication. 

Social Security Number Policy (VII.B.7): To ensure that the necessary procedures and awareness exist so that University employees and students comply with both the letter and the spirit of FERPA and Indiana Code Title 4 Article 1 Chapter 8 - State Requests for Social Security Numbers, as amended from time to time. 

For more information on these laws and policies, or others not listed here, visit: https://www.purdue.edu/Business/Security/Policies_Procedures/

Proper Data Handling

Ask yourself:

  • What type of data am I using?
  • How is the data classified?
  • Who will have access to the data and what will they do with it?
  • What do the data handling requirements say?
  • Have I followed the appropriate handling requirements for public, sensitive, or restricted data?
  • Are there alternative ways to handle the data that make it more secure or less likely to be used or viewed by unauthorized individuals?

There are three ways in which we categorize the handling of our data: 

  • Handling of Printed Information
  • Electronically Stored Information
  • Electronically Transmitted Information

For the complete guide to handling all university data, visit: https://www.purdue.edu/securepurdue/data-handling/index.php.

Know How the Data is Classified

The university's data are organized by the area responsible for it. Below is a summary of HR, Finance, and Student restricted data:

  • Restricted Student Data
    • Social Security Number
    • Class schedule information
    • Clinical dictation for transcribing into voice data format
    • Confidential letters of recommendation
    • Credit bureau information
    • Credit card information, application fees, check information
    • Criminal investigation information
    • Disability information
    • Discipline information
    • Donor information
    • Encumbrance information
    • Exam schedule
    • Fellowship awards
    • Financial Aid information
    • Financial info of students or parents
    • Fraudulent records information
    • Grades/GPA/Transcripts
    • Insurance information
    • Litigation information
    • Medical records
    • Minority student information
    • Resume information
    • Salary data collected from former students via surveys
    • Subpoenas for student records
    • Tax record info of students/parents
    • Test scores
    • Veteran's records
    • Witness protection program
  • Restricted Financial Data
    • Social Security Number
    • Credit card (CC) numbers
    • Transactions and balances of selected accounts (i.e. reserves, endowments)
    • GLBA (loan agreements/balances, collection activity)
    • Bank account numbers
    • Grant proposals
  • Restricted HR Data
    • Social Security Number
    • HIPAA (i.e. benefit claims)
    • Employee Background Check
    • Employee ADA information
    • Employee discipline
    • Garnishments/child support
    • Bank account information
    • Ethnicity
    • I-9 Documentation
    • Payroll deduction selections
  • Restricted Government Research Data
    • Data Subject to ITAR, EAR regulations
  • Restricted Third Party/Proprietary
    • Restricted by contractual obligations

Restricted Data (Printed)

Type Requirements
Labeling No special requipment. Some documents should be labeled as "Confidential."
Duplication Receiver of document containing restricted information must not further 
distribute without permission.
Mailing (internal
and external)
No classification marking on external envelope, envelope to be sealed in 
such a way that tampering whould be indicated upon receipt.
Destruction Destroy beyond recognition (shred).
Storage Store in secure location when not in use.

Restricted Data (Electronically Transmitted)

Type Requirements
Fax Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing.  
Printouts are to be picked up as soon as possible.
By voicemail Do not leave restricted information in a voice mail message. Request a callback.
By wireless or cellular 
technology
Encryption required.
Other electronic 
transmissions (email, FTP)
Encryption required.

Restricted Data (Electronically Stored)

Type Requirements
Storage on removeable media (CDs, USB flash drives) Not allowed.
Printing of data Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing.
Storage on fixed media (server) with access controls Encryption not required (exception-HIPAA, FERPA, PCI, GLBA subject to applicable laws).
Storage on fixed media (hard drive) without access controls, but not accessible via the Web Not recommended.

Best Practices

  • Always lock your workstation, mobile device, or laptop when you are not using them. 
  • Create strong passwords with upper/lowercase letters, numbers, and symbols. 
  • Do not store restricted information on your local hard drive. This type of data should always be stored in a secure area protected by access controls on the LAN. 
  • Clear your browser cache monthly. 
  • Do not share your password or login with others. 
  • Encrypt and password protect your mobile devices. 
  • Do not open unexpected email attachments. Verify with the sender that the attachment is legitimate. 
  • Never enable the password “auto-save” feature on your browser. 

Need Training?

Need a review of data handling and security? Visit https://www.purdue.edu/securepurdue/data-handling/index.php using your career account and password.

If you have problems, contact certify@purdue.edu and put Training Problem in the subject box.

Questions?

A Data Steward manages data as a University resource and asset.

For a complete listing of all Data Stewards, visit https://www.purdue.edu/securepurdue/data-handling/data-stewards.php
Questions may also be sent to: datastewards@purdue.edu