Data Storage Guidance

Data classification, examples, and storage requirements for government-regulated confidential information, other types of confidential information, and all other electronic information.

Government-regulated Confidential Information

Including:

  • Personal Identifying Information (PII)
  • Protected Health Information (PHI) as specified by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
  • Education records of students, applicants and alumni as defined by the Family Educational Rights and Privacy Act (FERPA)
  • Personally Identifiable Financial information as specified by the Financial Services Modernization Act of 1999 (Gramm Leach Bliley Act or GLB)
  • Human subject research data which falls under the jurisdiction of the university’s Institutional Review Board (IRB)
  • Confidential medical records used to provide an employee with a reasonable accommodation under the Americans with Disabilities Act of 1990 (ADA)
  • Payment card data
  • Social Security, Driver license or Passport numbers
  • Information relating to the physical or mental health condition of an individual
  • Test results, grades, and other academic performance information
  • Student disciplinary records
  • Records received from previously attended academic institutions
  • Information about loans or financial aid received by a student
  • Student financial data
  • Tax ID numbers
  • Banking information
  • Credit and debit card numbers

Store this data in systems of record, such as Colleague and Workday, and refrain from making unnecessary versions or copies of this data outside of the system of record.

If university business requires creating a file or document with this information, store it on a departmental shared drive or personal network storage drive. If it needs to be editable by multiple university employees, it may be stored on Google Drive. Do not store this data on any other cloud drives such as DropBox, MS OneDrive, etc.

Special Note on PCI Data: The university does not permit storage of payment card data within any university system or storage, including all local storage and all cloud storage. Further, payment card information may never be sent or received via electronic mail and may not be retained by the university.


Other Types of Confidential Information

The university deems confidential or is required by contract to keep confidential.

  • Budget and salary information
  • Personnel information such as disciplinary actions or annual reviews
  • Nonpublic information about third parties that the university has a contractual obligation to keep confidential, such as information about suppliers, vendors, sources of funding, grantors, donors, alumni, research partners and sponsors

Store this data on Google Drive, a departmental shared drive or personal network storage drive. Do not store this data on any other cloud drives such as DropBox, MS OneDrive, etc.


All other electronic information

Created or managed as part of your work function.

  • Work products
  • Internal and external correspondence
  • Research data not subject to specific confidentiality requirements

Store this data on Google Drive, a departmental shared drive or personal network storage drive. Do not store this data on any other cloud drives such as DropBox, MS OneDrive, etc.

It is not sufficient to store this data on a computer hard drive or personal storage device, as it must be backed up and accessible by other appropriate individuals in the university. The information may be synced between Google Drive and a local hard drive using Google Drive Sync.