Working with Sensitive Information
When you use, create, store, or access sensitive information at Tufts, you will need to follow Tufts policies and Massachusetts state, federal, and, in some cases, international laws. Many of these types of sensitive information used at Tufts are listed below. Click on any type to learn more about how to work with that type of information.
Tufts’ Institutional Data Classification and Handling Policy classifies all Tufts information (also called “institutional data”) into three levels:
- Restricted Institutional Data (Highest – Level 3)
- Confidential Institutional Data (Middle Level – Level 2)
- Public Institutional Data (Lowest Level – Level 1)
The section, All Institutional Data, below includes all university information. All of the other types of information listed here are classified as Restricted Institutional Data (also called Restricted Information).
All Restricted Information should be handled with the highest level of confidentiality and security. Follow the Restricted Information Handling Guidelines. The online learning module, Stepping up your Game – 10 Key Strategies for Protecting Tufts Most Sensitive Information, in the Tufts Learning Center summarizes the Guidelines. There is also a Quick Guide for you to use.
The University has also established the Tufts Security and Privacy Program and appointed Information Stewards to support the proper management and handling of Restricted Information.
Institutional data refers to all information that is created, collected, licensed, maintained, recorded, used, or managed by the University, its employees, and agents working on its behalf, regardless of ownership or origin. The electronic and physical systems owned or licensed by Tufts University used to store and access institutional data are institutional systems. Members of the Tufts community are expected to responsibly maintain and use institutional data regardless of the resource used to access or store the data - whether an institutional system, a privately owned resource, or a third-party resource.
Why?
The University is committed to ensuring the value of its institutional data as an institutional resource for the furtherance of our mission of being a student-centered research university dedicated to the creation and application of knowledge.
Getting Started
- Review the Information Stewardship Policy and its three related policies, the Use of Institutional Systems Policy, the Information Classification and Handling Policy, and the Information Roles and Responsibilities Policy. These set forth the responsibilities that University employees have towards institutional data and systems and how to manage them.
- Review business practices with your Information Steward.
Documentation
- Information Stewardship Policy
- Use of Systems Policy
- Information Classification and Handling Policy
- Information Roles and Responsibilities Policy
- Security Policies
- University Records Policy
- Confidential Records Destruction
All acceptance of credit or debit card transactions requires the prior approval of Treasury Operations. Tufts is required to process cardholder data by following the Payment Card Industry Data Security Standard (PCI DSS).
Data Classification: Restricted Institutional Data (Highest - Level 3)
Why?
Using the Tufts network to accept credit card transactions is prohibited because of the liability it produces for the University. Credit card numbers are also subject to regulation by the Massachusetts Data Privacy Laws.
Getting Started
- Review your business practices with the Treasury Operations department to verify that your process is compliant with the PCI DSS and Tufts policy.
- Review the Policy for Accepting Credit Card and eCommerce Payments and complete the application to become a merchant accepting credit card or online payments.
- Also comply with the Restricted Information Handling Guidelines. The online learning module, Stepping up your Game – 10 Key Strategies for Protecting Tufts Most Sensitive Information, in the Tufts Learning Center and the Quick Guide are also available as quick summaries.
Documentation
Banking and financial data often include Personally Identifiable Information, which is protected by federal, Massachusetts and other state laws.
Data Classification: Restricted Institutional Data (Highest - Level 3)
Why?
The University must comply with Massachusetts Data Privacy Laws, other state laws, and federal laws. Misuse of this information may also lead to financial loss for the individuals whose accounts are accessed.
Getting Started
- Never store banking information and credit card numbers on your computer.
- For banking information other than credit or debit card numbers and other Cardholder Data, if you do have a business need for the information, the records should be stored only in a Tufts network drive, in Tufts Box (subject to the Tufts Box Use Guideline), or another Tufts approved location. A device can be left on the T, but a network drive cannot.
- Control access to accounts and minimize the number of people who have access to the records.
- Comply with the Restricted Information Handling Guidelines. The online learning module, Stepping up your Game – 10 Key Strategies for Protecting Tufts Most Sensitive Information, in the Tufts Learning Center and the Quick Guide are also available as quick summaries.
Documentation
At Tufts, Sensitive Personal Information (SPI) includes:
Government-Issued Identifying Numbers
- Social Security numbers
- Driver’s License numbers
- Other Massachusetts ID numbers
- Passport numbers
- All Government ID numbers
Regulated Financial Information
- Credit or Debit card numbers
- Financial Account numbers (e.g. Bank Accounts)
Biometric Indicators for Identity
For example:
- Fingerprints
- Retina Patterns
- Genetic Information
Financial accounts include accounts for individuals, such as those listed on a check, other bank accounts, and accounts at other financial institutions. They include Tufts accounts for individuals where Tufts provides a service or product similar to those provided by a financial institution. They include student loan accounts. They do not include Tufts Dept IDs.
Biometric Indicators for Identity includes any unique biological attribute or measurement that can be used to authenticate the identity of an individual, including, but not limited to, fingerprints, genetic information, iris or retina patterns, facial characteristics, and hand geometry.
Most types of SPI, when combined with a person's name, are also Personal Information under the Massachusetts Data Privacy Laws and Regulations.
Data Classification: Restricted Institutional Data (Highest - Level 3)
Why?
The University must comply with the Massachusetts Data Privacy Laws and all staff, faculty and students are required to follow the University's policies. The unauthorized disclosure of this information could also result in identity theft for the individuals whose information is disclosed.
Getting Started
- Review your work practices with your Information Steward. In this process, evaluate with your Information Steward your need for this information.
- Comply with the Restricted Information Handling Guidelines. The online learning module, Stepping up your Game – 10 Key Strategies for Protecting Tufts Most Sensitive Information, in the Tufts Learning Center and the Quick Guide are also available as quick summaries.
Documentation
Social Security numbers are a subset of Sensitive Personal Information and are also protected under the Massachusetts Data Privacy Laws and Regulations, other state laws, and the Family Educational Rights and Privacy Act (FERPA).
Data Classification: Restricted Institutional Data (Highest - Level 3)
Why?
The University must comply with FERPA, the Massachusetts Data Privacy Laws and other state laws, and all staff, faculty and students are required to follow the University’s policies. The unauthorized disclosure of Social Security numbers could also result in identity theft for the individuals whose Social Security numbers are disclosed.
Getting Started
- Review your business practices with your Information Steward. Also, consider whether you have any paper documents that include Social Security Numbers. In this process, evaluate with your Information Steward your business need for this information.
- If you determine that you have a business need to store Social Security numbers, keep them on network drives or in applications approved by TTS for Social Security numbers, with strictly limited access. If you no longer have a business need for the information, securely delete or destroy the files.
- Review with your Information Steward appropriate use and storage of Social Security numbers, including using encrypted email, not storing Social Security numbers on a laptop or other mobile device that is not encrypted, and storing paper records in a locked container in a secure, locked location.
- Comply with the Restricted Information Handling Guidelines. The online learning module, Stepping up your Game – 10 Key Strategies for Protecting Tufts Most Sensitive Information, in the Tufts Learning Center and the Quick Guide are also available as quick summaries.
Documentation
Students’ Personally Identifiable Information in their student records is sensitive information protected by the Family Educational Rights and Privacy Act (FERPA). However, some personal information that is listed as Directory Information in the University’s FERPA Policy is not categorized as protected information, unless the student has requested a Privacy Block.
Student records are defined as any record maintained by the university or an agent of the university that is directly related to a student, with the exception of employment records, Public Safety records, medical records, and alumni records.
Data Classification: Restricted Institutional Data (Highest - Level 3)
Why?
Student information is protected under FERPA. In addition, there are several university policies aimed at complying with FERPA and protecting students' privacy.
Getting Started
- Store student records on network drives or in Tufts approved applications, like SIS. If you no longer have a business need for the information, securely delete or destroy the files.
- Work with your Information Steward to change your business practices so student records are not stored on individual computers. The records should stay in the application and never need to be copied over to a device. A device can be left on the T, but a network drive cannot.
- Comply with the Restricted Information Handling Guidelines. The online learning module, Stepping up your Game – 10 Key Strategies for Protecting Tufts Most Sensitive Information, in the Tufts Learning Center and the Quick Guide are also available as quick summaries.
Documentation
- FERPA Policy
- Information Classification and Handling Policy
- University Records Policy
- Confidential Records Destruction