Working with Sensitive Information

Certain categories of data used at Tufts must be created, stored, and accessed in accordance with Tufts policy and/or Massachusetts state and federal law. These categories are listed below. Click on any category to learn more about how to secure that type of information.

The electronic and physical systems owned or licensed by Tufts University used to store and access institutional data are institutional systems. All acceptance of credit or debit card transactions requires the prior approval of Treasury Operations.

Why?

Using the Tufts network to accept credit card transactions is prohibited because of the liability it produces for the University. Credit card numbers are also subject to regulation by the Massachusetts Data Privacy Laws.

Getting Started

  1. Review your business practices with the Treasury Operations department to verify that your process is compliant with PCI and Tufts policy.
  2. Review the policy for accepting credit card and ecommerce payments and complete the application to become a merchant accepting credit card or online payments.
  3. Comply with the Tips and Guidelines for Sensitive Personal Information (PDF). The Sensitive Personal Information Guide (PDF) is also available as a quick summary.

Documentation

Policy for accepting credit card and ecommerce payments
Application to Become a Merchant Accepting Credit Card and/or Online Payments
PCI Security Standards
Massachusetts Data Privacy Laws
University Records Policy
Confidential Records Destruction
Information Classification and Handling Policy (PDF)

Banking and financial data often include Personally Identifiable Information, which is protected by federal and Massachusetts laws. This data is also a type of institutional data, which is defined as all information that is created, collected, licensed, maintained, recorded, used, or managed by the University, its employees, and agents working on its behalf, regardless of ownership or origin.

Why?

The University must comply with Massachusetts Data Privacy Laws.

Getting Started

  1. Never store banking information and credit card numbers on your computer.
  2. For banking information other than credit or debit card numbers, if you do have a business need for the information, the records should be stored only in a Tufts network drive, in Tufts Box (subject to the Tufts Box Use Guideline), or in another Tufts-approved location. A device can be left on the T, but a network drive cannot.
  3. Control access to accounts and minimize the number of people who have access to the records.
  4. Comply with the Tips and Guidelines for Sensitive Personal Information (PDF). The Sensitive Personal Information Guide (PDF) is also available as a quick summary.

Documentation

Massachusetts Data Privacy Laws
University Records Policy
Confidential Records Destruction
Information Classification and Handling Policy (PDF)

Institutional data refers to all information that is created, collected, licensed, maintained, recorded, used, or managed by the University, its employees, and agents working on its behalf, regardless of ownership or origin. The electronic and physical systems owned or licensed by Tufts University used to store and access institutional data are institutional systems. Members of the Tufts community are expected to responsibly maintain and use institutional data regardless of the resource used to access or store the data, whether an institutional system, a privately owned resource, or a third-party resource. The privacy of the personal information of University community members and clients should be protected; in addition, the University is subject to several laws regarding data privacy.

Why?

The University must comply with the Family Educational Rights and Privacy Act and several Massachusetts Data Privacy Laws, which inform the University's institutional data policies.

Getting Started

  1. Review the Information Stewardship Policy, which sets forth the responsibility that University employees have towards institutional data and how to manage it.
  2. Review business practices with your Information Steward and run an Identity Finder scan to see if your department has caches of data for which there is no business need.

Documentation

Information Stewardship Policy
Use of Institutional Systems Policy
Security Policies
Information Classification and Handling Policy (PDF)
University Records Policy
Confidential Records Destruction

At Tufts, Sensitive Personal Information (SPI) includes:

Government-Issued Identifying Numbers

  • Social Security numbers
  • Driver’s License numbers
  • Other Massachusetts ID numbers
  • Passport numbers
  • All Government ID numbers

Regulated Financial Information

  • Credit or Debit card numbers 
  • Financial Account numbers (e.g. Bank Accounts)

Biometric Indicators for Identity
For example:

  • Fingerprints
  • Retina Patterns
  • Genetic Information

Financial accounts include accounts for individuals, such as those listed on a check, other bank accounts, and accounts at other financial institutions. They include Tufts accounts for individuals where Tufts provides a service or product similar to those provided by a financial institution, as well as student loan accounts. They do not include Tufts Dept IDs.

Biometric Indicators for Identity includes any unique biological attribute or measurement that can be used to authenticate the identity of an individual, including, but not limited to, fingerprints, genetic information, iris or retina patterns, facial characteristics, and hand geometry.

Most types of SPI, when combined with a person's name, are also Personal Information under the Massachusetts Data Privacy Laws and Regulations. All SPI is Regulated Institutional Data under the Information Classification and Handling Policy (PDF) and should be handled with the highest level of confidentiality and security.

Why?

The University must comply with the Massachusetts Data Privacy Laws, and all staff, faculty and students are required to follow the University's policies. The University has established the Massachusetts Data Privacy Program and appointed Information Stewards to support the proper management and handling of SPI.

Getting Started

  1. Review your work practices with your Information Steward. In this process, evaluate with your Information Steward your need for this information.
  2. Comply with the Tips and Guidelines for Sensitive Personal Information (PDF). The Sensitive Personal Information Guide (PDF) is also available as a quick summary.

Documentation

Massachusetts Data Privacy Laws
Tufts Security & Privacy Program
Information Classification and Handling Policy (PDF)
University Records Policy
Confidential Records Destruction

Social Security numbers are a subset of Institutional Data and they are also Personally Identifiable Information, as defined by the Family Educational Rights and Privacy Act (FERPA). Social Security numbers, when combined with a person’s name, are also Personal Information under the Massachusetts Data Privacy Laws and Regulations. They are Regulated Institutional Data under the Information Classification and Handling Policy (PDF), and should be handled with the highest level of confidentiality and security. Social Security numbers are also included as Sensitive Personal Information in the University’s Information Steward Program.

Why?

The University must comply with FERPA and the Massachusetts Data Privacy Laws, and all staff, faculty and students are required to follow the University’s policies.

Getting Started

  1. Review your business practices with your Information Steward and run an Identity Finder scan to see if you have caches of Social Security numbers in your department. Also, consider whether you have any paper documents that include Social Security Numbers. In this process, evaluate with your Information Steward your business need for this information.
  2. If you determine that you have a business need to store Social Security numbers, keep them on network drives or in applications approved by TTS for Social Security numbers, with strictly limited access. If you no longer have a business need for the information, securely delete the files.
  3. Review with your Information Steward appropriate use and storage of Social Security numbers, including using encrypted email, not storing Social Security numbers on a laptop or other mobile device that is not encrypted, and storing paper records in a locked container in a secure, locked location.
  4. Comply with the Tips and Guidelines for Sensitive Personal Information (PDF). The Sensitive Personal Information Guide (PDF) is also available as a quick summary.

Documentation

Guide to Massachusetts Data Privacy Laws
FERPA Policy
Information Classification and Handling Policy (PDF)
University Records Policy
Confidential Records Destruction

Student records are one of the most sensitive forms of data that the University stores. These records are defined as any record maintained by the university or an agent of the university that is directly related to a student, with the exception of employment records, Public Safety records, medical records, and alumni records. Student records contain, but are not limited to, personally identifying information such as: name, parents' names, address of the student and family, personal identifier such as social security number, lists of identifying personal characteristics, or any combination of this information.

Why?

Student records are protected under the Family Educational Rights and Privacy Act (FERPA). In addition, there are several university policies aimed at complying with FERPA and protecting students' privacy.

Getting Started

  1. Store student records on network drives or in Tufts-approved applications, like SIS. If you no longer have a business need for the information, securely delete the files. Student ID numbers with no additional information (like names, addresses, or phone numbers) do not qualify as Personally Identifiable Information (PII).
  2. Work with your Information Steward to change your business practices so student records are not stored on individual computers. The records should stay in the application and never need to be copied over to a device. A device can be left on the T, but a network drive cannot.
  3. For added security, follow the "Advanced" section of our Security Tips page.

Documentation

Guide to Massachusetts Data Privacy Laws
FERPA rights
Information Classification and Handling Policy (PDF)
Confidential Records Destruction