Sensitive Data is data whose unauthorized disclosure may have serious adverse effects on the university's reputation, resources, services, or individuals. Sensitive Data includes social security numbers, credit card information, and anything else that can be used to facilitate identity theft. It also includes federally protected data such as student information and medical information, as well as passwords, account information, restricted data, and any other unique identification.

A primary source of risk in higher educational institutions is the retention of old data, particularly class rosters. Many schools, like the U of A, once used Social Security Numbers as Student IDs. While this may not have been an issue prior to the internet, it certainly is in the 21st century.

UA faculty and staff are responsible for protecting sensitive university data to which they have authorized access, and for complying with all UA information security policies and procedures and any applicable laws, statutes, and regulations.

Faculty Sensitive Data Cleanup

To assist faculty members in reducing their risk, the Information Security Office, in cooperation with the Faculty Senate, has developed a sensitive data checklist. This "low tech" way of cleaning up data will not only reduce risk for faculty, departments, and the university at large, it will also help get rid of old data that is taking up space on computers all over campus. Print your checklist below.

Faculty Sensitive Data Cleanup Checklist

Data Management

It is important to know who can access the data, the appropriate places to store the data, how to securely dispose of the data, and how to report a breach or compromise of sensitive university data. The following information addresses faculty and staff responsibilities related to the handling and storage of university data.
Data Retention

Records retention has always been about as fun as going to the dentist: you don’t want to do it, but it’s necessary for your well-being. Some believe that they should archive anything and everything forever, just to be on the safe side. But that's not quite right either. In records-retention land, there is no "safe side." Keeping too much information is a risk too. If you retain a record for too long, it's very expensive, you expose yourself and the university to litigation risks, and you might even be violating privacy rights.

UA's Office Security Handout

Should I Retain or Dispose of this Document? Use this flowchart to assist you when deciding to retain or dispose of documentation.

University of Arizona Records Management and Archives

Safe Disposal Procedures

It is important to properly handle data erasure and disposal of electronic media (e.g. PCs, CDs, USB drives) in order to protect confidential and sensitive data from accidental disclosure. Before discarding your computer or portable storage devices, you need to be sure that data has been completely erased.

Read/writable media (including your hard drive) should be wiped using Department of Defense compliant software, which can be downloaded at no cost.

Shred CDs and DVDs. This type of media should be physically destroyed.

Media that does not need to be reused, or that contains sensitive or private data that cannot be wiped, should be physically destroyed.

FTC's Protecting Personal Information: A Guide for Business provides tips on how to properly dispose of your data.

To properly clear off old data from a flash drive, hard-disk drive, solid-state drive, or hybrid hard drive, check out PCWorld’s how-to article "Free Tools to Wipe Your Drives Securely."

Copier Data Security

Copiers are smart machines that can do the obvious (copy), but can also print, scan, fax, and email documents.
Copiers require hard disk drives to manage the many jobs they receive; but did you know that the copier’s hard drive also stores all of the data that goes through it? If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed. The FTC’s Copier Data Security: A Guide for Businesses includes everything you need to know about copiers and their data.

For UA policies regarding disposal of university property, see the Surplus Property - Program Information page.

Office Moves & Renovations

While it is always important to be mindful of data and physical security for computing devices, it is especially important to safeguard this type of equipment during office renovations, moves, travel, or disposal of devices. These types of events have the potential to create scenarios in which there is a higher risk for computer and identity theft. UA InfoSec's Safeguarding Computer Equipment During Office Moves and Renovations explains why you are more at risk and what you can do to lower that risk.

Secure Data Deletion

University departments are responsible for securely disposing of or destroying any media that has ever held, stored, or transmitted sensitive university data. In most cases, simply deleting data files from a device is insufficient to meet the obligation to protect University data from unauthorized disclosure. When disposing of any data, it is best to play it safe and treat it as though it contained sensitive information. Consult with your IT staff for your best options.