What is Confidential/Restricted Information?
Data and data types are classified by their use and sensitivity. Categories are Public, Internal, Sensitive, and Restricted.
- Public: Data is considered "public" when it has been specifically classified for public release (e.g. sports scores, public events information, announcements, faculty expertise, student accomplishments*, aggregate data prepared for release).
- Internal: Data is considered "internal" when its unauthorized disclosure, alteration or deletion represents minimal risk to the University. This includes public information subject to established University protocol for release (e.g. budget information, reports and data).
- Sensitive: Data is considered "sensitive" when its unauthorized disclosure, alteration or deletion represents moderate risk to the University. Generally, sensitive data is not used outside of Binghamton University or the SUNY community.
- Restricted: Data is considered "restricted" when its unauthorized disclosure, alteration or deletion represents significant risk to the University. This data includes, but is not limited to, data protected by federal and/or state regulation, university policy and confidentiality agreements. Note: Student directory information is restricted if directory exclusion is requested by the student.
It is the responsibility of all University employees to respect the highest level of privacy for their colleagues and other members of the University community. Disclosure and discussion of information obtained from University records, either during or after employment with the University, is not permissible unless such disclosure is a normal requirement of an employee's position or has been so authorized.
Examples of Restricted Data
The following data elements require the highest level of protection. Generally this will include any data that can be tied directly to an individual and that, by itself or coupled with other data, could put that individual's identity, financial well-being or reputation at risk. This list may expand and is not comprehensive.
SSN and Other Personally Identifiable Information
Name (first name or initial and last name), when stored or displayed with one or more of the other listed data elements:
- Social Security Number
- Driver's license number
- State identification card number
- Financial account numbers such as credit, debit, or bank account numbers
- Passport number
- Alien registration number
- Health insurance identification number
Credit Card Information
- Primary Account Number (when stored with any other information below)
- Cardholder Name
- Service Code
- Expiration Date
(Individual) Student University Records
- Grades/Transcripts/Test scores
- Courses taken/Schedule
- Advising records
- Educational services received
- Disciplinary actions
- Student Financial Aid, Grants, and Loans
- Financial account and payment information including billing statements, bank account and credit card information
- Admissions and recruiting information including test scores, high school grade point average, high school class rank, etc.
- Student Personnel records - Refer to the University's FERPA policy for additional information.
Personal Health Information
- Information that identifies the individual, or could reasonably be used to identify the individual, including, but not limited to, name, addresses, telephone/fax number, medical record number, birthday, admission/discharge date, vehicle ID and serial number, device IDs and serial number, certificate/license numbers, biometric identifiers, full-face images, and any other unique identifying number, characteristic or code.
- Information about the patient's past, present or future physical or mental health or condition
- Information relating to the provision of, or payment for, health care
- Employee financial account information
- Student financial account information – aid/grants/bills (covered under FERPA)
- Individual financial information
- Business partner and vendor financial account information
(with thanks to UConn Info Security Office)
What Documents may contain this information?
- Travel requests and supporting documentation
- Old student schedule cards
- Declaration of candidacy for degree forms
- Old student general purpose student class lists (green bar)
Data that is regulated by Federal or State laws including but not limited to:
- personal information as defined by the NYS Freedom of Information Act (FOIL)
- personal identifying information as defined by the NYS Information Security Breach and Notification Act, and the NYS Disposal of Personal Records Law
- personal information defined in the NYS Personal Privacy Protection Law and in the related University Policy
- personally identifiable information on students in education records as defined in the Family Educational Rights and Privacy Act (FERPA)
- personal information defined in the NYS Electronic Signatures and Records Act (ESRA)
- personally identifiable financial information on customers in financial lending records as defined in the Gramm-Leach-Bliley Act (GLBA) with its associated Federal Trade Commission Safeguards Rule
- electronic protected health information as defined in the Security Standard related to the Health Insurance Portability and Accountability Act (HIPAA)
- payment card transaction information as defined by the Payment Card Industry Data Security Standard (PCI-DSS)
- Electronic Communications Privacy Act (ECPA)
- Children's Online Privacy Protection Act (COPPA)
- Federal Trade Commission (FTC) Red Flags Rule (Identity Theft Regulation) or other relevant University policies or procedures.
- SUNY Records Retention and Disposition Policy