Storing Sensitive Data
Sensitive data is any data whose unwarranted and/or unauthorized disclosure would have an adverse effect on the institution or the individuals to which it pertains.
- Social security number (SSN)
- Credit card numbers
- Bank account information
- Driver’s license or State ID #
- Personal Identification Numbers (PINs)
- Medical information
- Tax documents
- Donor information
- Mailing lists
- Scholarship information
- Financial account number
- Credit card data
Where Should I Store Sensitive Data?
Confidential and sensitive data should only be stored in approved centrally managed systems such as Banner.
If you believe you have a need to store sensitive data or securely share access with a limited number of faculty/staff at WKU, please contact the ITS Service Desk to discuss potential options for doing so, including the use of the U: (Secure) drive.
The best way to protect sensitive data is not to have it in the first place; therefore, only collect or retain sensitive information if it is essential to your job function. For individuals who work with sensitive information, remember to purge or delete unneeded data to minimize risk. Data should be stored in as few places as possible and duplicated only when necessary.
Where Should I NOT Store Sensitive Data?
Sensitive data should never be sent via email, even for business purposes. Sensitive data should also not be stored on workstations, laptops, or removable USB drives.
Do not store sensitive data on the shared network drive (S:).
What is PII?
Personal Identity Information, or PII, is a specific category of particularly sensitive data. Kentucky statute 365.732 defines PII as: an individual's first name or first initial and last name in combination with any one (1) or more of the following data elements, when the name or data element is not redacted:
- Social Security Number;
- Driver’s license number; or
- Account number or credit or debit card number, in combination with any required security code, access code, or password to permit access to an individual's financial account.
PII is sometimes called "notice-triggering data" because Kentucky law requires affected individuals to be notified in the event of a breach in which this information has been acquired by an unauthorized person.
Where Do I Find More Information?
More information can be found in the WKU IT Security Plan under the section titled Sensitive Data Protection.