Protecting KU Data
At KU, security is a shared responsibility. During the course of your day at KU, you access many types of information, some of it sensitive and/or confidential. To maintain privacy and data security at KU, you are required to properly handle data and information.
Your responsibilities include:
- Understanding what type of data is sensitive.
- Following proper handling procedures to maintain privacy.
- Keeping physical areas secure.
- Protecting mobile devices that are easily lost or stolen.
Data Classification Levels
The KU Data Classification and Handling policy details three levels of data and the security protections required for the handling of data at each level. All KU employees are responsible for classifying and handling data according to the policy. Below is an excerpt from the policy describing three data classification levels. Please read the full policy in the KU Policy Library.
STOP! SPECIAL CARE IS REQUIRED!
High risk of significant financial loss, legal liability, public distrust or harm if this data is disclosed.
Examples of Level I Data:
- Data protected by HIPAA (health information).
- Data protected by FERPA: Student information including grades, exams, rosters, official correspondence, financial aid, scholarship records, etc.
- Personally Identifiable Information (PII).
- Individually identifiable information created and collected by research projects.
- Data subject to other federal or state confidentiality laws.
- Personnel data.
BE VERY CAUTIOUS!
Moderate requirement for confidentiality and/or moderate or limited risk of financial loss, legal liability, public distrust or harm if this data is disclosed.
PROCEED WITH AWARENESS
Low requirement for confidentiality (information is public) and/or low or insignificant risk of financial loss, legal liability, public distrust or harm if this data is disclosed.
Proper Handling of Sensitive Data
Help maintain privacy by doing the following:
- Adopt a clean desk and clear screen policy.
- Lock your screen when you step away from your desk.
- Set the timeout for your screen to 10 minutes or less.
- Don't retain unneeded data (electronic or paper).
- Destroy sensitive data in the proper way:
If You Find Improperly Stored Data
What Constitutes a Security Breach?
"Security breach" is the unauthorized access to a system, device, application or data by circumventing security policies, practices, procedures or mechanisms. Read the State of Kansas statute.