VCCS Definition of Sensitive Data
Definition of Confidential / Sensitive Data
Confidential / sensitive data is defined by the VCCS as:
- Items covered by FERPA.
- Third Party Confidential information (both sent and received).
- Personally Identifiable Information (anything that could be used to identify you) as covered by the Government Data Collection & Dissemination Practices Act. Note: Exceptions can be made by providing notice that information will be distributed (such as in a student handbook).
- Financial Information as protected by the PCI Security Standard; or when integrity, confidentiality, and/or availability are an issue.
- Chancellor’s or president’s working papers or correspondence used for his/her own deliberative purposes and not otherwise open to the public.
- Electronic data covered by attorney-client privilege.
All sensitive / confidential data should be encrypted if it is being transmitted in any form over public transmission lines, with the encryption methodology to be decided by the vendor. The requirements are part of the ISO27000 security framework and are not available for public viewing. Further information on requirements can be provided if requested.
- Information often ceases to be sensitive or critical after a certain period of time, for example, when the information has been made public. These aspects should be taken into account, as over-classification can lead to the implementation of unnecessary controls resulting in additional expense.
- Considering documents with similar security requirements together when assigning classification levels might help to simplify the classification task.
- In general, the classification given to information is a shorthand way of determining how this information is to be handled and protected.
VA Statute § 18.2-186.3 defines “identifying information” as:
C. As used in this section, “identifying information” shall include but not be limited to: (i) name; (ii) date of birth; (iii) social security number; (iv) driver’s license number; (v) bank account numbers; (vi) credit or debit card numbers; (vii) personal identification numbers (PIN); (viii) electronic identification codes; (ix) automated or electronic signatures; (x) biometric data; (xi) fingerprints; (xii) passwords; or (xiii) any other numbers or information that can be used to access a person’s financial resources, obtain identification, act as identification, or obtain money, credit, loans, goods or services.