Identifying Electronic Confidential Data
Data that are stored or transmitted electronically are considered confidential if their unauthorized release can result in harm to the institution or to individuals. Such harm may include identity theft, legal or financial liability, institutional or personal embarrassment, as well as other consequences. It is the responsibility of all employees of Reed College and others who are empowered to act on behalf of the College to protect confidential data from unauthorized access and/or misuse.
The following guidelines are intended to help you identify data items that should be treated as confidential. However, the lists below are not exhaustive and there are confidential data items that fall outside of these guidelines. If you are uncertain about the confidentiality status of a particular data item, please consult with your supervisor or the Chief Technology Officer.
- Identity Theft Material
- Employee Information
- Donor Information
- Student Information
- Other Information
Identity Theft Material
Identity theft is the fraudulent use of another's personal information for financial gain or to perpetrate other illicit activity. Unauthorized access to materials that can be used for identity theft can expose individuals to harm and, in certain cases, expose the institution to financial liability, public relations challenges, and other types of problems. This applies to all employees, students, alumni, donors, parents, board members, vendors, and others –– whether they are current, former, or prospective –– whose personal data is electronically stored or transmitted by the College. In conjunction with an individual's name, data related to identity theft include:
- Date of birth
- Social Security Number
- Driver's license/passport/ID numbers
- Credit card numbers, expiration dates, PINs
- Account numbers (banks, brokerages, utilities, etc.)
- Passwords for accounts, databases, and other resources
These items can be found in documents such as tax returns, admissions applications, credit, loan and other types of applications, housing agreements, employment records, student records, financial correspondence, etc.
For more information about ID theft see https://consumer.ftc.gov/features/identity-theft
Employee Information
In addition to material that can be used in identity theft, other personal data items that are to be treated as confidential include:
- Compensation and promotion information
- Benefits information
- Performance reviews, disciplinary materials, and related documents
- Worker's compensation, disability claims, or other medical information
Information on records marked confidentialDonor Information
- Activities/events attended
- Children/family information
- Contact reports
- Correspondence history
- Gift/Pledge data
If you are authorized to handle donor information, see the College Relations Security Policy at https://www.reed.edu/cris/CR_IS/Documentation/Policy_CRIS_RecordRelease200612.pdf.
Student Information
The Family Educational Rights and Privacy Act, FERPA, gives students four specific rights:
- to see the records that the institution is keeping on the student;
- to seek amendment to those records and in certain cases to append a statement to a record;
- to consent to disclosure of his/her records;
- to file a complaint with the FERPA Office in Washington.
For answers to some common questions about FERPA see https://www.registrar.pitt.edu/ferpa.html.
For information about Reed's FERPA policies, see
https://www.reed.edu/academic/gbook/comm_pol/disclosure.html
Under FERPA the following data items may be not be disclosed unless appropriately authorized:
- Grades
- Financial aid information
- Credit Card Numbers
- Bank Account Numbers
- Wire Transfer information
- Payment History
- Student Tuition Bills
In addition, students have the right to restrict disclosure of the following items:
- Name
- Date of birth
- Place of birth
- Campus address and phone number
- Campus mailbox number
- Electronic mail address
- Permanent mailing address
- Permanent phone number
- Secondary mailing address
- Semesters of registration at Reed
- Full or part-time status
- Reed major, degree(s) awarded and date(s)
- Institution attended prior to Reed
- Honors awarded
- Participation in Reed College programs
- ID card photographs
Under Health Insurance Portability and Accountability Act, HIPAA, the following data may be not be disclosed unless appropriately authorized:
- Patient Name
- Street address, city, county, zip codeBirth date (except year)
- Location or dates of treatment
- Contact information: phone, fax, email, etc.
- Social security number
- Account/Medical record numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle ID's & serial numbers
- Device ID's & serial numbers
- Full face images
- Any other unique identifying number, characteristic, or code
- Payment guarantor's information
For answers to commonly asked questions about HIPPA see the HHS website:
https://www.hhs.gov/ocr/privacy/hipaa/faq/
Other Information
Other data items whose unauthorized use could directly or indirectly harm the institution or individuals include:
- Class rosters
- Academic records and notes
- Human subject data
- Materials related to internal or external investigations
- Legal documents and records
- Financial records, grants, and contracts
- Campus security plans and procedures
- Storage sites for confidential data
- Email containing sensitive information
- Meetings minutes, memos, notes, emails, and other materials related to sensitive topics such as personnel matters, student behavior, etc.