What is sensitive information?
Sensitive information is defined as information that is protected against unwarranted disclosure. Access to sensitive information should be safeguarded. Protection of sensitive information may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.
How do I know if the information I want to use is considered sensitive?
The University maintains an information classification standard that provides extensive guidance on what is considered classified information and what is not. When it comes to purchasing new or upgrading current IT platforms, products and services, we are most concerned about Tier 2 and Tier 3 level classifications. Requested data use that falls into one of these two categories will add additional layers of approval to the purchasing process. Please note, the examples listed below are not exhaustive.
Tier 2: Confidential Information
This is the default classification of University information until determined otherwise. Confidential Information includes information which the University is required by law, regulation, contract, policy, or other governing requirement to keep confidential.
The following are examples of Confidential Information elements:
- Education records such as grades and class schedules
- Confidential personnel file information protected by the N.C. Human Resources Act, including criminal background check results
- The University’s proprietary information including, but not limited to, intellectual research findings, intellectual property, financial data and donor/funding sources not otherwise classified under this standard
- Attorney-client communications
- Information subject to a confidentiality agreement
- Information protected by contractual agreements or non-disclosure agreements such as vendor product roadmaps, bid documents sealed for a limited time
Tier 3: Restricted Information
This includes any information that the University has a contractual, legal or regulatory obligation to safeguard in the most stringent manner. Unauthorized disclosure or loss of this information may require notification.
The following are examples of Restricted Information:
- Social Security Numbers (SSNs)
- Information that could expose a person’s credit card or other financial accounts
- Protected Health Information or information about a person that can be connected with their healthcare or billing for health services
- Education records such as disciplinary conduct reports, student health information, sexual assault reports, passports, or financial aid information
- Export controlled information (ITAR/EAR)
- Information that could expose the University’s financial accounts, or those of other organizations
- Information protected by contractual obligations such as vendor information security documentation
- Passwords
Need guidance on what is not sensitive information? Reference our non-sensitive information examples.
How does my request to use sensitive information impact the purchasing process?
Understanding if your request involves sensitive information is critical to ensuring a smooth and efficient purchasing experience. When sensitive information is involved, you must obtain approvals from individuals and committees from multiple University departments before the purchase can be completed. This will extend the length of the purchasing process. Use the Data Protection Checklist to help you determine which approvals you must obtain.