Sensitive Institutional Information/Data Types

Sensitive PII IIHI PHI PCI FERPA

Overview

The Information Security office have classified several types of information for institutional data as sensitive. These include Personally Identifiable Information (PII), Protected Health Information (PHI), Payment Card Information (PCI), Financial Information and FERPA Information. Descriptions of each type are outlined below

Types of Institutional Information/Data Considered Sensitive and Confidential

Sensitive Data*

Data that, if disclosed, misused, or accessed without authorization, could cause harm, discrimination, or adverse consequences for the individual to whom it pertains.

*Definitions provided do not limit alternative definitions per applicable regulations.

Personally Identifiable Information (PII)

PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Examples of PII Data:

Name
Date of Birth (DOB)
Address
Email Address
Phone Number
Photo
Student ID Number
Social Security Number (SSN)
Passport Number
Driver’s License Number
Taxpayer Identification Number
Patient Identification Number
Credit Card Number

Protected Health Information (PHI)

Information, including genetic information, created or received by a Covered Entity which relates to: (1) the individual's past, present, or future physical or mental health or condition; or (2) the provision of health care to the individual; or (3) the past, present, or future payment for the provision of health care to the individual. And as to any such information, the information identifies the individual or there is a reasonable basis to believe can be used to identify the individual.

Individually Identifiable Health Information

Any information, including demographic and/or scheduling information collected about an individual, that:

Is created or received by a health care provider, health plan, employer, or health care clearinghouse or any employee of the above; and
Relates to the past, present or future physical and/or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
1. Identifies the individual, or
2. With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

All of the following are considered by DU to fall into this category:

Patient information collected or generated by a clinical staff member, employee vendor, volunteer, student, or other affiliate of DU (e.g., transferred medical records, correspondence, telephone calls, e-mail, etc.); or
Information entrusted by the individual to a clinical staff member, employee vendor, volunteer, student, or other affiliate of DU; or
Any knowledge a clinical staff member, employee, vendor, volunteer, student, or other affiliate of DU gains in the course of fulfillment of his or her appointed role in DU regarding the individual; or
Research information collected, generated, maintained, or disseminated by DU that identifies individuals, or when combined with other data can reasonably lead to the identification of individuals.

Payment Card Information (PCI)

Payment Card Information is credit card-related information covered by the Data Security Standards of the Payment Card Industry (PCI). The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
Cardholder Data includes:

Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code

Financial Information

Financial Information is any information that a student or other third party provides in order to obtain a financial service from the university OR about a student or other third party resulting from any transaction with the university involving financial service OR otherwise obtained about a student or other third party in connection with providing a financial service to that person.
For more information please visit here.

FERPA Information

FERPA Information is any data that could be used to identify a student as covered by the Family Education Rights and Privacy Act (FERPA).
Examples of FERPA Data:

Student's Name
Student's User ID
University ID Number
Address
Telephone listing
Email Address
Photograph
Date of Birth
Field of Study
Dates of Enrollment
Anticipated or Actual Date of Graduation
Enrollment Status
Degrees
Honors and Awards Received
Prior Degrees, Recent Educational Institutions attended
Class year
House affiliation
Weight and Height of members of athletic teams
Participation in officially recognized activities and sports
Parents or guardians home address & phone numbers
Country of Citizenship
Place of Birth
Permanent Address & Phone Number
Society

For more information please visit here.

Educational Record

Any record that directly relates to a Drexel student and is maintained by Drexel or a party acting on its behalf is a student education record that is protected under FERPA. Student records include but are not limited to information such as grades, transcripts, class lists, course schedules, financial aid information, student coursework, or images/audio/or video recordings of identifiable students.

Student education records can only be used as permitted by FERPA’s nondisclosure provisions or in a manner allowed by a student’s written consent.

0 reviews

Print Article

Related Services / Offerings (1)

Third Party Risk Management

This service is provided by the Information Security Office. In order to protect the Institution and the Institution's systems, departments and/or individuals should complete this form to initiate a security assessment where a third-party software/service will store/process/transmit institutional information as defined in the Information Security for Institutional Information Policy (IT-8). This is intended for use by Institution personnel and should be completed by an organizational unit [Requester] within the Institution. Kindly engage your college or central IT professional while completing this form. Early IT involvement during third-party risk/security assessments often improves risk/security assessment quality and reduces unnecessary delays in the process. This process will assist the Institution in preventing breaches of institutional information and comply with Institutional policies, state, and federal laws.

Updating...