Sensitive Information Examples
What is "Sensitive" Information?
KUMC recognizes the importance of protecting the privacy of any personally identifiable information that it may collect during the course of its everyday business activities, including information about its students, faculty, staff and others.
As a result, KUMC has identified two distinct types of information - "public" and "sensitive" - and guidelines for handling and disclosing each type.
Public information is available to anyone who requests it. The only exception is certain student data when the student has specifically requested that information about him/her not be released without express written permission.
Sensitive information can only be released to the subject of the information and to those within the university who have a legitimate need-to-know, outside entities with the subject's written permission, and others as allowed by law. In many cases, the use of this information is protected by either state or federal law, including the following:
- Gramm-Leach-Bliley Act of 1999 (GLBA) - governs privacy and use of financial information
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) - governs privacy and use of health care information
- Family Educational and Privacy Rights Act of 1974 (FERPA) - governs privacy and use of student information
NOTE: If you are creating a new information system that will store or handle sensitive information, you must contact Information Security at 8-0966 for approval.
Examples of both types of information are provided below. If you have questions about information that is listed here or whether or not a piece of information is sensitive or public, please ask your supervisor or contact Information Security.
The following is a list of information that is considered to be "sensitive" by KUMC and must be protected from disclosure to unauthorized individuals. Guidelines for protecting sensitive information can be found in the Operational Protocol titled "Sensitive Information in Electronic and Paper-based Systems".
- Social security number or other taxpayer ID
- Employee ID
- Birth date
- Home phone number
- Home address
- Personal contact information
- Education and training
- Previous work experience
- Job description
- Non-salary financial information (such as expense reimbursements, pension information, or fringe benefit value)
- Benefits information
- Health records
- Parking leases
- Citizen visa code
- Veteran and disability status
- Performance reviews or disciplinary actions
- Payroll time sheets
- Worker's compensation or disability claims
Non-directory Student Information
The following information is governed by FERPA and cannot be released except under certain prescribed conditions. For additional information, refer to the University of Kansas Student Records Policy.
- Social Security Number
- Student ID Number
- Courses taken
- Test scores
- Advising records
- Educational services received
- Disciplinary actions
- Financial aid/grant information
- Student tuition bills
- Payment history
Patient Health & Research
The following information is governed by HIPAA and cannot be released except under certain prescribed conditions. For additional information, refer to KUMC's HIPAA Security Rule Policy and HIPAA Policy on Research using Electronic Protected Health Information.
- Address information (street address, city, county, zip code)
- All elements of dates directly related to an individual except the year (e.g., date of birth, admission date, discharge date, date of death).
- All ages over 89 or dates indicating such an age, except that you may have an aggregate category of individuals 90 and older.
- Telephone number
- Fax number
- Email address
- Social security number
- Medical record number
- Health plan number
- Account number
- Certificate or license numbers
- Vehicle identification (e.g., VIN, serial numbers and license plate numbers)
- Device identification/serial numbers
- Universal resource locators (website URLs)
- Internet protocol addresses
- Biometric identifiers (e.g., fingerprints)
- Full face photographs and comparable images
- Any other unique identifying number, characteristic or code.
Financial/Credit Cards
- Any information obtained during the offering or delivery of a financial product or service that would serve to identify an individual, including:
  - Phone number
  - Account balances
  - ACH numbers
  - Bank account numbers
  - Credit card numbers
  - Credit rating
  - Location of birth
  - Driver's license information
  - Income history
  - Payment history
  - Tax return information
- Any information obtained during the processing of a credit card payment transaction that identifies individual consumers and their purchases, such as:
  - Account number/credit card number
  - Expiration date
  - Social security number
- Legal investigations conducted by the University
- Sealed bids
- Contract information between KUMC and third parties
- Trade secrets or intellectual property such as research activities
- Location of assets
- Linking a person with the specific subject about which the library user has requested information or materials
- Configuration of KUMC technology assets (e.g., network diagrams, firewall configurations, etc.)
Jan 20, 2012