Confidential and Sensitive Information
by Dave Smallen
The information security initiative, currently underway, is an effort to upgrade the policies, procedures and practices related to protecting confidential and sensitive information maintained by Hamilton. What exactly makes information confidential?
Confidential information is protected by law, meaning that organizations that collect that information have a legal obligation to assure that the only employees who have access to the information have a business “need to know.”
Some Relevant Laws
FERPA (Family Educational Rights and Privacy Act) protects student educational records, that is, records related to a student’s academic program. Examples of educational records include class rosters, admissions applications, or transcripts.
HIPAA (Health Insurance Portability and Accountability Act) protects personal health information. Such information includes personally identifiable information about the past, present or future health of a person, what health care services were provided to a person or any payments the individual made relative to his/her health care. For example, records about students who go to the Health Center or Counseling Center are covered by HIPAA. HIPAA protects similar information about employees.
There are other laws that protect financial information about individuals that Hamilton uses to do its business.
At the other end of the spectrum, there is the information that we typically make available to the public, for example, things we put on our institutional website or print in college publications. This information is generally available to anyone who wants to know. We call that information “public.”
All the other information between these extremes is called internal/private. It can still be sensitive, for example, information about our alumni or about the employment history of current employees. While it might not be protected by law, its release might be embarrassing to individuals. Another example would be computer programs that we write to provide strategic advantage to our administrative offices. The inappropriate use of internal/private information, although not specifically protected by statute, regulations, or other legal obligations or mandates, could cause financial loss or damage to Hamilton College’s reputation.
The first step in protecting confidential and sensitive information is identifying where it resides and who should have access to it. This process will be overseen by the newly appointed Information Security Board of Review (ISBR) and the administrative offices who “own” the data.