Sensitive Data

What is Sensitive Data?

UW-Madison classifies data into one of four risk-based categories: Public, Internal, Sensitive, and Restricted. Data is classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data is classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Can I share Sensitive Data with others?

Sensitive Data may not be shared without verification that those receiving the data are specifically authorized to access the data.

When can I access and use Sensitive Data?

Sensitive Data may be accessed and used only for legitimate business purposes, which include:

  • Meeting regulatory or compliance requirements that require handling of the data.
  • Management or operational processes (business or academic) that require handling of the data.
  • System development, administration, or maintenance that requires handling of the data.
  • Other legitimate required or properly approved use that improves instructional practice, educational outcomes, or student experience for students at UW–Madison that requires handling of the data.

An individual authorized to access Sensitive Data must do so only to fulfill the job duties for which the authorization was granted. An individual authorized to access Sensitive Data may not access Sensitive Data for personal use.

What are my responsibilities for protecting Sensitive Data?

Sensitive Data must be protected by passwords or strong authentication, such as smart cards or certificates, or physically stored under lock and key. Sensitive Data must not be left unattended.

Sensitive Data may be modified only by the information owner or other parties authorized by the owner.

Sensitive Data will be deleted or destroyed once the associated task is completed or when the legitimate business use of the data no longer exists.
