Understand risks to data
Knowing how to work with data safely, securely, and appropriately before engaging in a new project or effort is empowering for you, your peers, and those who have entrusted us with their data.
The University data classification standards help us better understand data types, potential risks, and the best practices we should follow when working with data.
Is Your Data at Risk?
High risk or sensitive data needs extra care. Once your data is classified, you will understand how that data can be used in the safest possible way. If your data is high risk, sensitive, or internal, ask yourself questions to help reduce the risk of data breach or loss.
Copying or Sharing Data
Do I need to make a copy of restricted data?
- If you can view the restricted data without making a copy on your own computer or making a print copy, do that. Data classified as high risk cannot be stored on your computer unless special permissions are obtained.
Do I need to share restricted data with someone else?
- Transmitting restricted data creates more copies and increases the risk that it will be intercepted. The university has not approved email as a method to send Sensitive (in particular, student data) or High Risk data because it does not guarantee encryption outside the illinois.edu mail domain.
- To transfer Sensitive or High Risk data, use a tool approved for that purpose:
  - High Risk data = Box Health Data folder or a Box High Risk Data folder
  - Student data = a standard Box folder
- Take care that individuals see only the data they are authorized to see. Place data for each recipient in a separate folder. (For research collaborators, each project/protocol should be in a separate folder.) Send each recipient an invitation to only the folder with their data.
- PEAR (Protected Email Attachment Repository) is another tool approved for this purpose when Sensitive (not High Risk) data is being sent within the Illinois system. It is a secure file delivery tool operated by AITS. (https://www.aits.uillinois.edu/services/application_services/PEAR)
How long do I need to keep a copy of restricted data?
- Unless you need to use the same restricted data on a regular basis (once a week or more), destroy or securely archive any copies.
If you need assistance with data classification and risk, send an email to the Governance, Risk and Compliance Team: email@example.com
If working with data also means disclosing it to third parties, such as placing University data inside a cloud vendor service, there could also be legal requirements that must be met before the data is placed there. You can engage the GRC (Governance, Risk and Compliance) subject matter experts to help you navigate the privacy law requirements. GRC can help you see your project to a successful conclusion. Just send an email to firstname.lastname@example.org