Category 1 Storage Standards

These standards apply to the following data types only. Their distinguishing feature is that they are subject to federal, state, or local regulations, or declared sensitive and personally identifiable (Category 1 data) by the University.



Approved or Recommended Storage Locations

Higher Risk or Prohibited Storage Locations



Approved or Recommended Storage Locations

Higher Risk or Prohibited Storage Locations



UA Hosted Services
UAlbany Approved Cloud Services
UAlbany Devices
Personal Device or Account
(i.e., no formal agreement with UAlbany)



Examples: Group and home folders on ITS' Lincoln (U: and V: drives), ITS' lab shares for researchers, Certified1Departmental Servers
UAlbany Email, Calendar Services and O365 Apps (e.g., OneDrive for Business, Microsoft Teams)
Note: Data stored in O365 Applications is encrypted at rest
Hosted Services with Properly Reviewed and Executed Contracts
University Owned and Supported Workstations & Laptops
University Owned Smart Phones & Tablets
Multi-function Devices (printers, faxes, scanners)
Personally owned device (e.g., home computer, smartphone, tablet, laptop, portable [USB, thumb] drives)2
Personally maintained services (e.g., Dropbox, OneDrive, Gmail, Google Drive, SurveyMonkey)2

Data Type



Collected, Sent or Shared
Internally3
Sent or Shared
Externally













A. Student Educational Records (FERPA)
Yes
Yes
No4
Yes
Password Protected5
Password Protected5
No
Password Protected5
Not recommended
B. Personally Identifiable Information per NYS Information Security Breach Notification Act (i.e., Names + SSNs or DMV # or Financial Account #)
Must be Encrypted in Storage


Must be Encrypted in Storage
Must be Encrypted Prior to Transmission
Must be Encrypted in Storage
No
No
No
No
No
C. Declared Category 1 data (PeopleSoft IAS and System Administrator authentication credentials, attorney/client privilege documents, passport numbers).
Must be Encrypted in Storage


Must be Encrypted in Storage
Must be Encrypted Prior to Transmission
Must be Encrypted in Storage
No
No
No
No
No
D. HR Data: not PHI, not SSNs, not payroll; otherwise see C.
Yes
Yes
Yes
Yes
Password Protected5
Password Protected5
No
Password Protected5
No
E. Gramm Leach Bliley (GLBA) e.g., student loan, financial aid data:  not SSNs, not financial account #s; otherwise see C.
Yes
Yes
Yes
Yes
Password Protected5
Password Protected5
No
Password Protected5
No
F. Human Subjects Research
Yes
Conditional6
Conditional6
Conditional6
Password Protected5
Password Protected5
No
Conditional6
Conditional6
G. Export Controlled Research (ITAR, EAR)
Yes
Yes
Conditional7
Conditional7
Conditional7
Conditional7
No
No
No
H. Payment Card Information, PCI-DSS (No Primary Account Numbers, otherwise see C.)
Yes
Yes
No
No
No
No
No
No
No
1Servers that are in compliance with UAlbany's Standards for Connecting Servers to the University Network.
2Storing University business records within personally owned or maintained storage services exposes the institution to additional risk with respect to e-discovery, security breaches, and data retention and recovery. Furthermore, the University exerts a claim of ownership over business records saved on personally maintained devices or sites.
3Internal email correspondence (albany.edu-to-albany.edu) is encrypted in transit. However, personally identifiable or health information should be sent as encrypted attachments to prevent exposure in the event the recipient has their mail forwarded to a non-albany.edu account.
4FERPA correspondence with students is limited to albany.edu accounts. Sharing is limited to properly contracted partners.
5Mobile/portable devices must be password protected and reported when missing. For additional security recommendations, please see http://www.fcc.gov/smartphone-security.
6Subject to Office of Regulatory Research Compliance (ORRC) and/or Institutional Review Board (IRB) determination of compliance with applicable regulations, sponsor requirements, data use agreements, and University policies which might impose additional obligations and requirements.
7Export Controlled Research is highly regulated. Sanctions for violations can include criminal charges. PIs are urged to carefully review and comply with the terms and conditions of their research contracts.