Category 1 Storage Standards

These standards apply to the following data types only. Their distinguishing feature is that they are subject to federal, state, or local regulations, or declared sensitive and personally identifiable (Category 1 data) by the University.

	Approved or Recommended Storage Locations				Higher Risk or Prohibited Storage Locations

	Approved or Recommended Storage Locations				Higher Risk or Prohibited Storage Locations
	UA Hosted Services	UAlbany Approved Cloud Services			UAlbany Devices			Personal Device or Account (i.e., no formal agreement with UAlbany)
	Examples: Group and home folders on ITS' Lincoln (U: and V: drives), ITS' lab shares for researchers, Certified¹Departmental Servers	UAlbany Email, Calendar Services and O365 Apps (e.g., OneDrive for Business, Microsoft Teams) Note: Data stored in O365 Applications is encrypted at rest		Hosted Services with Properly Reviewed and Executed Contracts	University Owned and Supported Workstations & Laptops	University Owned Smart Phones & Tablets	Multi-function Devices (printers, faxes, scanners)	Personally owned device (e.g., home computer, smartphone, tablet, laptop, portable [USB, thumb] drives)²	Personally maintained services (e.g., Dropbox, OneDrive, Gmail, Google Drive, SurveyMonkey)²
Data Type		Collected, Sent or Shared Internally³	Sent or Shared Externally
A. Student Educational Records (FERPA)	Yes	Yes	No⁴	Yes	Password Protected⁵	Password Protected⁵	No	Password Protected⁵	Not recommended
B. Personally Identifiable Information per NYS Information Security Breach Notification Act (i.e., Names + SSNs or DMV # or Financial Account #)	Must be Encrypted in Storage	Must be Encrypted in Storage	Must be Encrypted Prior to Transmission	Must be Encrypted in Storage	No	No	No	No	No
C. Declared Category 1 data (PeopleSoft IAS and System Administrator authentication credentials, attorney/client privilege documents, passport numbers).	Must be Encrypted in Storage	Must be Encrypted in Storage	Must be Encrypted Prior to Transmission	Must be Encrypted in Storage	No	No	No	No	No
D. HR Data: not PHI, not SSNs, not payroll; otherwise see C.	Yes	Yes	Yes	Yes	Password Protected⁵	Password Protected⁵	No	Password Protected⁵	No
E. Gramm Leach Bliley (GLBA) e.g., student loan, financial aid data: not SSNs, not financial account #s; otherwise see C.	Yes	Yes	Yes	Yes	Password Protected⁵	Password Protected⁵	No	Password Protected⁵	No
F. Human Subjects Research	Yes	Conditional⁶	Conditional⁶	Conditional⁶	Password Protected⁵	Password Protected⁵	No	Conditional⁶	Conditional⁶
G. Export Controlled Research (ITAR, EAR)	Yes	Yes	Conditional⁷	Conditional⁷	Conditional⁷	Conditional⁷	No	No	No
H. Payment Card Information, PCI-DSS (No Primary Account Numbers, otherwise see C.)	Yes	Yes	No	No	No	No	No	No	No

¹Servers that are in compliance with UAlbany's Standards for Connecting Servers to the University Network.

²Storing University business records within personally owned or maintained storage services exposes the institution to additional risk with respect to e-discovery, security breaches, and data retention and recovery. Furthermore, the University exerts a claim of ownership over business records saved on personally maintained devices or sites.

³Internal email correspondence (albany.edu-to-albany.edu) is encrypted in transit. However, personally identifiable or health information should be sent as encrypted attachments to prevent exposure in the event the recipient has their mail forwarded to a non-albany.edu account.

⁴FERPA correspondence with students is limited to albany.edu accounts. Sharing is limited to properly contracted partners.

⁵Mobile/portable devices must be password protected and reported when missing. For additional security recommendations, please see http://www.fcc.gov/smartphone-security.

⁶Subject to Office of Regulatory Research Compliance (ORRC) and/or Institutional Review Board (IRB) determination of compliance with applicable regulations, sponsor requirements, data use agreements, and University policies which might impose additional obligations and requirements.

⁷Export Controlled Research is highly regulated. Sanctions for violations can include criminal charges. PIs are urged to carefully review and comply with the terms and conditions of their research contracts.

Category 1 Storage Standards

UA Hosted Services

UAlbany Approved Cloud Services

UAlbany Devices

Personal Device or Account

(i.e., no formal agreement with UAlbany)

Examples: Group and home folders on ITS' Lincoln (U: and V: drives), ITS' lab shares for researchers, Certified1Departmental Servers

UAlbany Email, Calendar Services and O365 Apps (e.g., OneDrive for Business, Microsoft Teams)

Note: Data stored in O365 Applications is encrypted at rest

Hosted Services with Properly Reviewed and Executed Contracts

University Owned and Supported Workstations & Laptops

University Owned Smart Phones & Tablets

Multi-function Devices (printers, faxes, scanners)

Personally owned device (e.g., home computer, smartphone, tablet, laptop, portable [USB, thumb] drives)2

Personally maintained services (e.g., Dropbox, OneDrive, Gmail, Google Drive, SurveyMonkey)2

Data Type

Collected, Sent or Shared

Internally3

Sent or Shared

Externally

A. Student Educational Records (FERPA)

Yes

Yes

No4

Yes

Password Protected5

Password Protected5

No

Password Protected5

Not recommended

B. Personally Identifiable Information per NYS Information Security Breach Notification Act (i.e., Names + SSNs or DMV # or Financial Account #)

Must be Encrypted in Storage

Must be Encrypted in Storage

Must be Encrypted Prior to Transmission

Must be Encrypted in Storage

No

No

No

No

No

C. Declared Category 1 data (PeopleSoft IAS and System Administrator authentication credentials, attorney/client privilege documents, passport numbers).

Must be Encrypted in Storage

Must be Encrypted in Storage

Must be Encrypted Prior to Transmission

Must be Encrypted in Storage

No

No

No

No

No

D. HR Data: not PHI, not SSNs, not payroll; otherwise see C.

Yes

Yes

Yes

Yes

Password Protected5

Password Protected5

No

Password Protected5

No

E. Gramm Leach Bliley (GLBA) e.g., student loan, financial aid data: not SSNs, not financial account #s; otherwise see C.

Yes

Yes

Yes

Yes

Password Protected5

Password Protected5

No

Password Protected5

No

F. Human Subjects Research

Yes

Conditional6

Conditional6

Conditional6

Password Protected5

Password Protected5

No

Conditional6

Conditional6

Examples: Group and home folders on ITS' Lincoln (U: and V: drives), ITS' lab shares for researchers, Certified¹Departmental Servers

Personally owned device (e.g., home computer, smartphone, tablet, laptop, portable [USB, thumb] drives)²

Personally maintained services (e.g., Dropbox, OneDrive, Gmail, Google Drive, SurveyMonkey)²

Internally³

No⁴

Password Protected⁵

Password Protected⁵

Password Protected⁵

Password Protected⁵

Password Protected⁵

Password Protected⁵

Password Protected⁵

Password Protected⁵

Password Protected⁵

Conditional⁶

Conditional⁶

Conditional⁶

Password Protected⁵

Password Protected⁵

Conditional⁶

Conditional⁶

Conditional⁷

Conditional⁷

Conditional⁷

Conditional⁷

¹Servers that are in compliance with UAlbany's Standards for Connecting Servers to the University Network.

³Internal email correspondence (albany.edu-to-albany.edu) is encrypted in transit. However, personally identifiable or health information should be sent as encrypted attachments to prevent exposure in the event the recipient has their mail forwarded to a non-albany.edu account.

⁴FERPA correspondence with students is limited to albany.edu accounts. Sharing is limited to properly contracted partners.

⁵Mobile/portable devices must be password protected and reported when missing. For additional security recommendations, please see http://www.fcc.gov/smartphone-security.

⁶Subject to Office of Regulatory Research Compliance (ORRC) and/or Institutional Review Board (IRB) determination of compliance with applicable regulations, sponsor requirements, data use agreements, and University policies which might impose additional obligations and requirements.

⁷Export Controlled Research is highly regulated. Sanctions for violations can include criminal charges. PIs are urged to carefully review and comply with the terms and conditions of their research contracts.