Category 1 Storage Standards
These standards apply to the following data types only. Their distinguishing feature is that they are subject to federal, state, or local regulations, or declared sensitive and personally identifiable (Category 1 data) by the University.
Columns run, left to right, from Approved or Recommended Storage Locations to Higher Risk or Prohibited Storage Locations.

Data Type | UA Hosted Services (Examples: Group and home folders on ITS' Lincoln (U: and V: drives), ITS' lab shares for researchers, Certified¹ Departmental Servers) | UAlbany Approved Cloud Services: UAlbany Email, Calendar Services and O365 Apps (e.g., OneDrive for Business, Microsoft Teams), Collected, Sent or Shared Internally³ (Note: Data stored in O365 Applications is encrypted at rest) | UAlbany Approved Cloud Services: UAlbany Email, Calendar Services and O365 Apps, Sent or Shared Externally | UAlbany Approved Cloud Services: Hosted Services with Properly Reviewed and Executed Contracts | UAlbany Devices: University Owned and Supported Workstations & Laptops | UAlbany Devices: University Owned Smart Phones & Tablets | UAlbany Devices: Multi-function Devices (printers, faxes, scanners) | Personal Device or Account (i.e., no formal agreement with UAlbany): Personally owned device (e.g., home computer, smartphone, tablet, laptop, portable [USB, thumb] drives)² | Personal Device or Account (i.e., no formal agreement with UAlbany): Personally maintained services (e.g., Dropbox, OneDrive, Gmail, Google Drive, SurveyMonkey)² |
---|---|---|---|---|---|---|---|---|---|
A. Student Educational Records (FERPA) | Yes | Yes | No⁴ | Yes | Password Protected⁵ | Password Protected⁵ | No | Password Protected⁵ | Not recommended |
B. Personally Identifiable Information per NYS Information Security Breach Notification Act (i.e., Names + SSNs or DMV # or Financial Account #) | Must be Encrypted in Storage | Must be Encrypted in Storage | Must be Encrypted Prior to Transmission | Must be Encrypted in Storage | No | No | No | No | No |
C. Declared Category 1 data (PeopleSoft IAS and System Administrator authentication credentials, attorney/client privilege documents, passport numbers). | Must be Encrypted in Storage | Must be Encrypted in Storage | Must be Encrypted Prior to Transmission | Must be Encrypted in Storage | No | No | No | No | No |
D. HR Data: not PHI, not SSNs, not payroll; otherwise see C. | Yes | Yes | Yes | Yes | Password Protected⁵ | Password Protected⁵ | No | Password Protected⁵ | No |
E. Gramm Leach Bliley (GLBA) e.g., student loan, financial aid data: not SSNs, not financial account #s; otherwise see C. | Yes | Yes | Yes | Yes | Password Protected⁵ | Password Protected⁵ | No | Password Protected⁵ | No |
F. Human Subjects Research | Yes | Conditional⁶ | Conditional⁶ | Conditional⁶ | Password Protected⁵ | Password Protected⁵ | No | Conditional⁶ | Conditional⁶ |
G. Export Controlled Research (ITAR, EAR) | Yes | Yes | Conditional⁷ | Conditional⁷ | Conditional⁷ | Conditional⁷ | No | No | No |
H. Payment Card Information, PCI-DSS (No Primary Account Numbers, otherwise see C.) | Yes | Yes | No | No | No | No | No | No | No |