Critical Data

Inapropriate handling of this data could result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, and/or unauthorized access. Access will typically be granted on a case-by-case basis to a very small group of individuals. This data must be encrypted while being stored or transmitted.

Examples of critical data include the following: 

  • Protected Health Information (HIPAA) and health insurance policy ID numbers *
  • FERPA - student data including but not limited to grades, exams, rosters, official correspondence, financial aid, scholarship records, enrollment, etc.
  • Data subject to the Children's Online Privacy Protection Act (COPPA) - information collected from children under the age of 13 Student Loan Application Information (GLBA)
  • Financial account numbers (debit/credit, bank account, investment account, P-card, etc)
  • Credit card/E-Commerce data (PCI)
  • Attorney-client privileged information
  • Data subject to Defense Federal Acquisition Regulation Supplement (DFARS) or Federal Acquisition (FAR) requirements Export controlled information--International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) Passwords/PINs
  • Personally Identifiable Information (PII) including SSN, passport numbers, visa numbers, other national ID numbers, and driver's license numbers
  • Audit working papers
  • Biometric identifiers, including finger and voice prints
  • Other data covered by federal and/or state confidentiality laws
  • Criminal Justice Information (KCJIS)
  • Tax information (W-2, W-4, 1099, etc)
  • Sensitive identifiable human subject research data *

*Under HIPPA (Health Insurance Portability and Accountability Act), PHI is considered individually identiable if it contains one or more of the following identifiers: 

  • Name
  • Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
  • All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate number Device identifiers and serial numbers
  • Universal Resource Locators (URLs)
  • Internet protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic or code that could identify an individual

PHI is individually identifiable health information that relates to the:

  • Past, present, or future physical or mental health or condition of an individual
  • Provision of health to the individual by a covered entity (for example, hospital or doctor)
  • Past, present, or future payments for the provision of health care to the individual

See the Data Handling Guide for appropriate storage and sending of critical data.