
Handling Restricted & Sensitive Data

Restricted Data Overview

Beyond standard safe computing habits, the following guidelines are suggested for dealing with restricted data.

  • First of all, be aware.  Know what is considered restricted data at Bowdoin.  Know that the information you have may be confidential, may be protected by law, or may be something that cannot be shared indiscriminately.
  • Know where your restricted data is stored, and where it is going (in whatever form)!
  • If you handle restricted data, your computing password should be changed more frequently than the recommended once a semester.  Quarterly is a good habit.  Some departments may have a policy requiring more frequent changes.

Sharing Restricted Data:

  • Always check with your data owner to ensure the data may be shared.
  • Never share restricted data within the body of a regular e-mail message.  Even if it is sent within campus, it could be forwarded off-campus.
  • Think again.  Does the other party really need the restricted part of the information?
  • You may encrypt a document, and then e-mail this as an attachment.  Do not include the password to decrypt the attachment in this or any e-mail.  Communicating the password by phone is recommended.
  • When sending restricted information by common carrier (US Postal Service, Federal Express, UPS, etc.), encrypt the data and use a tracked shipping method.
  • If you routinely exchange restricted data with others, consider using digital certificates.  For more information on how to set this up, please contact Bowdoin IT Security at:

                    E-mail:  itsecurity@bowdoin.edu
                    Phone:  207-725-3471

Safeguarding Restricted Data:

  • If you regularly store restricted data on your computer, use encryption to protect it.  Determine how to organize the restricted data and decide what files to encrypt.
  • It is not a good practice to store restricted data on laptops or other portable devices.  If there is no viable alternative, see the section on encrypting laptops.
  • If you do use encryption, remember there is no way to recover the data if you lose the password.

More Security Requirements for Handling Information

"Handling" information relates to when you view, update, or delete data.  It also relates to when you transfer the data from one location to another.  The data does not have to be electronically stored.  It could be stored in a filing cabinet or in a binder.  The data could be in a report or in a memo.

Depending on how the data is classified (Restricted, Sensitive, Public), certain precautions may need to be taken when it is handled.

Any comments regarding these requirements should be emailed to itsecurity@bowdoin.edu.  Keep in mind these requirements evolve as the technology improves.

General Data Protection Requirements

| Requirements | Data Classification: Restricted | Data Classification: Sensitive | Data Classification: Public |
|---|---|---|---|
| Access - Read Only | Individually Authorized | Role Based | No Controls |
| Access - Write | Individually Authorized | Role Based | Role Based |
| Secondary Use | Prohibited | As Authorized | As Authorized |
| Physical Data Storage | Access controlled by area | Non-public Area | No Controls |
| Communication | Encryption may be required for external transmission | Encryption generally not required | No Controls |
| Data Tracking | Location of data should be tracked | None | None |
| Destruction | Overwrite or Destroy Media | Erase Media | No Controls |
| Auditing | Log All Changes | Log Changes | No Controls |
| Workstation Placement | Non-public Area | Non-public Area | No Controls |


Some information was adapted from Purdue University.

Last updated May 21, 2009