Regulated Data Chart

Regulated Data is any data that is controlled by regulations that the University must comply with in storing, transmitting, or using that data. Before using any service to send, store, or share Institutional Data, review which systems are approved for regulatory compliance. The Regulated Data Chart helps you understand which software and systems are safe to store different types of Regulated Data in. These restrictions are often dictated by the security of the system as well as contractual agreements between the university and the service provider.

How to interpret the Regulated Data Chart

Hover over or click on chart icons for more details about restrictions.

Use Permitted - No technical, policy, or contractual issues exist that prohibit use of this data type with this service. You may send, store or share the regulated data type with this service if your data steward and your department/unit policies permit you to do so.

Use Restricted - Use of this service with the regulated data type is restricted and approval is required. To use this service or to learn more about the restrictions in place, contact the CIS Business Systems Team .

Use Prohibited - Use of this service with the regulated data type is prohibited. Do not use this service to send, store or share the regulated data type.

Paper
	FERPA Education Records	PII / Internal Data Personal Data	Confidential Data	HIPAA Health Records	GLBA Bursar Records	Common Rule Human Subjects Research
Paper files
Computing
CIS Managed Computers
Personal / Non-Managed Computers
Mobile Devices
USB Drives (unencrypted)
USB Drives (encrypted)
Files Shares / Collaboration Services
JIRA
SPU Wiki
SharePoint
Department File Share
SPU OneDrive for Business
OneDrive / Dropbox / Google Docs
Communications
MS Teams
Slack / Google Hangouts
Office 365 SPU Email
Personal or non-SPU Email
	FERPA Education Records	PII / Internal Data Personal Data	Confidential Data	HIPAA Health Records	GLBA Bursar Records	Common Rule Human Subjects Research
Academic Systems
Canvas
TK20
Zoom PRO / Panopto
Administrative Systems
Adobe Sign
Banner
CBord Odyssey
Destiny One
JumpForward
Medicat
PeopleGrove
Raiser's Edge
Slate
TerraDotta Study Abroad / ISSS
Tools
FormStack
Microsoft Forms

Regulated and Confidential Data Definitions

FERPA (Education Records): Education records (i.e., files and documents which contain information related to an identifiable student) are protected by the Family Educational Rights and Privacy Act (FERPA). Examples: class lists, grade rosters, records of advising sessions, grades, financial aid applications. See SPU's Family Educational Rights and Privacy Act (FERPA) policy.

HIPAA (Health Records): Certain health information is protected by the Health Information Portability and Accountability Act (HIPAA) and is considered confidential if it is individually identifiable and held or transmitted by a covered entity. Examples: health records, patient treatment information, health insurance billing information. Use of HIPAA-covered data at SPU is highly restricted and limited to the Health Services clinic. See HIPAA to learn more.

Personally Identifiable Information (PII): Personal identifiers are Social Security numbers, birth dates, credit card numbers, driver’s license numbers, passport ID, and bank account numbers. These are considered confidential data when they appear in conjunction with an individual’s name or other identifier.

GLBA (Bursar Records): SPU's Bursar records are protected by GLBA (Gramm-Leach-Bliley/Financial Services Modernization Act) and also by FERPA.

Common Rule (Human Subjects): Sensitive Identifiable Human Subject Research: Information that reveals or can be associated with the identities of people who serve as research subjects. Examples: names, fingerprints, full-face photos, a videotaped conversation, or information from a survey filled out by an individual. Human Subject data is regulated by the Common Rule.