Storing Restricted, Protected, and Sensitive Information @ USNH

SharePoint and OneDrive are the preferred storage locations for restricted and sensitive data.

  • USNH Information Classifications and Storage

    • Public Information(no lock): No restrictions on storage in OneDrive and SharePoint
    • Sensitive Information(1 lock): No restrictions on storage in OneDrive and SharePoint
    • Protected Information(2 locks): May be stored in OneDrive or SharePoint with Data Steward approval or proper configuration.
    • Restricted (legally protected) Information(3 locks): Restricted Informationcan be stored in SharePoint when properly configured. Never store Restricted Data in OneDrive, or SharePoint without first consulting the ET&S M365 team. If you must store Restricted Data in SharePoint, submit a ticket - https://td.unh.edu/TDClient/60/Portal/Requests/ServiceDet?ID=139
  • Don't store unnecessary data:

    • Scan existing files with Identity Finder (where possible) before transfer to OneDrive and SharePoint to locate SSN's and credit card numbers.
    • Old and outdated files no longer useful (e.g., "just in case")
    • No business need for the data (or obsolete business need).
    • Legal exposure; data is discoverable in lawsuits.
    • Define and use a record retention policy (USNH Policy)
  • *SharePoint is the only acceptable cloud storage location for the below information- when configured properly by the M365 team.

    • Protected health information (PHI) subject to HIPAA/HITECH regulations
      • Understand "cover entity"
      • PHI not covered by HIPAA still must be protected
    • Credit Card information
      • Customer data; does not apply to P-Cards
      • Policy, not law
    • Export controlled research data
      • Sharing risk
  • Be wary of syncing desktop files and SharePoint when storing restricted information.

    • Places inappropriate information on local devices
    • Use only with encrypted devices when storing restricted data

Can I store my own sensitive data in OneDrive and SharePoint?

While we do not explicitly prohibit incidental personal use of OneDrive, or SharePoint, we strongly discourage and do not recommend using OneDrive, and SharePoint for personal files. Remember that OneDrive and SharePoint is a university-provided resource, subject to legal and right-to-know discovery.


If you have any questions about the storage of information or classifications, please contact Cybersecurity.GRC@usnh.edu.

Further Reading: Introducing USNH IT Information Classification - Approved Storage Locations

Details

Article ID: 609
Created
Fri 7/19/19 5:28 PM
Modified
Fri 4/8/22 12:13 PM
Applicable Institution(s):
Granite State College (GSC)
Keene State College (KSC)
Plymouth State University (PSU)
University of New Hampshire (UNH)
USNH System Office