Safeguarding Personally Identifiable Information (PII) and Other Sensitive Information

This document provides guidelines for handling high and moderate risk Personally Identifiable Information (PII) within a university setting.

Handling high and moderate risk Personally Identifiable Information (PII) within a university setting requires additional care to ensure compliance with data privacy requirements and other various regulations.

Data Classification

Data is classified into High Risk, Moderate Risk and Low Risk as defined by UW System Policy #1031, Data Classification and Protection. Examples of high-risk data include information protected by specific laws such as social security numbers, DNA information, protected health information, payment card information etc.

High risk also includes data that if compromised would have a significant impact to the institution, this may be financial, reputational, life/safety, etc.

Moderate risk data includes small amounts of Personally Identifiable Information, research data, data related to requests for proposals, etc. Almost any data that does not meet the definition of high-risk data but is not public is moderate risk

Low risk data includes public information such as web sites, non-restricted student directory information, published research, course descriptions, and other information that would not cause damage if compromised.

Handling Requirements for UW-Stout Data

Handling Requirements for UW-Stout Data include, but are not limited to:

Access to high and moderate risk data: All access to high and moderate risk data must be restricted to authenticated users with a business purpose to access the data. The ability to modify publicly accessible low risk data must also be similarly restricted. (UW-System Policy #1030, Authentication).

Data Stewardship: The assigned Data Steward is responsible for ensuring the appropriate controls are in place to meet security and data retention requirements. It is important you do not store or process any personally identifiable information (PII) outside of the processes and procedures defined by the data steward. (UW-Stout Data Steward Responsibilities and Protocols Policy)

Data Lifecycle: All UW-Stout data must be handled in accordance with UW Policy and all other applicable law and policy, from data collection through secure destruction. The handling of data must be documented in the Unit Records Management Plan. (UW-System Policy 650, Public Records Management Roles and Responsibilities reference effective January 2026).

Data Retention: Data retention requirements apply to all UW-Stout data within the systems and services you use in any format including both digital and physical. This includes your email, content in Teams and SharePoint, and other data you have personal control of. These retention requirements include how long certain data must be retained as well as requiring destruction at the end of the retention period. Some data must be archived as historical information into perpetuity. UW-Stout Library: Records Management

Storing and Processing of PII: Employees must not store or process UW-Stout data using unapproved systems or services. Users must avoid storing such information in unapproved systems such as personal Dropboxes, Google Drive folders, or personal email accounts (KB Article - Data Storage and Processing).

Sharing Data: All data must only be shared for specific approved business purposes. Moderate and high-risk data cannot be shared with anyone, internal or external, without a business purpose. This includes sharing with any third-party.

Reporting security incidents: All incidents of a data compromise or breach must be reported to the Help Desk and you must notify your supervisor. This includes lost or stolen assets (including personally owned devices which contain UW-Stout data), any physical intrusion into secure areas, the discovery of malware or unauthorized access to information assets, and any inappropriately shared data, etc. (UW System Policy 1033, Incident Response).
If you are in danger or a crime is suspected, contact University Police (715-232-2222 for campus non-emergencies or 911 for emergencies).

Personal use of UW-Stout Systems and Services: While not directly related to UW-Stout data handling, UW-System policy does allow for “minimal use for private or personal purposes” However, there are specific limitations including inappropriate use, financial costs to the institution, etc. Please keep this in mind as you consider safe data handling practices.

Storing high and moderate data, including PII

Practices for storing high and moderate data, including PII:

You should not save personal information in UW-Stout systems. Remember, we are a public institution, and our data is all subject to open records laws, even if it is your personal information.

Data storage has a cost. Deleting unnecessary data will reduce our data storage needs and reduce costs to the institution.

Storing excessive personal information is likely to exceed the “minimal” use provided by policy based on these storage costs.

Keep printed private information always secure and never leave paper documents unattended or unsecured.

Never leave laptops or devices that contain private information unattended in open areas such as public spaces, cars, restaurants.

Never leave your computer monitor open towards public view when private information is being accessed.

Do not store Moderate or High-Risk data on personally owned machines outside of UW-Stout provided approved services such as your Stout email or Teams.

Remember that all PII must be stored in accordance with Unit Records Management Plan.

For example, you may collect information and may maintain personal notes during a search process. However, at the completion of each stage of the process all personally maintained information should be deleted once the required records have been saved to the approved service, such as TAM or Workday. Do not keep copies in email, OneDrive, Teams, or personal files.

The data lifecycle begins with the collection of data and ends with the secure destruction of the records. This applies to all the data you use in your role at Stout.

Sharing and Accessing high and moderate data, including PII

Practices for sharing and accessing high and moderate data, including PII:

You must have a work-related reason to access, use, and disclose private information

You should use only the minimum amount of private information necessary to do your job

Avoid displaying PII when presenting to a group via Teams, AirMedia, or other platforms. Close any PII files prior to presenting to avoid accidentally displaying private data.

Student directory information may be shared for specific purposes. However, there is no requirement to share student directory information.

Student data related to students who choose to suppress their data, indicated by a window icon in AccessStout, is classified as high or moderate risk.

Even if information is classified as low risk, you should not share it without a business purpose.

You do not have to share just because it is public. Refer any information sharing requests to the registrar ofr the appropriate functional unit.

Make sure to secure sharing permissions for PII files, and revoke access when no longer required. Avoid using “anyone with this link” access for files with PII.

For the sake of policy, third parties includinge a student’s parents; contractors; individuals contacting you as a reference; business partners; external committee members; organizations with a contractual agreement such as memorandums of understanding, accreditation agencies, articulation agreements, end user license agreements, click through software agreements; etc.

Laws, policies, and agreements that may impact data management

This is far from an exclusive list. It is provided to give you an idea of the type of agreements that may include data management requirements.

FERPA-for all educational records

GLBA-compliance for financial data (impacting financial aid)

HIPAA-compliance for medical records (impacting SVRI)

GDPR, CCPA, and other regional privacy requirements affecting data subjects based on the location of the data, the individual, or the service provider.