Using encryption to protect sensitive data is recommended in many situations and is potentially required in still others. Read through the steps below to determine if you should be using encryption to protect data on your personal computer or portable device.
Note: New University of Iowa policy requires the removal of all Social security numbers (SSNs) from users' computers where it is not needed. Click here for more information if you work with SSNs on your computer.
What is sensitive data?
Sensitive data can be any information that if stolen could potentially result in damages for yourself, someone else, or the University of Iowa. Some examples include social security numbers, credit card numbers, official student grades, financial aid data, and individuals’ health information. Social Security Numbers, student transcripts, financial aid information, and health records are federally protected under laws like the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). This kind of information is classified by the University as Level 3: High Sensitivity. Find out more about how data is classified and examples of Level 3 data at the Security Office's Guide on sensitive data.
How do I find my sensitive data?
The University of Iowa provides a tool called Identity Finder to help you search your local hard drives and personal network storage drive for protected information like SSNs and credit card numbers. You may download the Identity Finder tool at the ITS Software Services Download Site. The Identity Finder tool will "crawl" through your personal files to find instances of SSNs or credit card numbers and give you a report letting you know exactly which files might contain these pieces of information.
For data types other than SSNs and credit card numbers you will have to manually search your machine.
Does my data need to be encrypted?
Once you have determined whether or not your computer contains sensitive data, you should ask yourself if you really do need that data any longer. If the answer is no, you can just delete the information and not worry about encryption or other security measures.
If however, you answer "yes" to the above question, then you should ask yourself if you need to have the sensitive data stored on your local computer? Could you get by with the data being stored on University of Iowa network storage? If so, all you may need to do is transfer the sensitive information to your personal network storage.
If you decide that you do need to have the data stored on your local computer, you may need to implement an encryption scheme. If the information that you work with can be classified as "level 3 sensitive data" or above, University of Iowa policy will require you to use encryption. The University of Iowa considers level 3 information as data that is highly sensitive and may have personal privacy considerations, or may be restricted by federal or state law. If stolen, this kind of data would not only have a negative impact on the owner but also potentially on the University.
Final Thoughts
It is ultimately up to you, the user, on whether or not you feel your data should be encrypted. In most cases it is best to err on the side of caution and use encryption to not only protect the data but protect yourself and the university. If after reading the material above you decide that you should be encrypting your computer, then click on the link below to continue.