Regulated Data Chart
Regulated Data is any data that is controlled by regulations that the University must comply with in storing, transmitting, or using that data. Before using any service to send, store, or share Institutional Data, review which systems are approved for regulatory compliance. The Regulated Data Chart helps you understand which software and systems are safe to store different types of Regulated Data in. These restrictions are often dictated by the security of the system as well as contractual agreements between the university and the service provider.
How to interpret the Regulated Data Chart
Hover over or click on chart icons for more details about restrictions.
Use Permitted - No technical, policy, or contractual issues exist that prohibit use of this data type with this service. You may send, store or share the regulated data type with this service if your data steward and your department/unit policies permit you to do so.
Use Restricted - Use of this service with the regulated data type is restricted and approval is required. To use this service or to learn more about the restrictions in place, contact the CIS Business Systems Team.
Use Prohibited - Use of this service with the regulated data type is prohibited. Do not use this service to send, store or share the regulated data type.
| Education Records | Personal Data |
| Health Records | Bursar Records | Human Subjects Research |
Paper | ||||||
|---|---|---|---|---|---|---|
Paper files |
|
| PII data classified as Confidential can be stored on paper, but some regulations require restriction of physical access (locked rooms/file cabinets). See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | Health records are highly regulated and should not be stored outside of the SPU health center. Paper storage of HIPAA-regulated data is permitted but highly restricted.
| GLBA data can be stored on paper with proper restriction of physical access (locked rooms/file cabinets). | Human Subjects data can be stored on paper with proper restriction of physical access (locked rooms/file cabinets). |
Computing | ||||||
CIS Managed Computers |
|
| PII data classified as Confidential can be stored on paper, but some regulations require restriction of physical access (locked rooms/file cabinets). See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | GLBA data can be stored on CIS Managed computers. No other computers are compliant with regulatory restrictions. | Human Subjects data can be stored on CIS-managed computers. No other computers are compliant with regulatory restrictions. |
Unsupported SPU-Owned Computers* | FERPA data may be stored on a personal computer if it is password protected, encrypted and follows the DOE guidelines on the secure storage and transmission of FERPA protected data. | Some types of PII may be stored on a personal computer if it is password protected, encrypted, and secured with an up-to-date operating system and security features. Ensure you understand the regulatory controls governing the data. | Data classified as confidential cannot be stored on personal devices. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
Personal Computers | FERPA data may be stored on a personal computer if it is password protected, encrypted and follows the DOE guidelines on the secure storage and transmission of FERPA protected data. | Some types of PII may be stored on a personal computer if it is password protected and encrypted. Ensure you understand the regulatory controls governing the data. | Data classified as confidential cannot be stored on personal devices. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
Mobile Devices | FERPA data may be stored on a mobile device if it is password protected, encrypted and follows the DOE guidelines on the secure storage and transmission of FERPA protected data. | PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | Data classified as confidential cannot be stored on personal devices. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
USB Drives (unencrypted) | FERPA data may only be stored on external storage or USB drives if it is password protected, encrypted, and follows the DOE guidelines on the secure storage and transmission of FERPA protected data. | PII data classified as Internal or Confidential cannot be stored on external drives per SPU's Identity Theft Prevention Program implemented in accordance with the FTC Red Flags Rule. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | Data classified as Internal or Confidential cannot be stored on external drives per SPU's Identity Theft Prevention Program implemented in accordance with the FTC Red Flags Rule. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | Unencrypted and unauthenticated storage does not meet the minimum regulatory compliance requirements for HIPAA protected data. | Unencrypted and unauthenticated storage does not meet the minimum regulatory compliance requirements for GLBA protected data. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
USB Drives (encrypted) | FERPA data may be stored on external storage or USB drives if it is password protected, encrypted, and follows the DOE guidelines on the secure storage and transmission of FERPA protected data. | PII data classified as Internal or Confidential can legally be stored on encrypted external storage, however it is inadvisable. | PII data classified as Internal or Confidential can legally be stored on encrypted external storage, however it is inadvisable. | Unencrypted and unauthenticated storage does not meet the minimum regulatory compliance requirements for HIPAA protected data. | Unencrypted and unauthenticated storage does not meet the minimum regulatory compliance requirements for GLBA protected data. | FERPA data may be stored on external storage or USB drives if it is password protected, encrypted, and follows the DOE guidelines on the secure storage and transmission of FERPA protected data. |
File Shares / Collaboration Services | ||||||
JIRA | FERPA data can be stored in JIRA as long as the permissions limit access to appropriate staff. See the DOE guidelines on the secure storage and transmission of FERPA protected data that you must follow. | PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | Data classified as Confidential cannot be stored in this system. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
SPU Wiki |
| PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | Data classified as Confidential cannot be stored in this system. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
SharePoint |
|
| PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | GLBA data can be stored with permissions restricting access to appropriate employees. | Human Subjects data can be stored with permissions restricting access to appropriate employees. |
Department File Share |
|
| PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | GLBA data can be stored with permissions restricting access to appropriate employees. | Human Subjects data can be stored with permissions restricting access to appropriate employees. |
SPU OneDrive for Business |
|
| PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | GLBA data can be stored with permissions restricting access to appropriate employees. | Human Subjects data can be stored with permissions restricting access to appropriate employees. |
OneDrive / Dropbox / Google Docs | This platform does not meet regulatory compliance standards for PII. | This platform does not meet regulatory compliance standards for confidential data. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. | |
Communications | ||||||
MS Teams |
|
| PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store. | Teams can be used in a HIPAA-Compliant manner but is not inherently HIPAA-Compliant. Please consult with IT and/or University Counsel before using Teams for HIPAA-protected information. | GLBA data can be stored with permissions restricting access to appropriate employees. | Human Subjects data can be stored with permissions restricting access to appropriate employees. |
Slack / Google Hangouts | Data classified as Internal cannot be transmitted by SPU employees using personal email. Students may use personal email to transmit this information to an SPU employee. | Data classified as confidential cannot be stored in this system. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. | |
Office 365 SPU Email |
| PII data classified as Internal or Confidential can be sent only to recipients with SPU email addresses, NOT external email addresses. | Data classified as confidential cannot be stored in this system. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
Personal or non-SPU Email | Data classified as Internal cannot be transmitted by SPU employees using personal email. Students may use personal email to transmit this information to an SPU employee. | Data classified as confidential cannot be stored in this system. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. | |
Academic Systems | ||||||
Canvas |
|
| PII data classified as Internal can be transmitted via SPU email between employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to transmit. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
TK20 |
|
| Data classified as confidential cannot be stored in this system. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
Zoom PRO / Panopto |
|
| Data classified as confidential cannot be stored in this system. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
Administrative Systems | ||||||
Adobe Sign |
|
| This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. | |
Banner |
|
|
| This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this. |
| This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
CBord Odyssey |
| Some specific types of Confidential data can be stored in this system for identity verification and generating ID cards. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this. |
| This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. | |
Destiny One |
|
| Some specific types of Confidential data can be stored in this system for online student registration and identity verification purposes. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this. |
| This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
JumpForward |
|
| Some specific types of Confidential data can be stored in JumpForward for the purposes of managing student athletes. Check with Athletics for regulatory requirements and NCAA compliance. | This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this. | This system does not meet the minimum regulatory compliance requirements for GLBA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this. | This system does not meet the minimum regulatory compliance requirements for Human Subject protected data. |
Medicat |
|
|
| |||