/
Regulated Data Chart

Regulated Data Chart

Owned by Micah Schaafsma
Last updated: Apr 01, 2025 by Josh Kanehen

Regulated Data is any data that is controlled by regulations that the University must comply with in storing, transmitting, or using that data.  Before using any service to send, store, or share Institutional Data, review which systems are approved for regulatory compliance.  The Regulated Data Chart helps you understand which software and systems are safe to store different types of Regulated Data in.  These restrictions are often dictated by the security of the system as well as contractual agreements between the university and the service provider.

How to interpret the Regulated Data Chart

Hover over or click on chart icons for more details about restrictions.

(tick) Use Permitted  - No technical, policy, or contractual issues exist that prohibit use of this data type with this service. You may send, store or share the regulated data type with this service if your data steward and your department/unit policies permit you to do so.

  Use Restricted  -  Use of this service with the regulated data type is restricted and approval is required. To use this service or to learn more about the restrictions in place, contact the CIS Business Systems Team .

(error) Use Prohibited  - Use of this service with the regulated data type is prohibited. Do not use this service to send, store or share the regulated data type.



FERPA

Education Records

PII / Internal Data

Personal Data

Confidential Data


HIPAA

Health Records

GLBA

Bursar Records

Common Rule

Human Subjects Research

Paper





Paper files

(tick) 

Health records are highly regulated and should not be stored outside of the SPU health center. Paper storage of HIPPA regulated data is permitted but highly restricted.

Computing





CIS Managed Computers

(tick) 

(tick) 

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

GLBA data can be stored on CIS Managed computers. No other computers are compliant with regulatory restrictions.

Human Subjects data can be stored on CIS Managed computers. No other computers are compliant with regulatory restrictions.

Unsupported SPU-Owned Computers*

FERPA data may be stored on a personal computer if it is password protected, encrypted and follows the DOE guidelines on the secure storage and transmission of FERPA protected data .

Some types of PII may be stored on a personal computer if it is password protected, encrypted, and secured with an up to date operating system and security features. Ensure you understand the regulatory controls governing the data.

Data classified as confidential cannot be stored personal devices

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Personal ComputersFERPA data may be stored on a personal computer if it is password protected, encrypted and follows the DOE guidelines on the secure storage and transmission of FERPA protected data .Some types of PII may be stored on a personal computer if it is password protected and encrypted. Ensure you understand the regulatory controls governing the data.Data classified as confidential cannot be stored personal devicesThis system does not meet the minimum regulatory compliance requirements for HIPAA protected dataThis system does not meet the minimum regulatory compliance requirements for GLBA protected dataThis system does not meet the minimum regulatory compliance requirements for Human Subject protected data
Mobile Devices

FERPA data may be stored on a mobile device if it is password protected, encrypted and follows the DOE guidelines on the secure storage and transmission of FERPA protected data .

PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store.

Data classified as confidential cannot be stored personal devices

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

USB Drives (unencrypted)

FERPA data may only be stored on a external storage or USB drives if it is password protected, encrypted, and follows the DOE guidelines on the secure storage and transmission of FERPA protected data .

PII data classified as Internal or Confidential cannot be stored on external drives per SPU's Identity Theft Prevention Program implemented in accorance with the FTC Red Flags Rule.See Data Laws and Regulations for regulatory compliance info specific to the data you want to store.

Data classified as Internal or Confidential cannot be stored on external drives per SPU's Identity Theft Prevention Program implemented in accorance with the FTC Red Flags Rule.See Data Laws and Regulations for regulatory compliance info specific to the data you want to store.

Unencrypted and unauthenticated storage does not meet the minimum regulatory compliance requirements for HIPAA protected data

Unencrypted and unauthenticated storage does not meet the minimum regulatory compliance requirements for GLBA protected data

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

USB Drives (encrypted)

FERPA data may be stored on a external storage or USB drives if it is password protected, encrypted, and follows the DOE guidelines on the secure storage and transmission of FERPA protected data .

PII data classified as Internal or Confidential can legally be stored on encrypted external storage, however it is inadvisable.

PII data classified as Internal or Confidential can legally be stored on encrypted external storage, however it is inadvisable.

Unencrypted and unauthenticated storage does not meet the minimum regulatory compliance requirements for HIPAA protected data

Unencrypted and unauthenticated storage does not meet the minimum regulatory compliance requirements for GLBA protected data

FERPA data may be stored on a external storage or USB drives if it is password protected, encrypted, and follows the DOE guidelines on the secure storage and transmission of FERPA protected data .

Files Shares / Collaboration Services
JIRA
FERPA data can be stored in JIRA as long as the permissions limit access to appropriate staff. See the DOE guidelines on the secure storage and transmission of FERPA protected data that you must follow.

PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store.

Data classified as Confidential cannot be stored in this system.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

SPU Wiki

(tick)


PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store.

Data classified as Confidential cannot be stored in this system.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

SharePoint

(tick) 

(tick) 

PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

GLBA data can be stored with permissions restricting access to appropriate employees.

Human Subjects data can be stored with permissions restricting access to appropriate employees.

Department File Share

(tick) 

(tick) 

PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

GLBA data can be stored with permissions restricting access to appropriate employees.

Human Subjects data can be stored with permissions restricting access to appropriate employees.

SPU OneDrive for Business

(tick) 

(tick) 

PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

GLBA data can be stored with permissions restricting access to appropriate employees.

Human Subjects data can be stored with permissions restricting access to appropriate employees.

OneDrive / Dropbox / Google Docs

This platform does not meet regulatory compliance standards for PII

This platform does not meet regulatory compliance standards for confidential data.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Communications
MS Teams

(tick) 

(tick) 

PII data classified as Internal or Confidential can be stored with permissions restricting access to appropriate employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to store.

GLBA data can be stored with permissions restricting access to appropriate employees.

Human Subjects data can be stored with permissions restricting access to appropriate employees.

Slack / Google Hangouts

Data classified as Internal cannot be transmitted by SPU employees using personal email. Students may upse personal email to transmit this information to an SPU employee.

Data classified as confidential cannot be stored in this system.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Office 365 SPU Email

(tick) 

PII data classified as Internal or Confidential can be sent only to recipients with SPU email addresses, NOT external email addresses.

Data classified as confidential cannot be stored in this system.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Personal or non-SPU Email

Data classified as Internal cannot be transmitted by SPU employees using personal email. Students may upse personal email to transmit this information to an SPU employee.

Data classified as confidential cannot be stored in this system.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data


FERPA

Education Records

PII / Internal Data

Personal Data

Confidential Data


HIPAA

Health Records

GLBA

Bursar Records

Common Rule

Human Subjects Research

Academic Systems
Canvas

(tick) 

(tick) 

PII data classified as Internal can be transmitted via SPU email between employees. See Data Laws and Regulations for regulatory compliance info specific to the data you want to transmit.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

TK20 

(tick) 

(tick) 

Data classified as confidential cannot be stored in this system.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Zoom PRO / Panopto

(tick) 

(tick) 

Data classified as confidential cannot be stored in this system.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data. Notably, if the Team is being used as a SharePoint site, see the usage under SharePoint.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Administrative Systems
Adobe Sign

(tick) (tick) 

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for GLBA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Banner

(tick) 

(tick) 

(tick) 

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

(tick) 

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

CBord Odyssey

(tick) 

Some specific types of Confidential data can be stored in for identity verification and generating ID card.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

(tick) 

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Destiny One

(tick) 

(tick) 

Some specific types of Confidential data can be stored in for online student registration and identity verification purposes.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

(tick) 

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

JumpForward

(tick) 

(tick) 

Some specific types of Confidential data can be stored in JumpForward for the purposes of managing student athletes. Check with Athletics for regulatory requirements and NCAA compliance.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for GLBA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Medicat

(tick) 

(tick) 

(tick) 

This system does not meet the minimum regulatory compliance requirements for GLBA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

PeopleGrove(tick) (tick) 

Data classified as Confidential cannot be collected or stored in this system.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for GLBA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Raiser's Edge

(tick) 

(tick) 

(tick) 

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for GLBA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Slate

(tick) 

(tick) 

(tick) 

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for GLBA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

TerraDotta Study Abroad / ISSS

(tick) 

(tick) 

(tick) 

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data, though we are currently working on securing a Business Associate Agreement between SPU and Adobe that would allow this.

(tick) 

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data


Tools
FormStack

FERPA data can be collected via FormStack if permissions limit access to appropriate staff and the form is encrypted. Encryption is required as SPU's contract agreement with FormStack does categorize them as an school official. See the DOE guidelines on the secure storage and transmission of FERPA protected data that you must follow.

PII data can be collected via FormStack if permissions limit access to appropriate staff and the form is encrypted.

Data classified as Confidential cannot be collected or stored by Formstack.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

This system does not meet the minimum regulatory compliance requirements for GLBA protected data

This system does not meet the minimum regulatory compliance requirements for Human Subject protected data

Microsoft Forms

(tick) 

Select PII data can be collected via Microsoft Forms if permissions limit access to appropriate staff.

Data classified as Confidential cannot be collected or stored in this system.

This system does not meet the minimum regulatory compliance requirements for HIPAA protected data

GLBA data can be stored with permissions restricting access to appropriate employees.

Human Subjects data can be stored with permissions restricting access to appropriate employees.

Regulated and Confidential Data Definitions

FERPA (Education Records)

Education records (i.e., files and documents which contain information related to an identifiable student) are protected by the Family Educational Rights and Privacy Act (FERPA). Examples: class lists, grade rosters, records of advising sessions, grades, financial aid applications. See SPU's  Family Educational Rights and Privacy Act (FERPA) policy. 

HIPAA (Health Records)

Certain health information is protected by the Health Information Portability and Accountability Act (HIPAA) and is considered confidential if it is individually identifiable and held or transmitted by a covered entity. Examples: health records, patient treatment information, health insurance billing information. Use of HIPAA-covered data at SPU is highly restricted and limited to the Health Services clinic. See HIPAA to learn more.

Personally Identifiable Information (PII)

Personal identifiers are Social Security numbers, birth dates, credit card numbers, driver’s license numbers, passport ID, bank account numbers and SPU ID number. These are considered confidential data when they appear in conjunction with an individual’s name or other identifier.

GLBA (Bursar Records)

SPU's Bursar records are protected by GLBA (Gramm-Leach-Bliley/Financial Services Modernization Act) and also by FERPA. 

Common Rule (Human Subjects)

Sensitive Identifiable Human Subject Research: Information that reveals or can be associated with the identities of people who serve as research subjects. Examples: names, fingerprints, full-face photos, a videotaped conversation, or information from a survey filled out by an individual. Human Subject data is regulated by the Common Rule.

* Unsupported SPU-Owned Computers: If a device that is owned by the University, but not purchased through the central PC purchasing program (e.g.: through a grant or other means) continues to be used beyond when it is securable (e.g.: cannot upgrade to a supported operating system) it should not be used for storage of any sensitive data that coul dbe compromised. If you have a use case that you think requires ongoing use of this kind of device, please contact itsupport@spu.edu to discuss what options exist.

Related content