Which types of data may be stored on PennBox and Amazon depends on the data's sensitivity level under the Penn Data Risk Classification guidelines.
| Data Type | Storage Allowed? | Device Encryption Required? |
| --- | --- | --- |
| Non-Confidential University Data | YES | NO |
| FERPA Data | YES | YES |
| HIPAA Data | YES: See Terms Below | YES |
| Human subject research data | YES with IRB approval | YES |
| Social Security Number | YES: See Terms Below | YES |
| Credit Card Data | NO | N/A |
| ITAR/EAR | NO | N/A |
| Other Confidential University Data* | YES | YES |
- Confidential University Data
- HIPAA Terms of Use
- Social Security Number Terms of Use
- Questions or Concerns
Sensitive Personally Identifiable Information: Information relating to an individual that reasonably identifies the individual and, if compromised, could cause significant harm to that individual or to Penn. Examples may include, but are not limited to, Social Security numbers, credit card numbers, bank account information, student grades or disciplinary information, salary or employee performance information, donations, patient health information, information Penn has promised to keep confidential, and account passwords or encryption keys used to protect access to confidential University data.
Proprietary Information: Data, information, or intellectual property in which the University has an exclusive legal interest or ownership right, which, if compromised, could cause significant harm to Penn. Examples may include, but are not limited to, business planning, financial information, trade secrets, copyrighted material, and software, or comparable material from a third party when the University has agreed to keep such material confidential.
Other data: Other data whose disclosure would cause significant harm to Penn or its constituents.
Penn has executed HIPAA-compliant Business Associate Agreements with the services named above. This ensures compliance with the contractual requirements set out under HIPAA. To meet additional HIPAA requirements, before putting HIPAA-regulated data on these services:
- Contact your Local Support Provider (LSP) to enable logging and monitoring, and to configure anti-malware scanning of the files.
- Use only Penn-approved encrypted devices to access HIPAA Data on these services. Note: for any non-Penn recipients of HIPAA data, appropriate administrative, physical and technical safeguards must be in place including, at a minimum, encryption at rest.
- Periodically review access permissions to ensure only HIPAA-authorized persons can access the data.
- For AWS, set up a separate account for HIPAA use, and enroll the account in the BAA.
- For AWS, use only HIPAA-eligible services for data containing PHI.
- For AWS, ensure you are enrolled in Business or Enterprise level support.
Contact your Local Support Provider (“LSP”). A Social Security Number (SSN) is particularly sensitive data that, if compromised, can cause harm to the individual and to Penn. Please consider carefully whether you need full SSNs for any and all of your academic, research or business processes. Using the last four digits or Penn ID as alternatives, as well as encryption, are effective ways to reduce such risks. See Penn’s Social Security Number Policy at http://www.net.isc.upenn.edu/policy/approved/20071120-ssnpol.html.
Contact ISC's Office of Information Security (security@isc.upenn.edu) or the Privacy Office (privacy@upenn.edu).