Sensitive Data Storage and Transmission
ECU users are responsible for the protection of any sensitive data in their custody. This includes electronic, print, voice or any other form in which the data is captured.
Definitions for the data classification levels detailed below can be found here.
The storage and transmission mediums listed below represent those that are currently supported by ITCS and East Carolina University. If you wish to utilize something that does not appear on the list, you should contact ITCS before doing so.
If you are looking for Generative AI approved software, please click this link to the second table below.
| Data Type | HIPAA | ITPA | PCI | FERPA | HR/ Personnel | GDPR |
|---|---|---|---|---|---|---|
| Regulation Link | HIPAA | ITPA | PCI | FERPA | HR/ Personnel | GDPR |
| Data Classification Level | 4 | 4 | 4 | 3 | 3 | 3 |
| Personally Owned Storage | No | No | No | No | No | No |
| Canvas | No | No | No | Yes | No | Yes |
| Cloud Hosted | Data Owner and CIS Committee Approval Required. | No | Touchnet is the only University-approved solution. Any other solution must be approved by Financial Services and ITCS. | Data owner approval required. | Yes; Data owner approval required. | Data owner approval required. |
| Crash Plan | Yes | No | No | Data owner approval required | Data owner approval required. | Data owner approval required. |
| DocuSign | Yes except for mobile application. | Yes | No | Yes | Yes | Yes |
| Faculty 180 | No | No | No | No | Yes | No |
| Formstack | No | Data owner approval required. | No | Data owner approval required. | Data owner approval required. | Data owner approval required. |
| iTunes (SODM Course Content) | No | No | No | No | No | No |
| MyWeb.ecu.edu (faculty) | No | No | No | No | No | No |
| MyWeb.ecu.edu (Students) | No | No | No | Yes; Users should cautiously control access to any uploaded content. Media consent forms required. | No | Yes; Users should cautiously control access to any uploaded content. Media consent forms required. |
| Exchange and Teams Office 365 Web Apps | Yes except for external collaboration. | No | No | Yes; Exchanges of confidential student information becomes part of the educational record for former and current students. Office 365 Web applications can be used for instruction, sharing and collaboration with students. PirateID authorization required and special consideration should be given to understanding permissions and how to manage access. No other types of sensitive data are allowed. | Yes; Exchanges and storage of confidential employee information becomes part of the official personnel records for former, current, and prospective employees. While the system is technically secure, employees should exercise good judgment when electing to store personnel information here. Records must be appropriately managed and adhere to the relevant records retention, privacy, and security requirements. | Yes; Exchanges of confidential student information becomes part of the educational record for former and current students. Office 365 Web applications can be used for instruction, sharing and collaboration with students. PirateID authorization required and special consideration should be given to understanding permissions and how to manage access. No other types of sensitive data are allowed. |
| OneDrive for Business Part of ECU Office 365 Subscription | Yes except for external collaboration. | Yes | No | Yes; Exchanges of confidential student information becomes part of the educational record for former and current students. | Yes; Exchanges and storage of confidential employee information becomes part of the official personnel records for former, current, and prospective employees. While the system is technically secure, employees should exercise good judgment when electing to store personnel information here. Records must be appropriately managed and adhere to the relevant records retention, privacy, and security requirements. | Yes; Exchanges of confidential student information becomes part of the educational record for former and current students. |
| Panopto | No | No | No | Yes; Media consent forms required. No copyrighted or sensitive data allowed. | Follow video guidelines. Media consent forms required. Data owner approval required. | Yes; Media consent forms required. No copyrighted or sensitive data allowed. |
| Piratedrive | Yes | Yes | No | Yes | Yes | Yes |
| Poll Everywhere | No | No | No | Yes; PirateID Authorization required | No | No |
| Qualtrics | No | No | No | No | No | No |
| REDCap | Yes with Department Chair approval and, when research is being done, IRB approval. | No | No | Yes; Data owner approval required | Yes | Yes; Data owner approval required |
| SharePoint Online | Yes except for external collaboration. | No | No | Yes | Yes; Data owner approval required. While the system is technically secure, employees should exercise good judgment when electing to store personnel information here. Records must be appropriately managed and adhere to the relevant records retention, privacy, and security requirements. | Yes |
| TeamDynamix | No | Yes | No | No | No | No |
| Turning technologies- Canvas LTI | No | No | No | Yes; PirateID authorization required | No | Yes; PirateID authorization required |
| University Encrypted Storage Device (hard drive, data file, USB) | Yes with CIS Committee approval. | Yes | No | Yes with Data Steward Approval | No | Yes |
| Webex | Yes, recording Webex Meetings containing PHI is strictly prohibited. | No | No | Yes; Media consent forms required. No copyrighted or sensitive data allowed. | No | No |
| WordPress | No | No | No | Yes; No copyrighted or sensitive data allowed. | No | Yes; No copyrighted or sensitive data allowed. |
| WordPress for Courses | No | No | No | Yes; Course work: faculty may have blogs limited to viewing by students in courses using ECU-hosted WordPress. | No | Yes; Course work: faculty may have blogs limited to viewing by students in courses using ECU-hosted WordPress. |
| Yammer | No | No | No | Yes | No | Yes |
| Zoom | No | No | No | Instructional Use Only | No | No |
Generative AI approved software and the data classification levels approved for that software.
| Data Type | HIPAA | ITPA | PCI | FERPA | HR/PERSONNEL | GDPR | Internal |
|---|---|---|---|---|---|---|---|
| Regulation Link | HIPAA | ITPA | PCI | FERPA | HR/ Personnel | GDPR | Level 2- Internal |
| Data Classification Level | 4 | 4 | 4 | 3 | 3 | 3 | 2 |
| Generative AI Software | No | No | No | No | No | No | No |