Skip to main content
University of Wisconsin–Madison

Data Security, Management and Retention

A large majority of research performed on campus generates data, procedures, observations, and other notes. Precautions should be taken to maximize security in using and storing data.

Security refers to two main areas: 1) safeguarding the integrity of the data itself and 2) restricting access to sensitive data (such as geographic, administrative, or medical information about individuals).

Handling Sensitive University Data:

While performing your UW-Madison job, you will likely come into contact with many types of information or data, some of which may be considered sensitive (e.g., student grades, enrollment status) or restricted (e.g., social security numbers). It is important to understand your responsibilities for identifying, transmitting, redistributing, storing or disposing of this kind of sensitive information.

To handle data properly, you need to know what kind of data it is and what laws or standards, if any, might govern its use (or misuse).

Some data must be kept private under laws such as FERPA (which protects students’ education records), HIPAA (which protects individually-identifiable health information), Section 134.98 of the Wisconsin Statutes (which requires notification if a data breach occurs). Some data is governed by industry standards such as PCI (which protects credit card holder information). Some data may be subject to public disclosure under laws such as the Wisconsin Public Records law. (Be careful though… data is subject to public records requests doesn’t still needs to be secured and used in accordance with applicable privacy laws!)

For further information about your responsibilities, see the UW System Policy on information security awareness.

UW-Madison has classified its institutional data assets into risk based categories for determining who is allowed to access institutional data and what security precautions must be taken to protect it against unauthorized access and use.

Restricted: Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects.  Data should be classified as Restricted if:

  • protection of the data is required by law or regulation or
  • UW-Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed

Sensitive: Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects.  Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Internal: Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects.  By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data.

Public: Data should be classified as Public prior to display on web-sites or once published without access restrictions; and when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.


  • Everyone should keep their digital data safe from attack by computer malware.
  • If you work with sensitive data, you may need to comply with requirements and policies of the university, state, federal government, and granting agencies for keeping it private.  Some of the following policies may be applicable:
Policy Description How to Comply
UW-Madison data policies Protects sensitive personal data handled by UW-Madison personnel in the course of their work.

Campus IT policies, including those for sensitive information.

Data Governance Program.

Methods for handling restricted data.

Risk Management Framework.

HIPAA (Health Insurance Portability and Accountability Act) Rules safeguarding the privacy of personal health information and its access by health care providers and others. Resources to assist UW-Madison researchers with HIPPA compliance

Office of Cybersecurity:

The Office of Cybersecurity supports the CIO and the campus by leading and managing campus efforts to reduce risk. Strategies include appropriate handling of data, continued diagnostics and good processes and procedures to manage our intellectual property and other sensitive information.

Restricted Data:

What Is restricted data?

  • Social Security Number (SSN)
  • Driver’s License Number or State Identification Number
  • Financial Account Number (including credit/debit card) or any security code, access code of password that would permit access to an individual’s financial account
  • Deoxyribonucleic Acid (DNA) Profile as defined in S. 939.74 (2d) (a)
  • Unique Biometric Data, including fingerprint, voice print, retina or iris image or any other unique physical representation
  • Protected health information (PHI) including any information about health status, provision of health care, or payment of health care

If a system processes, stores or otherwise propagates any of these six restricted data elements, it is recommended (and often times required) that enhanced security controls are implemented to protect its confidentiality from unauthorized disclosure and avoid the financial and political burden of breach notifications. Organizations are required by law be in compliance with a specific set of data security standards and controls for some restricted data elements; while standards for the remaining data elements are dictated by the governing bodies of those organizations. Learn more about restricted data.


UW-Madison – CIO – Restricted Data Security Management Policy:

Applies to all Schools, Colleges, Divisions, Centers and other units of UW-Madison, including any associated contractors or other entities or persons.

The policy requires that all UW-Madison units find restricted data in their possession, dispose of any that is no longer needed, store as much as practical of what remains in approved storage locations, and annually report any that is not stored in approved storage locations and provide an appropriate level of protection for it. The policy also requires that, to the extent practical, the responsible parties eliminate or reduce the presence of restricted data in business processes, applications, and data that is used for university business.

Controlled Unclassified Information:

Federal agencies routinely generate, use, store, and share information that requires safeguarding and dissemination controls even though it doesn’t rise to the level of classified national security information.

Controlled Unclassified Information (CUI) is unclassified information that meets the standards for safeguarding and dissemination controls pursuant to law, regulations and government-wide policies. Previously, similar information may have been referred to as Sensitive But Unclassified (SBU) throughout the executive branch; some of this information may meet the requirements to become CUI.

Data Stewardship, Access and Retention Policy:

The University of Wisconsin-Madison has established this policy on Data Stewardship, Access and Retention to assure that research are appropriately maintained, archived for a reasonable period of time, and available for review and use under the appropriate circumstances.  The policy also provides for transfer of data in the event a research leaves UW-Madison.

This policy applies to all University of Wisconsin-Madison faculty, academic staff, visiting scholars, postdoctoral fellows or other trainees, research technicians, and graduate or undergraduate students and any other persons at UW-Madison involved in the design, conduct or reporting of research at or under the auspices of UW-Madison, and it applies to all research projects on which those individuals work, regardless of the source of funding for the project.



The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting protected health information (PHI) for organizations who create, receive, maintain or transmit PHI. In March 2006, Wisconsin’s Personal Information Disclosure Act (statute Section 134.98), was passed. This Act requires an entity to notify the subject of personal information if an unauthorized acquisition of their personal information has occurred. The University of Wisconsin – Madison is required to comply with HIPAA laws for any system which contain PHI.

HIPAA at the University of Wisconsin – Madison


Storage and Encryption Policy:

Applies to anyone who stores restricted data or sensitive data, as defined in the Data Classification Policy.

UW-Madison employees and contractors must encrypt restricted data and sensitive data when it is stored or accessed on desktops, laptops or other portable devices or media, according to the current compliance standards. Learn more about the storage and encryption policy.


Data Classification Policy:

The Data Classification Policy applies to anyone handling UW-Madison data.

There are four data classifications. From highest to lowest risk they are: Restricted (significant risk), Sensitive (moderate risk), Internal (some risk), and Public (little or no risk).


Tangible Property:

The tangible research property policy is intended to address the university’s responsibilities relating to the management of tangible research property. Tangible Research Property (TRP) is defined for purposes of this policy as tangible items produced in the course of conducting research projects at or under the auspices of UW-Madison. TRP includes such items as: biological materials, chemical compounds, physical samples, integrated circuit chips, prototype devices, and equipment.

TRP does not include intangible (or intellectual) property such as patentable inventions and original works protected by copyright or trademark, which are
subject to other policies and guidelines. TRP does not include items purchased or otherwise obtained for the purpose of conducting research.