Sensitive File Storage Guide

August 2020

If you have files / folders that contain sensitive data (examples of sensitive data below), use the following guide to properly protect them.

  1. Refer to the UC Records Retention Schedule for the specific disposition of your departmental documents. If you have questions, contact for a consultation.
  2. If you or your department is required to retain the documents with sensitive data, you have two options: Box or SharePoint.
    • Box
      Box is currently an acceptable record repository for sensitive data at UCOP. Please secure folders containing sensitive data by limiting sharing to authorized staff. See Tips for Securing Sensitive Data in Box for more detailed instructions. The ITS Box team also can meet with you to discuss how to better secure the folders. To request assistance, contact the Service Desk at 510-987-0457 or submit a ServiceNow ticket.

      The following repositories are not secure: Network drives or fileshares, the C:drive (on your laptop or desktop), Smartsheet, and Outlook email folders/archives. All documents stored in these repositories and that contain sensitive data must be immediately moved to Box.
    • SharePoint
      If you are storing documents with sensitive data on your site, there is no requirement to move these documents at this time. However, you must immediately provide the URL(s) to the SharePoint team (via so they can apply an additional security layer to those sites.
  1. If you need to securely send sensitive documents, two methods are available:

Examples of Sensitive Data

Sensitive data is any information for which loss, alteration, misuse or disclosure could adversely affect the interests of the University of California or its administration, faculty, staff, students, applicants or relations therein. By default, this includes any such information held by UC, whether or not such information is subject to legal or regulatory protections or restrictions.

Please discuss file storage with your manager and, if needed, consult with the security team. For more information about sensitive data, see the Classification of Information and IT Resources website. Examples of sensitive data includes but are not limited to the following:

  • Social Security numbers (SSNs)
  • Credit card or other financial account numbers
  • Driver’s license numbers
  • Personally identifiable information (PII) pertaining to individuals (students, applicants, parental/familial relatives, alumni, donors, current and retired faculty and staff)
  • Academic data such as grades and enrollment data (as specified under FERPA)
  • Medical and health data (PHI)
  • Proprietary and/or copyrighted data, such as research data and publications
  • Confidential legal or financial data