School of Medicine websites are public-facing systems and must not be used to store, collect, or display sensitive or restricted information. Following data security requirements protects patients, faculty, staff, students, and the University and helps ensure compliance with UNC and SOM policies.

This page provides an overview of key data security principles for SOM websites and links to authoritative University and School of Medicine policies for full details.


Public Websites and Data Risk

SOM websites are designed to share information publicly. Anything published on a site, including pages, images, documents, and form submissions, may be:

  • Indexed by search engines
  • Accessible to unintended audiences
  • Copied, shared, or archived outside the University’s control

Because of this, sensitive information must never be placed on SOM websites, even temporarily.


Sensitive and Restricted Information

SOM websites must not display, collect, or store information classified as sensitive or restricted under University policy. This includes, but is not limited to:

  • Protected Health Information (PHI)
  • Social Security numbers
  • Financial or banking information
  • Personal addresses, phone numbers, or private email addresses
  • Student education records
  • Personnel records
  • Login credentials or access codes

For a full definition of data types and classifications, review UNC’s Information Classification Standard.


Forms and Data Collection

Forms on SOM websites must be carefully reviewed before publishing.

  • Do not use web forms to collect sensitive or restricted data.
  • Uploaded files can introduce significant security risk.
  • Gravity Forms submissions are automatically deleted after the retention period and should never be treated as secure storage.
  • When collecting sensitive information is required, use approved University systems designed for secure data handling (such as Qualtrics, REDCap, or other ITS-supported platforms).
  • If a form needs a file upload field, we recommend using Qualtrics, as there have been issues where sensitive data has inadvertently been uploaded.

For additional guidance, see Safe Computing at UNC – Sensitive Information.


Documents and Media Files

Documents uploaded to SOM websites are publicly accessible, even if linked from a password-protected or private page.

  • Do not upload documents containing sensitive or private data.
  • Review documents carefully if you are not the original creator.
  • Do not assume documents are protected because they are not linked or are buried deep in the site.

If content should not be public, it should not be uploaded to a SOM website.


Password Protection and Private Pages

Password-protected or private pages do not secure media files such as images, PDFs, or Word documents.

  • Files remain publicly accessible by direct URL
  • Files can still be indexed by search engines


Official SOM Web Publishing Security Policy

All SOM websites must comply with the School of Medicine’s Web Publishing Security Policy, which outlines acceptable use, prohibited content, and security responsibilities.

This policy applies to all site administrators, editors, contributors, and anyone responsible for managing web content.


Responsibility of a Site Editor

If you manage content on a SOM website, you are responsible for ensuring:

  • Only appropriate content is published
  • Sensitive data is never uploaded or collected
  • External systems are used when secure data handling is required
  • Policies and standards are followed at all times

If you are unsure whether content is appropriate for the web, do not publish it and contact the Web Team for guidance.