{"id":15340,"date":"2026-02-09T13:47:28","date_gmt":"2026-02-09T18:47:28","guid":{"rendered":"https:\/\/www.med.unc.edu\/webguide\/?page_id=15340"},"modified":"2026-03-02T11:55:31","modified_gmt":"2026-03-02T16:55:31","slug":"data-security","status":"publish","type":"page","link":"https:\/\/www.med.unc.edu\/webguide\/userguide\/web-standards-policies\/data-security\/","title":{"rendered":"Data Security"},"content":{"rendered":"<p>School of Medicine websites are public-facing systems and must not be used to store, collect, or display sensitive or restricted information. Following data security requirements protects patients, faculty, staff, students, and the University and helps ensure compliance with UNC and SOM policies.<\/p>\n<p>This page provides an overview of key data security principles for SOM websites and links to authoritative University and School of Medicine policies for full details.<\/p>\n<hr  style=\"margin:30px 0\"class=\" rule-thin osc-rule\" \/>\n<h2>Public Websites and Data Risk<\/h2>\n<p>SOM websites are designed to share information publicly. Anything published on a site, including pages, images, documents, and form submissions, may be:<\/p>\n<ul>\n<li>Indexed by search engines<\/li>\n<li>Accessible to unintended audiences<\/li>\n<li>Copied, shared, or archived outside the University\u2019s control<\/li>\n<\/ul>\n<p>Because of this, <strong>sensitive information must never be placed on SOM websites, even temporarily<\/strong>.<\/p>\n<hr  style=\"margin:30px 0\"class=\" rule-thin osc-rule\" \/>\n<h2>Sensitive and Restricted Information<\/h2>\n<p>SOM websites must not display, collect, or store information classified as sensitive or restricted under University policy. 
This includes, but is not limited to:<\/p>\n<ul>\n<li>Protected Health Information (PHI)<\/li>\n<li>Social Security numbers<\/li>\n<li>Financial or banking information<\/li>\n<li>Personal addresses, phone numbers, or private email addresses<\/li>\n<li>Student education records<\/li>\n<li>Personnel records<\/li>\n<li>Login credentials or access codes<\/li>\n<\/ul>\n<p>For a full definition of data types and classifications, review <a href=\"https:\/\/policies.unc.edu\/TDClient\/2833\/Portal\/KB\/ArticleDet?ID=131244\"><strong>UNC\u2019s Information Classification Standard<\/strong><\/a>.<\/p>\n<hr  style=\"margin:30px 0\"class=\" rule-thin osc-rule\" \/>\n<h2>Forms and Data Collection<\/h2>\n<p><a href=\"https:\/\/www.med.unc.edu\/webguide\/userguide\/forms\/\">Forms<\/a> on SOM websites must be carefully reviewed before publishing.<\/p>\n<ul>\n<li>Do not use web forms to collect sensitive or restricted data.<\/li>\n<li>Uploaded files can introduce significant security risk.<\/li>\n<li>Gravity Forms submissions are automatically deleted after the retention period and should never be treated as secure storage.<\/li>\n<li>When collecting sensitive information is required, use approved University systems designed for secure data handling (such as <a href=\"https:\/\/software.sites.unc.edu\/qualtrics\/\">Qualtrics<\/a>, <a href=\"https:\/\/research.unc.edu\/systems\/redcap\/\">REDCap<\/a>, or other ITS-supported platforms).<\/li>\n<li>We recommend using Qualtrics if a file upload field is added to a form as there have been issues where sensitive data has inadvertently been uploaded.<\/li>\n<\/ul>\n<p>For additional guidance, see <strong><a href=\"https:\/\/safecomputing.unc.edu\/data\/sensitive-information\/\">Safe Computing at UNC \u2013 Sensitive Information<\/a><\/strong>.<\/p>\n<hr  style=\"margin:30px 0\"class=\" rule-thin osc-rule\" \/>\n<h2>Documents and Media Files<\/h2>\n<p>Documents uploaded to SOM websites are publicly accessible, even if linked from a 
password-protected or private page.<\/p>\n<ul>\n<li>Do not upload documents containing sensitive or private data.<\/li>\n<li>Review documents carefully if you are not the original creator.<\/li>\n<li>Do not assume documents are protected because they are not linked or are buried deep in the site.<\/li>\n<\/ul>\n<p>If content should not be public, it should not be uploaded to a SOM website.<\/p>\n<hr  style=\"margin:30px 0\"class=\" rule-thin osc-rule\" \/>\n<h2>Password Protection and Private Pages<\/h2>\n<p>Password-protected or private pages do not secure media files such as images, PDFs, or Word documents.<\/p>\n<ul>\n<li>Files remain publicly accessible by direct URL<\/li>\n<li>Files can still be indexed by search engines<\/li>\n<\/ul>\n<hr  style=\"margin:30px 0\"class=\" rule-thin osc-rule\" \/>\n<h2>Official SOM Web Publishing Security Policy<\/h2>\n<p>All SOM websites must comply with the <strong><a href=\"https:\/\/www.med.unc.edu\/webguide\/wp-content\/uploads\/sites\/419\/2017\/09\/Web-Publishing-Security-Policy-rev-12.pdf\">School of Medicine\u2019s Web Publishing Security Policy<\/a><\/strong>, which outlines acceptable use, prohibited content, and security responsibilities.<\/p>\n<p>This policy applies to all site administrators, editors, contributors, and anyone responsible for managing web content.<\/p>\n<hr  style=\"margin:30px 0\"class=\" rule-thin osc-rule\" \/>\n<h2>Responsibility of a Site Editor<\/h2>\n<p>If you manage content on a SOM website, you are responsible for ensuring:<\/p>\n<ul>\n<li>Only appropriate content is published<\/li>\n<li>Sensitive data is never uploaded or collected<\/li>\n<li>External systems are used when secure data handling is required<\/li>\n<li>Policies and standards are followed at all times<\/li>\n<\/ul>\n<p>If you are unsure whether content is appropriate for the web, do not publish it and contact the Web Team for guidance.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>School of Medicine 
websites are public-facing systems and must not be used to store, collect, or display sensitive or restricted information. Following data security requirements protects patients, faculty, staff, students, and the University and helps ensure compliance with UNC and SOM policies. This page provides an overview of key data security principles for SOM websites &hellip; <a href=\"https:\/\/www.med.unc.edu\/webguide\/userguide\/web-standards-policies\/data-security\/\" aria-label=\"Read more about Data Security\">Read more<\/a><\/p>\n","protected":false},"author":3206,"featured_media":0,"parent":2197,"menu_order":8,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"layout":"","cellInformation":"","apiCallInformation":"","footnotes":"","_links_to":"","_links_to_target":""},"class_list":["post-15340","page","type-page","status-publish","hentry","odd"],"acf":[],"_links_to":[],"_links_to_target":[],"_links":{"self":[{"href":"https:\/\/www.med.unc.edu\/webguide\/wp-json\/wp\/v2\/pages\/15340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.med.unc.edu\/webguide\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.med.unc.edu\/webguide\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.med.unc.edu\/webguide\/wp-json\/wp\/v2\/users\/3206"}],"replies":[{"embeddable":true,"href":"https:\/\/www.med.unc.edu\/webguide\/wp-json\/wp\/v2\/comments?post=15340"}],"version-history":[{"count":6,"href":"https:\/\/www.med.unc.edu\/webguide\/wp-json\/wp\/v2\/pages\/15340\/revisions"}],"predecessor-version":[{"id":15346,"href":"https:\/\/www.med.unc.edu\/webguide\/wp-json\/wp\/v2\/pages\/15340\/revisions\/15346"}],"up":[{"embeddable":true,"href":"https:\/\/www.med.unc.edu\/webguide\/wp-json\/wp\/v2\/pages\/2197"}],"wp:attachment":[{"href":"https:\/\/www.med.unc.edu\/webguide\/wp-json\/wp\/v2\/media?parent=15340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}