Storage options with data classification

The following is a brief comparison of secure online storage at the University of Nebraska and other online storage services. If you have unique or secure store needs, please use the storage request form.

Review the UN Policy on Risk Classification and Minimum Security Standards for additional details.


  • 1 = In restricted folders with access limited to only NU employees who have a need to know.
  • 2 = With the review and approval of the Security office.
  • 3 = HIPAA compliance includes business office practices in addition to secure storage. A person within the department or office must be responsible for HIPAA compliance and should contact the applicable HIPAA Privacy Officer and HIPAA Security Officer.
  • 4 = Requires IRB approval and sign-off

Data Classification




Data Type Public Data FERPA Confidential Data
(not covered by FERPA)
OneDrive for Business Y Y Y N N N N N N
SharePoint Y Y Y Y, 1, 2, 3 Y, 1, 2 N Y, 1, 2 N N
ITS managed local storage Y Y Y N Y, 1, 2 Y, 1, 2 N N N
Cloud hosted storage or archive storage (AWS/Azure) Y Y Y Y, 1, 2, 3 Y, 2 Y, 1, 2 Y, 1, 2 N N
Microsoft GCC Low / AWS GovCloud Y Y Y Y, 1, 2, 3 Y, 2 Y, 1, 2 Y, 1, 2 Y, 2, 4 N
Microsoft GCC High N N N N N N N N Y, 2, 4

Data Definitions

  • Public Data - Directory Information, any university information publicly available
  • FERPA - Student Grades, Student class schedule, UIN, Advisor Student Notes, Financial Aid data. Note: Banner is the system of record for all academic data
  • Confidential (NOT covered by FERPA) - Internal departmental information, non-public university information not covered by another category
  • HIPAA - Personal Health records, Health Insurance Data
  • PII - (Institutional Data) SSN, Driver License Numbers, Passport Numbers, Biometrics, combinations of information used to identify an individual
  • GLBA - Financial Aid, Customer financial transaction records.
  • PCI-DSS - Credit Card Numbers, Bank Account, and Routing Numbers
  • FedRamp - Standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
  • ITAR - The International Traffic in Arms Regulations (ITAR) is the United States regulation that controls the manufacture, sale, and distribution of defense and space- related articles and services as defined in the United States Munitions List (USML)