HECVAT Category

Privacy of Sensitive Data

The Privacy of Sensitive Data category groups the HECVAT controls and questions that relate to this domain. It outlines the expectations institutions typically have of vendors, helps assess a vendor's risk posture and operational maturity, and gives security reviews a consistent structure for evaluation.

Assessment Questions

PDAT-01

Do you collect, process, or store demographic information?

This question is asking whether your organization collects, processes, or stores demographic information about individuals. Demographic information includes characteristics that describe a population, such as age, gender, ethnicity, education level, religion, geographic location, or occupation.

PDAT-02

Do you capture or create genetic, biometric, or behaviometric information (e.g., facial recognition or fingerprints)?

This question is asking whether your organization collects or processes particularly sensitive personal data related to genetic information (DNA, family medical history, genetic test results), biometric data (physical characteristics that can be used for identification like fingerprints, retina scans, or facial recognition), or behaviometric information (behavioral patterns that can identify individuals, such as typing patterns, gait analysis, or voice recognition).

PDAT-03

Do you combine institutional data (including "de-identified," "anonymized," or otherwise masked data) with personal data from any other sources?

This question is asking whether your organization combines institutional data (data from colleges or universities) with personal data from other sources. This is a critical privacy question because combining datasets can lead to re-identification of individuals, even when the original institutional data was supposedly anonymized or de-identified.

PDAT-04

Is institutional data coming into or going out of the United States at any point during collection, processing, storage, or archiving?

This question is asking whether any institutional data (which typically includes sensitive information like student records, financial data, research data, etc.) crosses international borders at any point in its lifecycle. Specifically, it's asking if data is transmitted to or from locations outside the United States during collection (when data is gathered), processing (when data is manipulated or analyzed), storage (where data resides), or archiving (long-term retention).

PDAT-05

Do you capture device information (e.g., IP address, MAC address)?

This question is asking whether your organization or service collects identifying information about the devices that connect to your systems. Device information primarily includes IP addresses (which identify a device on a network) and MAC addresses (a hardware identifier unique to a network interface).

PDAT-06

Does any part of this service/project involve a web/app tracking component (e.g., use of web-tracking pixels, cookies)?

This question is asking whether your service or application uses any technologies that track user behavior or collect user data through web browsers or mobile apps. Web tracking components include technologies like:

PDAT-07

Does your staff (or a third party) have access to institutional data (e.g., financial, PHI, or other sensitive information) through any means?

This question is asking whether your company's employees or any third-party contractors can access sensitive data belonging to the institution (the organization conducting the security assessment). Sensitive institutional data includes personally identifiable information (PII), protected health information (PHI), financial records, student records, research data, or other confidential information.

PDAT-08

Will you handle personal data in a manner compliant with all relevant laws, regulations, and applicable institution policies?

This question is asking whether your organization will comply with all applicable laws, regulations, and institutional policies when handling personal data. Personal data refers to any information that can identify an individual, such as names, addresses, social security numbers, financial information, health records, etc.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub