Does your staff (or a third party) have access to institutional data (e.g., financial, PHI, or other sensitive information) through any means?
Explanation
Access to institutional data is the concern here, namely whether your staff or any third party can reach sensitive information such as financial records or PHI through any means. Sensitive institutional data includes personally identifiable information (PII), protected health information (PHI), financial records, student records, research data, or other confidential information.
The question is being asked to understand the scope of data access and potential exposure points. Organizations need to know who can see their sensitive data to properly assess risk. Even if access is legitimate and necessary for providing your service, it represents a potential security and privacy risk that must be managed.
When answering this question, you should be transparent about:
- Who has access (your staff, support teams, engineers, third-party vendors)
- What type of data they can access
- Why they need this access (troubleshooting, customer support, etc.)
- What controls are in place to protect this access (least privilege, monitoring, etc.)
The guidance note acknowledges that some access may be necessary for legitimate business purposes, so having access isn't automatically problematic - but how that access is managed and protected is critical.
Guidance
Accessing institutional data may be necessary for legitimate business purposes.
Example Responses
Example Response 1
Yes, our technical support staff has access to institutional data on an as-needed basis to troubleshoot customer issues This includes potential access to financial data and other sensitive information stored in our system All access is logged, requires management approval, follows least-privilege principles, and is subject to regular audits Support personnel receive annual privacy and security training specific to handling sensitive data We maintain a data access policy that requires staff to access only the minimum data necessary to resolve the issue, and all access events are monitored in real-time for suspicious activity.
Example Response 2
Yes, our development team has read-only access to a sanitized version of production data for debugging purposes While this data may contain structures similar to institutional data, all personally identifiable information, financial details, and PHI are automatically redacted or replaced with synthetic data before developers can access it Our QA environment never contains actual institutional data For rare cases where production access is required to resolve critical issues, we implement a break-glass procedure with full audit logging, time-limited access, and dual authorization requirements.
Example Response 3
No, our staff and third parties do not have access to institutional data Our solution is designed with a zero-knowledge architecture where all sensitive institutional data is encrypted client-side before being stored in our systems The encryption keys remain solely in the institution's control, and our staff cannot decrypt or access the actual content of stored data However, we should note that this approach means we cannot provide certain support functions like content-specific troubleshooting or data recovery if the institution loses their encryption keys We've made this architectural choice to maximize data privacy, though it does create some functional limitations.
Context
- Tab
- Privacy
- Category
- Privacy of Sensitive Data
Related questions
- Do you collect, process, or store demographic information?
- Do you capture or create genetic, biometric, or behaviometric information (e.g., facial recognition or fingerprints)?
- Do you combine institutional data (including "de-identified," "anonymized," or otherwise masked data) with personal data from any other sources?
- Is institutional data coming into or going out of the United States at any point during collection, processing, storage, or archiving?
- Do you capture device information (e.g., IP address, MAC address)?
- Does any part of this service/project involve a web/app tracking component (e.g., use of web-tracking pixels, cookies)?

