PDAT-07

Does your staff (or a third party) have access to institutional data (e.g., financial, PHI, or other sensitive information) through any means?

Explanation

This question is asking whether your company's employees or any third-party contractors can access sensitive data belonging to the institution (the organization conducting the security assessment). Sensitive institutional data includes personally identifiable information (PII), protected health information (PHI), financial records, student records, research data, or other confidential information.

The question is being asked to understand the scope of data access and potential exposure points. Organizations need to know who can see their sensitive data to properly assess risk. Even if access is legitimate and necessary for providing your service, it represents a potential security and privacy risk that must be managed.

When answering this question, you should be transparent about:

1. Who has access (your staff, support teams, engineers, third-party vendors)
2. What type of data they can access
3. Why they need this access (troubleshooting, customer support, etc.)
4. What controls are in place to protect this access (least privilege, monitoring, etc.)

The guidance note acknowledges that some access may be necessary for legitimate business purposes, so having access isn't automatically problematic - but how that access is managed and protected is critical.

Guidance

Accessing institutional data may be necessary for legitimate business purposes.

Example Responses

Example Response 1

Yes, our technical support staff has access to institutional data on an as-needed basis to troubleshoot customer issues. This includes potential access to financial data and other sensitive information stored in our system. All access is logged, requires management approval, follows least-privilege principles, and is subject to regular audits. Support personnel receive annual privacy and security training specific to handling sensitive data. We maintain a data access policy that requires staff to access only the minimum data necessary to resolve the issue, and all access events are monitored in real time for suspicious activity.

Example Response 2

Yes, our development team has read-only access to a sanitized version of production data for debugging purposes. While this data may contain structures similar to institutional data, all personally identifiable information, financial details, and PHI are automatically redacted or replaced with synthetic data before developers can access it. Our QA environment never contains actual institutional data. For rare cases where production access is required to resolve critical issues, we implement a break-glass procedure with full audit logging, time-limited access, and dual authorization requirements.

Example Response 3

No, our staff and third parties do not have access to institutional data. Our solution is designed with a zero-knowledge architecture where all sensitive institutional data is encrypted client-side before being stored in our systems. The encryption keys remain solely in the institution's control, and our staff cannot decrypt or access the actual content of stored data. However, we should note that this approach means we cannot provide certain support functions, such as content-specific troubleshooting or data recovery if the institution loses their encryption keys. We've made this architectural choice to maximize data privacy, though it does create some functional limitations.

Context

Tab: Privacy
Category: Privacy of Sensitive Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub