Data Access and Security
Policies for access to and security of sensitive data have traditionally been built around granting, sustaining, and revoking access to institutional data. Institutional data is commonly organized in a tiered data architecture, with each tier defined by data classification, security, and protection standards that reflect legal requirements, the level of confidentiality needed, and the minimum protections that must be in place before access is granted. Identified data stewards, honest brokers, and trusted designees are the persons or entities tasked with granting tiered access to individuals. Establishing effective cybersecurity governance is an important part of institutional efforts to safeguard assets and protect people.
Robust data security measures are needed to protect data from breaches and unauthorized access or use. These principles apply to all sensitive data, but the consequences of the misuse of SOGI data could be particularly damaging for LGBTQIA+ communities.
- Store data in secure databases or systems with robust encryption, both in transit and at rest, so that a stolen copy of the database, its backups, or network traffic is unreadable without the keys. Note that encryption does not protect against misuse by accounts that are authorized to decrypt; that risk is addressed by the access controls below.
- Implement tiered access controls, designed so that finer-grained control can be added later as policy requires. Use an access-control model in which individuals are granted access based on their persona (role) within the institution; this can extend to term-limited access, or to access restricted to a particular set of a student's instructors. Also consider appropriate use by type of application and/or function (e.g., student information systems, directories, research).
- Require data usage agreements. Individuals should be registered, and each request should flow through a formal approval process before access is provisioned.
- Regularly review the data-collection and analysis processes to ensure compliance with ethical standards and applicable regulations.
- Educate staff and faculty members on the importance of data security and privacy. Enforce strict policies regarding data handling, access, and sharing.
- Educational institutions that use third-party services or vendors for data storage or processing must ensure that these entities comply with security standards and protocols. SOGI data should not be provided to third-party services or vendors that do not have a critical need for it, and only the specific variables and data needed should be provided. Contracts and agreements should include stringent security measures and require compliance with data-protection regulations.
Any database that contains SOGI data for identifiable individuals can put those people at risk, so proper security protections are essential to prevent bad actors, whether internal or external to the institution, from gaining access to sensitive information. A newer threat, however, sets itself apart from conventional risks: in some circumstances, people in positions of power and authority can obtain this information through legal, legitimate channels, and the data can then be used to discriminate and cause harm. Higher education institutions must therefore put new policies and practices in place, including bulk data-deletion policies and processes, to eliminate or mitigate these risks. Because storing SOGI data in a database may create risks that cannot be adequately mitigated, the safest approach in some circumstances might be an unconventional one: to allow LGBTQIA+ students to be addressed correctly in class, an instructor could keep a hand-written list of students' names and pronouns and destroy the list at the end of the term.
Security Steps and Considerations
Any institutional approach to establishing a security framework should include the following elements:
- Data Inventory and Mapping: Create a data map by identifying every location where sensitive data is stored, including databases, file servers, cloud services, backups, and physical records. Note the type of record (paper, electronic image, voice/video recording, document, or other).
- Access Controls and Reviews: Determine who has access to the data and for what length of time, and which architecture you will use (tiered, individual access, open by default, closed by default, or a combination).
- Monitoring and Auditing: Implement robust auditing mechanisms to log access and modifications to sensitive data. Set up real-time monitoring and alerting systems to detect unusual or unauthorized access. Implement a regular review and attestation of continued required business need for access.
- Incident Response Plan: Document procedures to detect, respond to, and limit the consequences of malicious cyberattacks and of accidental exposure, and identify who must be notified when SOGI data is involved.
- Compliance and Legal Considerations: Compliance with handling requirements for sensitive data is not only a legal obligation but also a strategic imperative. It safeguards individuals' rights, preserves the institution's reputation, and supports the institution's long-term mission in an increasingly data-centric and regulated world. Failure to comply with data protection laws and regulations can result in severe legal consequences, including fines, penalties, and other court-ordered mandates.
- Continuous Policy/Process Review: Maintain thorough documentation of policy development, implementation, and compliance efforts. Take steps to understand and minimize the ways in which predictive (including AI), prescriptive, or diagnostic analytics that combine two or more datasets from one or more units can be used to re-identify or single out a vulnerable individual and their details.
- Deletion Processes: Ensure that all SOGI data that is not already legally required to be maintained can be quickly and permanently removed from all institutional databases if needed, per individual or for the entire dataset, and document the procedures for doing so.
Data Security Policy
Groups to Consult at Your Institution
- LGBTQIA+ communities
- Institutional data privacy officer or equivalent
- Policy and governance groups
- Office of diversity, equity, and inclusion or equivalent
- General counsel
- Information technology (central and distributed)
When developing a data security policy, consider the following questions, with particular attention to the sensitivity of SOGI data:
- Who are the stakeholders? Determine the key stakeholders involved in the management and protection of sensitive data. LGBTQIA+ people themselves should be considered primary stakeholders who must be included. The list may also include IT personnel, legal experts, compliance officers, data owners, and community experts, including campus offices that support LGBTQIA+ communities. Most importantly, the list must include the data subjects (the individuals whose records are held), whose input should be sought before any data is processed, tracked, monitored, or disseminated to intended recipients.
- How will the data be classified? Review existing data classification frameworks and develop a classification scheme to categorize sensitive data into various levels, such as public, internal, confidential, or highly sensitive (a tiered data architecture). This work will be complex and should include as many stakeholders as possible without jeopardizing speed.
- Are policy objectives clearly identified? Clearly state purposes and boundaries around the data use. Explicitly define the objectives of the policy, including data protection, regulatory compliance, and privacy considerations.
- What is the policy scope? When determining scope, include the types of data covered; the relevant systems, locations, or departments; and any time limits that apply.
- What are the guidelines for data storage, transfer, sharing, monitoring, and tracking? Establish guidelines for tracking, handling, and securing sensitive data throughout the data life cycle (who, what, when, and how long).
- Is there a data recall, overwrite, and retention policy? If yes, what is that policy? If not, why doesn't such a policy exist, and should it?