What is confidential data?

Confidential data is data belonging to a customer about its constituents or its business details, such as internal processes, which is not subject to regulations and privacy agreements.

Note: This information is meant to serve as a guide to aid you as you architect and develop your applications. It is not comprehensive in scope, but will aid you in completing your attestation.

The below items, or any combination thereof, should be considered sensitive information and extreme care should be taken when processing or storing them. Additionally, these items are considered to be "restricted data types", thus should never appear in any debug info, error or exception logs, or any other logging method.

Confidential data type examples

  • Card holder data (CHD)

  • Sensitive Personally Identifiable Information (PII)

  • Protected Health Information (PHI)

  • Data about a charity’s financial performance

  • Fundraising totals for a particular charity

See additional examples and key information below.

  • Primary Account Number (PAN)

  • CID or CAV2/CID/CVC2/CVV2

  • PIN or PIN Block

  • Magnetic Stripe or Chip data

Sensitive personal data means any personal data that:

  1. requires a high degree of protection by law and where loss or unauthorized disclosure would require notification by Blackbaud to customers, government agencies, individuals or law enforcement;

  2. any information that, if made public, could expose individuals to a risk of physical harm, fraud, or identity theft; and/or

  3. Protected Health Information

Examples of Sensitive Personal Data include, but are not limited to:

  • Social security numbers

  • National government issued identification numbers, such as passport and visa numbers

  • State or province-issued identification numbers

  • Driver’s license numbers

  • Tax identification numbers

  • Dates of birth

  • Bank account numbers

  • Credit card numbers

  • Debit card information

  • Medical information

  • Customer authentication credentials.

    Note: Authentication credentials, encryption keys, and encryption passwords used to protect Sensitive Personal Data are themselves classified as Sensitive Personal Data.-

  • Medical record numbers

  • Health Insurance numbers

  • Healthcare related information

  • Medical insurance information

  • Certificate / License numbers

  • Vehicle identifiers

  • Biometric identifiers (finger, retinal, and voice prints)

  • Medical diagnose information

Strong encryption is the use of encryption technologies, with minimum key lengths of 128-bits for symmetric encryption and 2048-bits for asymmetric encryption, whose strength provides reasonable assurance that it will protect the encrypted information from unauthorized access and is adequate to protect the confidentiality and privacy of the encrypted information. It should also incorporate: 

  • A documented policy for the management of the encryption keys

  • Associated processes adequate to protect the confidentiality and privacy of the keys and passwords used as inputs to the encryption algorithm