Data protection rule

University of Alabama at Birmingham

DATA PROTECTION RULE

January 27, 2017

 Related Policies, Procedures, and Resources

  • Data Protection and Security Policy
  • Data Classification Rule

 1.0 Introduction

The objective of this data protection rule is to assist the UAB community in the protections requirements of data and systems based on the Data Classification Rule.

2.0 Scope and Applicability

All UAB data stored, processed, or transmitted must be protected in accordance with this requirement.  Based on classification; users are required to implement appropriate security controls.

3.0 Responsibilities for Protecting Institutional Data

All users with access to UAB data are required to protect these data appropriately.

3.1 Specific Roles and Responsibilities for Protecting Institutional Data

3.2 Data Stewards have administrative control and are officially accountable for a specific information asset.  Data Stewards shall:

  • assign an appropriate classification to the information;
  • govern processes for determining access to information assets; and
  • ensure compliance with policies and regulatory requirements related to the information.

Examples:  VP of Financial Affairs & Administration - financial and HR data; VP of Research & Economic Development - research administration data; Deans and Department Chairs and data from their respective academic area.

3.3 Data Custodians safeguard the data on behalf of the Data Steward.

  • UAB’s central Information Technology (IT) units shall be responsible for protecting all Institutional Data maintained/stored in the institutional information systems.

3.4 UAB Information Security

Members of the UAB Information Security team are responsible for developing and implementing an information security program as well as the supporting data security and protection policies, standards and procedures.

3.5 Information Security Liaison

Each unit or department senior manager will designate at least one ISL who will act as a liaison to the UAB information Security Team.  Liaisons oversee information security responsibilities for the units, including assisting with security awareness and security incident response.

3.6 System Administrators

System Administrators are individuals within the central IT/HSIS or school/department units with day-to-day responsibility for maintaining information systems.

3.7 Data Users

Data Users are individuals authorized to access UAB data and are responsible for protecting the information assets on a daily basis through adherence to UAB policies.

 

4.0 Protection Requirements Based on Classification

The table below defines minimum protection requirements for each category of data when being used or handled in a specific context (e.g. Sensitive Data sent in an email message). Please note that these protections are not intended to supersede any regulatory or contractual requirements for handling data.

 

Public Data

Collection and Use

No protection requirements

Granting Access or Sharing

No protection requirements

Disclosure, Public Posting, etc.

No protection requirements

Electronic Display

No protection requirements

Open Records Requests

Data can be readily provided upon request. However, individuals who receive a request must coordinate with University Relations Office before providing data.

Exchanging with Third Parties, Service Providers, Cloud Services, etc.

No protection requirements

Storing or Processing: Server Environment

Servers that connect to the UAB network must comply with IT Security Practices.

Storing or Processing: Endpoint Environment (e.g. laptop, phone, desktop, tablet, etc.)

Systems that connect to the UAB network must comply with IT Security Practices.

Storing on Removable Media (e.g. thumb drives, CDs, tape, etc.)

No protection requirements

Electronic Transmission

No protection requirements

Email and other electronic messaging

No protection requirements

Printing, mailing, fax, etc.

No protection requirements

Disposal

No protection requirements

 

Sensitive Data

Collection and Use

Limited to authorized uses only.

Units/Colleges that collect and/or use Sensitive Data should participate in the Information Security Program by reporting servers to the Enterprise Information Security Office.

In addition, any/all servers that process or store Sensitive Data must meet all requirements associated with applicable laws and/or standards.

Additionally, sensitive institutional data must be stored and managed in unit or higher systems.

Granting Access or Sharing

Access shall be limited to authorized University officials or agents with a legitimate academic or business interest and a need to know as outlined by UAB policies.

All access shall be approved by an appropriate data owner and tracked in a manner sufficient to auditable.

Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved through the UAB contract process.

Disclosure, Public Posting, etc.

Sensitive Data shall not be disclosed without consent of the data owner.

Sensitive Data may not be posted publicly.

Directory information can be disclosed without consent. However, per FERPA, individual students can opt out of directory information disclosure.

Electronic Display

Only to authorized and authenticated users of a system.

Open Records Requests

Sensitive Data is typically not subject to open records disclosure. However, some open records requests can be fulfilled by redacting sensitive portions of records. Individuals who receive a request must coordinate with the University Relations Office.

Exchanging with Third Parties, Service Providers, Cloud Services, etc.

A contractual agreement (or MOU if governmental agency) outlining security responsibilities shall be in place and approved through the UAB contract process before exchanging data with the third party / service provider.

UAB Box.com – no special requirements.

Storing or Processing: Server Environment

Servers that process and/or store sensitive institutional data must comply with IT Security Practices, as well as applicable laws and standards.  Additionally, sensitive institutional data must be stored and managed in unit or higher systems.

Storing or Processing: Endpoint Environment (e.g. laptop, phone, desktop, tablet, etc.)

Systems that connect to the UAB network must comply with IT Security Practices, as well as applicable laws and standards.

In addition, any/all systems that process or store Sensitive Data must be encrypted volume and endpoint must require PIN and/or password for access to device.

Storing on Removable Media (e.g. thumb drives, CDs, tape, etc.)

Sensitive Data shall only be stored on removable media in an encrypted file format or within an encrypted volume.

Electronic Transmission

Sensitive Data shall be transmitted in either an encrypted file format or over a secure protocol or connection.

Email and other electronic messaging

Messages shall only be sent to authorized individuals with a legitimate need to know.

Messages with Sensitive Data shall be transmitted only to other uab.edu or uabmc.edu email recipients.

Sensitive Data may be shared through approved UAB services.

Printing, mailing, fax, etc.

Printed materials that include Sensitive Data shall only be distributed or available to authorized individuals or individuals with a legitimate need to know.

Access to any area where printed records with Sensitive Data are stored shall be limited by the use of controls (e.g. locks, doors, monitoring, etc.) sufficient to prevent unauthorized entry.

Do not leave printed materials that contain Sensitive Data visible and unattended.

Disposal

Follow the UAB Secure Media Destruction process for the secure disposal of discs, CDs, DVDs, tapes and hard drives.

Repurposed for University Use - Multiple pass overwrite.  NOT Repurposed for University Use - Physically destroy.

Follow the Destruction of University Records Procedure for printed materials.

 

 

Restricted/PHI Data

Collection and Use

Limited to authorized uses only.

Unit/Colleges that collect and/or use Restricted should participate in the Information Security Program by reporting servers to the Enterprise Information Security Office.

In addition, any/all servers that process or store Restricted Data must meet all requirements associated with applicable laws and/or standards.

Additionally, restricted/PHI data must be stored on servers located in the UAB data center and managed by Central IT.

SSNs may not be used to identify members of the UAB community if there is a reasonable alternative.

SSNs shall not be used as a username or password.

SSNs shall not be collected on unauthenticated individuals.

All credit/debit card uses must be approved by the VP of Financial Affairs and Administration Office.

Granting Access or Sharing

Access shall be limited to authorized University officials or agents with a legitimate academic or business interest and a need to know as outlined by UAB policies.

All access shall be approved by an appropriate data owner and tracked in a manner sufficient to auditable.

Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved through the UAB contract process.

Disclosure, Public Posting, etc.

Not permitted unless required by law.

Electronic Display

Restricted data shall be displayed only to authorized and authenticated users of a system.

Identifying numbers or account number shall be, at least partially, masked or redacted.

Open Records Requests

Restricted data is typically not subject to open records disclosure. However, some open records requests can be fulfilled by redacting Restricted portions of records. Individuals who receive a request must coordinate with the University Relations Office.

Exchanging with Third Parties, Service Providers, Cloud Services, etc.

A contractual agreement (or MOU if governmental agency) and/or Business Associate Agreement (BAA) outlining security responsibilities shall be in place and approved through the UAB contract process before exchanging data with the third party / service provider.

UAB Box.com – Subject to any applicable laws.

Storing or Processing: Server Environment

Servers that process and/or store sensitive institutional data must comply with IT Security Practices, as well as applicable laws and standards.  Additionally, restricted/PHI data must be stored on servers located in the UAB data center and managed by Central IT.

Storing Credit/Debit card PAN data is not permitted.

Storing or Processing: Endpoint Environment (e.g. laptop, phone, desktop, tablet, etc.)

Servers that connect to the UAB network must comply with IT Security Practices.

In addition, any/all systems that process or store Restricted Data must be encrypted volume and endpoint must require PIN and/or password for access to device.

Storing Credit/Debit card PAN data is not permitted.

Storing Restricted Data on personally owned devices is not permitted.

Devices storing or processing restricted data must be physically secure at all times.

Avoid storing Restricted Data on portable devices.

Storing on Removable Media (e.g. thumb drives, CDs, tape, etc.)

Not permitted unless required by law.

If required by law, Restricted Data stored on removable media shall be encrypted and the media shall be stored in a physically secured environment. Storing restricted data on personally-owned media is not permitted.

Electronic Transmission

Secure, authenticated connections or secure protocols shall be used for transmission of Restricted Data.

Email and other electronic messaging

Not permitted without express authorization or unless required by law.

Messages with Restricted Data shall be transmitted in either an encrypted file format or only through secure, authenticated connections or secure protocols.

Restricted Data may be shared through approved UAB services.

SSNs may not be shared through email or other electronic messaging.

Credit card data may not be shared through email or other electronic messaging.

Printing, mailing, fax, etc.

Printed materials that include Restricted Data shall only be distributed or available to authorized individuals or individuals with a legitimate need to know.

Access to any area where printed records with Restricted Data are stored shall be limited by the use of controls (e.g. locks, doors, monitoring, etc.) sufficient to prevent unauthorized entry.

Do not leave printed materials that contain Restricted Data visible and unattended.

Social Security Numbers shall not be printed on any card required to access services.

New processes requiring the printing of SSN on mailed materials shall not be established unless required by another state agency or a federal agency.

Disposal

Follow the UAB Secure Media Destruction process for the secure disposal of discs, CDs, DVDs, tapes and hard drives.

Repurposed for University Use - Multiple pass overwrite.  NOT Repurposed for University Use - Physically destroy.

Follow the Destruction of University Records Procedure for printed materials.

Restricted Data that is no longer necessary for University business should be disposed to minimize risk of data breach.

 

Last modified on March 03, 2017