University of Alabama at Birmingham
DATA PROTECTION RULE
January 27, 2017
Related Policies, Procedures, and Resources
- Data Protection and Security Policy
- Data Classification Rule
The objective of this data protection rule is to assist the UAB community with the protection requirements for data and systems based on the Data Classification Rule.
2.0 Scope and Applicability
All UAB data stored, processed, or transmitted must be protected in accordance with this requirement. Based on classification, users are required to implement appropriate security controls.
3.0 Responsibilities for Protecting Institutional Data
All users with access to UAB data are required to protect these data appropriately.
3.1 Specific Roles and Responsibilities for Protecting Institutional Data
3.2 Data Stewards have administrative control and are officially accountable for a specific information asset. Data Stewards shall:
- assign an appropriate classification to the information;
- govern processes for determining access to information assets; and
- ensure compliance with policies and regulatory requirements related to the information.
Examples: VP of Financial Affairs & Administration - financial and HR data; VP of Research & Economic Development - research administration data; Deans and Department Chairs - data from their respective academic area.
3.3 Data Custodians safeguard the data on behalf of the Data Steward.
- UAB’s central Information Technology (IT) units shall be responsible for protecting all Institutional Data maintained/stored in the institutional information systems.
3.4 UAB Information Security
Members of the UAB Information Security team are responsible for developing and implementing an information security program as well as the supporting data security and protection policies, standards and procedures.
3.5 Information Security Liaison
Each unit or department senior manager will designate at least one Information Security Liaison (ISL) who will act as a liaison to the UAB Information Security team. Liaisons oversee information security responsibilities for the units, including assisting with security awareness and security incident response.
3.6 System Administrators
System Administrators are individuals within the central IT/HSIS or school/department units with day-to-day responsibility for maintaining information systems.
3.7 Data Users
Data Users are individuals authorized to access UAB data and are responsible for protecting the information assets on a daily basis through adherence to UAB policies.
4.0 Protection Requirements Based on Classification
The table below defines minimum protection requirements for each category of data when being used or handled in a specific context (e.g. Sensitive Data sent in an email message). Please note that these protections are not intended to supersede any regulatory or contractual requirements for handling data.