Handling Restricted Data

Every data set at UAB has a value, and that value is determined by UAB’s Data Classification Rule. As UAB constituents, it is incumbent upon all of us to understand the value of institutional data sets that we interact with and protect them at the appropriate level. UAB’s most valuable data sets are classified by the university as Restricted/PHI data (or Restricted).

1.0 Overview

Restricted data is data that is highly confidential in nature, that carries significant risk from unauthorized access, or whose uninterrupted accessibility is critical to UAB operation. Privacy and security controls are typically required by law or contract.

Examples

  • HIPAA PHI
  • Social Security numbers (SSNs)
  • Credit card numbers (PCI DSS)
  • GLBA data
  • Export Controlled data
  • FISMA regulated data
  • Log-in credentials
  • Information protected by non-disclosure agreements

2.0 Protecting Restricted Data

Any compromise of Restricted data would damage UAB’s reputation significantly and could result in hefty punitive fines being levied against the university. Everyone who handles Restricted data at UAB is responsible for protecting it. By protecting it, we also better protect ourselves and our fellow students and employees by reducing the chance that a compromise or a breach will occur.

Should a compromise of Restricted data occur, there is a strong likelihood that the UAB employee who sent or stored that data will be held responsible for the compromise. This, in turn, could lead to job loss, per UAB’s Data Protection and Security Policy.

3.0 Institutional Restricted Data?

In order to provide added measures of protection for Restricted data, UAB has adopted the Data Protection Rule. This standard prescribes a number of security controls designed to protect each of the three data classifications. Anyone at UAB who handles institutional Restricted data is responsible for ensuring that the Protection Rule requirements are followed in order to protect that data. The following are key strategies that aid in safeguarding Restricted data:

  • Review your data, files, and workflow processes to determine if you store, process, or transmit Restricted data, such as SSNs and/or credit card numbers. Storing UAB institutional data that is classified as Restricted on personally owned devices is not permitted.
  • If you determine that you do handle Restricted data, ask whether it actually is necessary to store, process, or transmit that data. If the answer is no, then delete those files and change your business process so that Restricted data is no longer a part of that process.
  • Delete unnecessary files that have not been modified within the last seven years, especially if they contain Restricted data.

3.1 PHI Data

If you are storing, processing, or transmitting patient data (PHI), there are specific policies that govern the protection of such data. Consult UAB’s HIPAA policies to determine if you are in compliance with those policies. If not, you will need to delete or encrypt the files containing the patient data and change any business processes that involve that data to ensure the patient data is correctly protected.

3.2 Credit Card Numbers

Never store credit card numbers, and delete all files that contain credit card numbers. All storage, processing, and transmission of credit card data must belong to business processes that are approved by Financial Affairs and meet both the security requirements set forth by UAB policy and the Payment Card Industry Data Security Standard (PCI DSS).

3.3 Social Security Numbers

If SSNs must be collected and the associated business processes cannot be re-engineered, adhere to the requirements specified in the UAB Data Protection Rule to secure the Restricted data. First and foremost, do not store SSNs in an unprotected state, such as an unencrypted file or database.

3.4 Deleting Restricted Data

For guidelines on how to delete, redact, or replace Restricted data, review the “Data Reduction” and “Options for Dealing with Social Security Numbers” sections of UAB’s Data Reduction site.