Data Protection Rule establishes responsibilities for data classification

Protecting UAB data — from personal health and financial information to top-notch research — is one of the most important responsibilities at the University.

UAB’s Data Protection Rule establishes roles and responsibilities for those individuals and groups who will safeguard and use UAB data.

UAB IT and UAB Health System officials worked together to develop the Data Classification Rule, which has three levels of data: public, sensitive and restricted/PHI (personal health information).

The accompanying Data Protection Rule establishes six specific roles for those protecting institutional data.

“While the people with the most accountability for securing University data are in leadership and information technology, all of us at UAB have a responsibility to safeguard our data according to the proposed classification standard,” said Brian Rivers, assistant vice president and chief information officer. “That responsibility protects the university and the individuals who work here and attend school here.”

Data stewards

Data stewards have administrative control and are officially accountable for a specific information set. Examples include the vice president of Financial Affairs and Administration; the vice president for Research and Economic Development; deans and department chairmen overseeing data from their respective academic areas; and hospital managers or directors and vice presidents overseeing data from their respective clinic areas.

Data custodians

Data custodians safeguard the data on behalf of the data steward. While data stewards are ultimately responsible for the security of data, data custodians ensure the security controls are in place. UAB’s central Information Technology units (UAB IT) will be responsible for protecting all institutional data maintained and stored in the institutional information systems. UAB Health Services Information Services (HSIS) will be responsible for protecting all Health System data maintained and stored in the institutional information systems.

UAB Information Security

Members of the UAB IT and UAB Health System information security teams are responsible for developing and implementing the information security program, as well as the supporting data security and protection policies and procedures.

Departmental security administrators

Each unit or department senior manager will choose one departmental security administrator (DSA) to act as a liaison with the UAB Information Security team. DSAs oversee information security responsibilities for their departments, including security awareness and security incident response.

System administrators

System administrators in UAB IT, HSIS and school/department units who handle day-to-day maintenance of information systems are responsible for following data security protection procedures and practices.

Data users

Data users are individuals who are authorized to access UAB data and who are responsible for protecting information assets on a daily basis through adherence to UAB policies.

Last modified on February 22, 2017