Data Protection

From ITS Wiki - Information Technology Services - University of Rhode Island

Background and Purpose

The University of Rhode Island uses and creates data that requires protection, and conforms to federal and state law, as well as university policies. This policy is meant to guide the University community in using adequate data protection procedures.

Definitions

Data Protection

Everyone should ensure the security and confidentiality of their sensitive data such as name, date of birth, social security numbers, credit card numbers, driver's license numbers, proprietary research data, privileged legal information, and data protected by law. When this data is stored electronically, the person responsible for the data should take extra precautions to provide confidentiality and security.

Data Authority

Information Technology Services is responsible for ensuring that people protect all of their sensitive information maintained on the university's information systems. Any department or entity that stores information on mobile devices will be responsible for protecting and securing that information. When the data is stored on department systems, the department head is responsible for the protection of that data.

System Administrators

System Administrators are responsible for the daily maintenance of the information systems and follow data security and protection procedures. When they discover any security breaches, they are required to report them to their supervisors. System Administrators perform risk assessment and data backups as well as secure storage for the backups. They also execute disaster recovery plans, and provide system documentation.

Users

The URI community is responsible for following all policies for the systems that they are using. Users should not download or transfer sensitive data without permission and the proper security in place. Users are also responsible for reporting activities that may compromise URI data to their supervisors.


Student Information

Private Information

The following data may not be revealed by the University without student consent.

  • Grades
  • Student financial information
  • Credit card numbers
  • Bank accounts
  • Wire transfers
  • Payment history
  • Financial aid or grants
  • Student bills

Public Information

The following data may ordinarily be revealed by the University without student consent unless the student designates otherwise.

  • Name
  • Date of birth
  • Place of birth
  • Phone number
  • Electronic mail address
  • Mailing address
  • Campus office address (graduate students)
  • Secondary mailing or permanent address
  • Residence assignment and room or apartment number
  • Specific quarters or semesters of registration at URI
  • Major(s)
  • Minor(s)
  • Field(s)
  • Degree(s) awarded and date(s)
  • University degree honors
  • Institution attended immediately prior to URI
  • Identification card photographs for University classroom use


To suppress this information, the following steps can be taken once you are signed into your ecampus account.


From the ecampus home page, select:

Self Service -> Campus Personal Information -> Privacy Settings -> Edit FERPA/Directory Restrictions (button at bottom of the screen)

Employee Information

The following data may not be revealed by the University without employee consent.

  • Social security number (includes partials such as last four digits)
  • Salary
  • Date of birth
  • Home address or personal contact information
  • Performance reviews

Donor Information

The following data may not be revealed by the University without donor consent.

  • Name
  • Graduating class & degree(s)
  • Credit card numbers
  • Bank account numbers
  • Social security numbers
  • Giving history
  • Addresses
  • Telephone / fax numbers
  • Email addresses / URLs
  • Employment information
  • Family information (spouse(s) / children / grandchildren)

Scope of Restrictions

The privacy of information is protected for:

  • Every individual within the community of URI
  • Every system and all data including systems created or operated by third party vendors under the direction of URI, and data within said systems.

General Provisions

These guidelines address the handling of data, whether communicated orally, in hard copy, or in electronic format, for all members of the URI community (including staff, faculty, students, affiliates, volunteers or others). This document applies to information stored on mobile and cellular devices or moved to media such as CD, tape, flash memory, or paper.

Although other information is also protected, particular emphasis is placed on University-sensitive information, defined as information which should not be made public and which should only be disclosed under limited circumstances, and includes but is not limited to:

  • All information identifiable to an individual (including students, staff, faculty, trustees, donors, and alumni) including but not limited to social security numbers, dates of birth, student education records, medical information, benefits information, compensation, loans, financial aid data, alumni information, donor information, and faculty and staff evaluations.
  • The University's proprietary information including but not limited to intellectual research findings, intellectual property, financial data, and donor and funding sources.
  • Information, the disclosure of which is regulated by federal, state, and/or local government (e.g., FERPA, GLBA and data collected from human subjects).

Specific Provisions

When handling information, faculty, staff and students should exercise care and good judgment to ensure adequate protection of sensitive information. It is recommended that everyone:

  • Adopt clean desk practices. Do not leave paper documents containing sensitive information unattended; protect such documents from the view of passers-by or office visitors.
  • Any confidential documents should have a cover sheet. [Sample cover sheet, sample confidentiality statements]
  • Close office doors when away from your office.
  • Add a "Confidential" watermark to a Word document. (Steps vary by operating system and version. Consult the directions found in the MS Word Help menu.)
  • Store paper documents containing sensitive information in locked files with a controlled key system (a list of individuals who have access should be documented) or an appropriately secured area.
  • Lock file cabinets containing sensitive information before leaving the office each day.
  • Do not leave the keys to file drawers containing sensitive information in unlocked desk drawers or other areas accessible to unauthorized staff.
  • Store paper documents that contain information that is critical to University business in secure file cabinets. Keep copies in an alternate location.
  • Shred paper documents containing sensitive information when they are no longer needed, making sure that such documents are secured until shredding occurs. If a shredding service is employed, the service provider should have clearly defined procedures in the contractual agreement that protect discarded information, and ensure that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
  • Immediately retrieve or secure documents containing sensitive information as they are printed on copy machines, fax machines or printers. Double-check fax messages containing confidential information:
    • Recheck the recipient's number before you hit 'Start.'
    • Verify the security arrangements for a fax's receipt prior to sending.
    • Verify that you are the intended recipient of faxes received on your machine. If you are not, contact the intended recipient and make arrangements for the proper dispatch of the fax.
  • Do not discuss sensitive information outside of the workplace or with anyone who does not have a specific "need to know." Be aware of the potential for others to overhear communications containing sensitive information in offices, on telephones, and in public places like elevators, restaurants, and sidewalks.
  • Ensure that electronic equipment containing sensitive information is securely transferred or disposed of in a secure manner. All hard drives for copying machines or scanners that have been used for confidential documents need to be removed from the machine and destroyed.
  • Immediately report the theft of URI electronic computing equipment to Campus Security. Loss or suspected compromise of data containing sensitive information should be immediately reported to the office of IT Information Security.

Policy Violations

Violation of this policy by any employee or any student will result in disciplinary action, according to established procedures.

Impact on Other Policies

Takes precedence over Acceptable Usage.

Effective Date: Interim or Permanent

June 2007 [Permanent]

Supersedes

None.

Next Review Date

As necessary, should new developments require a change in policy.

Policy Contact

Information Security Office 401-874-4787

Authority

Vice Provost of Information Technology Services