Acceptable Use of Research Foundation Proprietary Data Outside the RF Business System
The integrity and confidentiality of Research Foundation (RF)
data must be protected when RF proprietary data are combined into a
non-RF business system.
RF proprietary data are private and confidential data that must
be protected. All proprietary data extracted from the RF business
system must be protected from unauthorized access. Individuals with
authorized access to RF proprietary data are required to adhere to
the following University at Buffalo (UB) information security
policies to provide a secure environment where the privacy and
confidentiality of proprietary data are protected.
New York State Information Security Policy
The New York State (NYS) Information Security Policy is a
comprehensive policy that sets forth the minimum requirements,
responsibilities and accepted behaviors to establish and maintain a
secure environment. UB has adopted the NYS Information Security
Policy as its umbrella computer and information security
University at Buffalo Policy on Securing Network-Connected Devices
This policy details the requirements that must be followed when
devices are connected to the university network.
University at Buffalo Password Policy
This policy establishes the requirements that all UB passwords
University at Buffalo Protection of Regulated Private Data Policy
This policy outlines the university’s commitment to
protecting regulated private data to safeguard the privacy of the
university community, reduce the threat of identity theft, and
comply with state and federal laws and regulations.
University at Buffalo Standards for Securing Regulated Private Data
The security measures required to protect regulated private data
are detailed in this policy.
University at Buffalo Data Access and Security Policy
This policy defines the access requirements for regulated
private data and includes the roles and responsibilities for those
The Research Foundation central office has issued the Policy
on Acceptable Use of Research Foundation Data Outside of RF
Business Systems, providing campus requirements for access to
and use of proprietary data that the RF considers to be private and
confidential. In order to comply with the RF policy, a
University at Buffalo campus policy is required to ensure that:
- the university provides a secure environment with proper
controls to protect the privacy, integrity, and confidentiality of
extracted proprietary data combined in a non-RF business
- appropriate campus policies, procedures, and standards are in
place to ensure that access and use of the data are consistent with
a business need-to-know.
This policy applies to all university entities, any official or
administrator with responsibilities for managing extracted
proprietary RF data, and those employees who are entrusted with
extracted proprietary RF data.
Any employee or student who breaches this policy on
confidentiality of extracted proprietary RF data will be subject to
disciplinary action and/or sanctions up to and including discharge
and dismissal in accordance with university policy and
Corporate, agency, and sponsored
program data that is classified into two types: proprietary
RF data that is private and
confidential. Examples include, but are not limited to:
• Biographical data (e.g., age, sex, marital status)
• Elected benefits
• Financial sponsored program data at the detail
• FLSA designation (exempt or non-exempt)
• Health Insurance Portability and Accountability Act (HIPAA) related data
• Home address
• Home phone
• Job title
• Social Security Number
High-level data that is not
considered private and confidential including financial sponsored
program data at the aggregate level (no detail) and personal data
limited to name, work telephone number, department/location, and
employee identification number (as long as this number or its
placement in a sequence of numbers does not identify the
person’s employer as the RF).
Operations Manager (OM)
- Certify that an environment with appropriate policies,
procedures, and controls is in place to protect RF data.
- Authorize access to RF proprietary data consistent with a
business need to know.
- Utilize the Authorization for Use of Research Foundation
Data outside the RF Business System form to annually provide
the RF with a list (by name or job description) of university
employees authorized to access extracted proprietary data.
- In the event of a security breach or a suspected security
breach, contact the RF. Follow the process outlined in the
RF’s Notification Procedure for Electronic Breach of
The OM or designee is authorized to provide proprietary RF data
to a sponsor if the data is related to an applicable sponsored
program grant or contract for which there is a contractual
obligation to provide the information, or if providing the data is
a requirement of obtaining a sponsored program grant or
Information Security Officer
- Conduct annual security reviews of approved systems storing and
handling extracted proprietary RF data.
- Periodic scans of workstations, servers, and network traffic
for RF data may also be implemented.
Individuals Authorized to Access Extracted RF Proprietary Data
- Complete the University at Buffalo Access
to Information Compliance Form before access will be granted in
order to acknowledge their responsibilities to protect the
extracted proprietary RF data, comply with confidentiality
requirements, and comply with all UB information security and data
Information Security Officer
517 Capen Hall
Buffalo, NY 14260
Related Documents, Forms, Links