Date Established: 12/3/2008
Date Last Updated: –
Sponsored Projects Services
Vice President for Research and Economic Development
The integrity and confidentiality of Research Foundation (RF) data must be protected when RF proprietary data are combined into a non-RF business system.
RF proprietary data are private and confidential data that must be protected. All proprietary data extracted from the RF business system must be protected from unauthorized access. Individuals with authorized access to RF proprietary data are required to adhere to the following University at Buffalo (UB) information security policies to provide a secure environment where the privacy and confidentiality of proprietary data are protected.
The New York State (NYS) Information Security Policy is a comprehensive policy that sets forth the minimum requirements, responsibilities and accepted behaviors to establish and maintain a secure environment. UB has adopted the NYS Information Security Policy as its umbrella computer and information security policy.
This policy establishes the requirements that all UB passwords must follow.
This policy outlines the university’s commitment to protecting regulated private data to safeguard the privacy of the university community, reduce the threat of identity theft, and comply with state and federal laws and regulations.
This policy defines the access requirements for regulated private data and includes the roles and responsibilities for those granting access.
These standards detail the requirements that must be followed when devices are connected to the university network.
The Research Foundation central office has issued the Policy on Acceptable Use of Research Foundation Data Outside of RF Business Systems, providing campus requirements for access to and use of proprietary data the RF considers to be private and confidential. In order to comply with the RF policy, a University at Buffalo campus policy is required to ensure that:
This policy applies to all university entities, any official or administrator with responsibilities for managing extracted proprietary RF data, and those employees who are entrusted with extracted proprietary RF data.
Any employee or student who breaches this policy on confidentiality of extracted proprietary RF data will be subject to disciplinary action and sanctions up to and including discharge and dismissal in accordance with university policy and procedures.
Corporate, agency, and sponsored program data that is classified into two types: proprietary and non-proprietary.
RF data that is private and confidential. Examples include, but are not limited to:
• Biographical data (e.g., age, sex, marital status)
• Elected benefits
• Financial sponsored program data at the detail level
• FLSA designation (exempt or non-exempt)
• Health Insurance Portability and Accountability Act (HIPAA) related data
• Home address
• Home phone
• Job title
• Social Security Number
High-level data that is not considered private and confidential including financial sponsored program data at the aggregate level (no detail) and personal data limited to name, work telephone number, department, location, and employee identification number (as long as this number or its placement in a sequence of numbers does not identify the person’s employer as the RF).
The OM or designee is authorized to provide proprietary RF data to a sponsor if the data is related to an applicable sponsored program grant or contract for which there is a contractual obligation to provide the information, or if providing the data is a requirement of obtaining a sponsored program grant or contract.
Information Security Officer: firstname.lastname@example.org