University at Buffalo Crest

Policy Information

Date Established: 5/6/2010
Date Last Revised: 4/4/2018
Category: Information Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer

Policy Contents

Protection of University Data Policy

Summary

UB data must be protected to safeguard privacy, reduce the threat of identity theft, and maintain compliance with state and federal laws and regulations.

Policy Statement

The University at Buffalo (UB, university) is committed to collecting, handling, storing, and using university data properly and securely. This policy establishes a framework of safeguards to:

  • Protect university data from accidental or intentional alteration, theft, or other risks
  • Comply with applicable laws and contractual requirements
  • Increase awareness of the need to protect university data

Use of University Data

Access, collection, storage, and/or transmission of university data must be approved by a data trustee. Approval to use university data is contingent upon the unit’s demonstrated operating needs, as well as the risk mitigation measures in place to protect the data. Risk mitigation measures include, but are not limited to the collection, storage, and transmission of these data by third-party service providers (e.g., cloud services).

Reporting Potential or Actual Exposure of University Data

A suspected or confirmed exposure of university data, or security breach of a system containing university data, must be reported immediately to the Information Security Officer (ISO).

Compliance

An employee or student who breaches the confidentiality of Category 1 – Restricted Data or Category 2 – Private Data may be subject to disciplinary action in accordance with university policy and procedures.

Background

University information is a valuable asset that requires appropriate protection. University policies and procedures must include controls to protect the confidentiality, integrity, and availability of data and comply with laws and contractual obligations.

Applicability

This policy applies to all university employees, students, and third-party vendors who access, manage, store, or in other capacities use university data.

For data regulated by the Health Insurance Portability and Act (HIPAA), refer to the applicable HIPAA policies or Director of UB HIPAA Compliance.

Definitions

Category 1 – Restricted Data

Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Restricted data includes the definition of private information in the New York State (NYS) Security and Breach Notification Act as a foundation: bank account, credit card, and debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, and passport numbers.

Category 1 – Restricted Data are exempt from disclosure or release under the NYS Freedom of Information Law (FOIL). The NYS Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the NYS Information Security Policy.)

Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, and university policy. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.

Category 2 – Private Data

Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure by the NYS FOIL.

Category 2 – Private Data must be protected to ensure that they are not disclosed in a FOIL request. Private data must be protected in order to ensure that they are only disclosed as required by law, including FOIL. Decisions about disclosure must be made by the Records Management Officer.

The National Institute Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations maps to the Category 2 – Private Data risk classification.

Data Trustees

Senior leaders of the university (i.e., vice presidents, vice provosts, deans) who have responsibility for areas that have systems of record.

Data Users

Individuals who need and use university data as part of their assigned duties or to fulfill their role in the university community.

Responsibility

Data Trustee

  • Ensure that data stewards in their area are compliant with data governance principles.

Data User

  • Follow appropriate safeguards to protect data based on its classification.

Information Security Officer

  • Review and approve departmental collection, storage, and transmission of data when necessary according to its classification.
  • Serve on the Cloud Services Review Committee.
  • Conduct periodic security reviews of systems approved for storing and handling protected data.

Records Management Officer

  • Make decisions about records disclosure of information.

Vendors

  • Complete the Vendor Questionnaire (obtained from Purchasing).

Vice President and Chief Information Officer

  • Oversee all components of UB information technology.

Contact Information

Contact Phone Email
Office of the Vice President and Chief Information Officer 716-645-7979 cio@buffalo.edu
Information Security Office
716-645-6997 sec-office@buffalo.edu
Director of UB HIPAA Compliance 716-829-3172 hipaa-compliance@buffalo.edu
Records Management Officer
716-645-5464 hines@buffalo.edu

Related Information

University Links

Forms

Related Links

History

April 2018 Full review. Updated the policy to:
• Change the title from Protection of Regulated Private Data Policy to Protection of University Data Policy
Update content to reflect the revised Data Risk Classification Policy
• Update references in the Related Information section
• Remove procedural language
• Update data role terminology
• Add HIPAA compliance reference
• Direct readers to the Data Risk Classification Policy for data categories

Presidential Approval

Signed by President Satish K. Tripathi

Satish K. Tripathi, President

4/4/2018

Date