Date Established: 5/6/2010
Date Last Revised: 4/4/2018
Category: Information Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer
UB data must be protected to safeguard privacy, reduce the threat of identity theft, and maintain compliance with state and federal laws and regulations.
The University at Buffalo (UB, university) is committed to collecting, handling, storing, and using university data properly and securely. This policy establishes a framework of safeguards to:
Access, collection, storage, and/or transmission of university data must be approved by a data trustee. Approval to use university data is contingent upon the unit’s demonstrated operating needs, as well as the risk mitigation measures in place to protect the data. Risk mitigation measures include, but are not limited to the collection, storage, and transmission of these data by third-party service providers (e.g., cloud services).
A suspected or confirmed exposure of university data, or security breach of a system containing university data, must be reported immediately to the Information Security Officer (ISO).
An employee or student who breaches the confidentiality of Category 1 – Restricted Data or Category 2 – Private Data may be subject to disciplinary action in accordance with university policy and procedures.
University information is a valuable asset that requires appropriate protection. University policies and procedures must include controls to protect the confidentiality, integrity, and availability of data and comply with laws and contractual obligations.
This policy applies to all university employees, students, and third-party vendors who access, manage, store, or in other capacities use university data.
For data regulated by the Health Insurance Portability and Act (HIPAA), refer to the applicable HIPAA policies or Director of UB HIPAA Compliance.
Category 1 – Restricted Data
Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
Restricted data includes the definition of private information in the New York State (NYS) Security and Breach Notification Act as a foundation: bank account, credit card, and debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, and passport numbers.
Category 1 – Restricted Data are exempt from disclosure or release under the NYS Freedom of Information Law (FOIL). The NYS Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the NYS Information Security Policy.)
Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, and university policy. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.
Category 2 – Private Data
Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure by the NYS FOIL.
Category 2 – Private Data must be protected to ensure that they are not disclosed in a FOIL request. Private data must be protected in order to ensure that they are only disclosed as required by law, including FOIL. Decisions about disclosure must be made by the Records Management Officer.
The National Institute Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations maps to the Category 2 – Private Data risk classification.
Senior leaders of the university (i.e., vice presidents, vice provosts, deans) who have responsibility for areas that have systems of record.
Individuals who need and use university data as part of their assigned duties or to fulfill their role in the university community.
|Office of the Vice President and Chief Information Officerfirstname.lastname@example.org|
|Information Security Office ||email@example.com|
|Director of UB HIPAA Compliancefirstname.lastname@example.org|
|Records Management Officer ||email@example.com|
|April 2018||Full review. Updated the policy to: |
• Change the title from Protection of Regulated Private Data Policy to Protection of University Data Policy
• Update content to reflect the revised Data Risk Classification Policy
• Update references in the Related Information section
• Remove procedural language
• Update data role terminology
• Add HIPAA compliance reference
• Direct readers to the Data Risk Classification Policy for data categories