University at Buffalo Crest.

Policy Information

Date Established: 12/3/2008
Date Last Udated:
Category:  Research
Responsible Office:
Sponsored Projects Services
Responsible Executive:
Vice President for Research and Economic Development

Policy Contents


Acceptable Use of Research Foundation Proprietary Data Outside the RF Business System Policy


The integrity and confidentiality of Research Foundation (RF) data must be protected when RF proprietary data are combined into a non-RF business system.   

Policy Statement

RF proprietary data are private and confidential data that must be protected. All proprietary data extracted from the RF business system must be protected from unauthorized access. Individuals with authorized access to RF proprietary data are required to adhere to the following University at Buffalo (UB) information security policies to provide a secure environment where the privacy and confidentiality of proprietary data are protected. 

New York State Information Security Policy

The New York State (NYS) Information Security Policy is a comprehensive policy that sets forth the minimum requirements, responsibilities and accepted behaviors to establish and maintain a secure environment. UB has adopted the NYS Information Security Policy as its umbrella computer and information security policy.

University at Buffalo Password Policy

This policy establishes the requirements that all UB passwords must follow.

University at Buffalo Protection of Regulated Private Data Policy

This policy outlines the university’s commitment to protecting regulated private data to safeguard the privacy of the university community, reduce the threat of identity theft, and comply with state and federal laws and regulations

University at Buffalo Data Access and Security Policy

This policy defines the access requirements for regulated private data and includes the roles and responsibilities for those granting access.

UB Minimum Security Standards for Desktops, Laptops and Other Endpoint Devices

UB Minimum Server Security and Hardening Standards

These standards detail the requirements that must be followed when devices are connected to the university network. 


The Research Foundation central office has issued the Policy on Acceptable Use of Research Foundation Data Outside of RF Business Systems, providing campus requirements for access to and use of proprietary data the RF considers being private and confidential. In order to comply with the RF policy, a University at Buffalo campus policy is required to ensure that:

  • The university provides a secure environment with proper controls to protect the privacy, integrity, and confidentiality of extracted proprietary data combined in a non-RF business system
  • Appropriate campus policies, procedures, and standards are in place to ensure that access and use of the data are consistent with a business need-to-know


This policy applies to all university entities, any official or administrator with responsibilities for managing extracted proprietary RF data, and those employees who are entrusted with extracted proprietary RF data.


Any employee or student who breaches this policy on confidentiality of extracted proprietary RF data will be subject to disciplinary action and sanctions up to and including discharge and dismissal in accordance with university policy and procedures.


RF Data

Corporate, agency, and sponsored program data that is classified into two types:  proprietary and non-proprietary.

Proprietary Data

RF data that is private and confidential. Examples include, but are not limited to:

•  Biographical data (e.g., age, sex, marital status)
•  Elected benefits
•  Financial sponsored program data at the detail level
•  FLSA designation (exempt or non-exempt)
•  Health Insurance Portability and Accountability Act (HIPAA) related data
•  Home address
•  Home phone
•  Job title
•  Salary
•  Social Security Number

Non-proprietary Data

High-level data that is not considered private and confidential including financial sponsored program data at the aggregate level (no detail) and personal data limited to name, work telephone number, department, location, and employee identification number (as long as this number or its placement in a sequence of numbers does not identify the person’s employer as the RF).


Operations Manager (OM)

  • Certify that an environment with appropriate policies, procedures, and controls is in place to protect RF data.
  • Authorize access to RF proprietary data consistent with a business need to know.
  • Utilize the Authorization for Use of Research Foundation Data outside the RF Business System form, to annually provide the RF with a list (by name or job description) of university employees authorized to access extracted proprietary data.
  • In the event of a security breach or a suspected security breach, contact the RF. Follow the process outlined in the RF’s Notification Procedure for Electronic Breach of Information Security.

The OM or designee is authorized to provide proprietary RF data to a sponsor if the data is related to an applicable sponsored program grant or contract for which there is a contractual obligation to provide the information, or if providing the data is a requirement of obtaining a sponsored program grant or contract.

Information Security Officer

  • Conduct annual security reviews of approved systems storing and handling extracted proprietary RF data.
  • Periodic scans of workstations, servers, and network traffic, for RF data may also be implemented.

Individuals Authorized to Access Extracted RF Proprietary Data

  • Complete the University at Buffalo Access to Information Compliance Form before access will be granted in order to acknowledge their responsibilities to protect the extracted proprietary RF data, comply with confidentiality requirements, and comply with all UB information security and data protection policies.

Contact Information

Contact An Expert
Contact Phone Email
Information Security Officer 716-645-6997

Related Information

University Links


Related Links

Presidential Approval

Signed by President John B. Simpson

John B. Simpson, President