Updated November 20, 2025
The University at Buffalo (UB) is committed to protecting Category 1, Restricted Data and Category 2, Private Data. The Data Risk Classification policy provides a framework, based on the relevant legal and regulatory requirements to which the university is subject, for classifying university data by its level of sensitivity, value, and criticality in order to determine baseline security controls and protect data.
UB has legal and ethical obligations to ensure that university data in any form is secured in a manner that minimizes risk of unauthorized or inappropriate use or disclosure, and complies with all laws and regulations regarding data including the New York State Information Security Breach and Notification Act. Examples of Category 1, Restricted Data and Category 2, Private Data can be found within the Guidance to UB’s Data Protection Categories.
The Protection of University Data Policy establishes the requirements for protecting university data. Any university office that utilizes Category 1 or Category 2 data must ensure that the data is stored in a secure and confidential environment and is used only for its intended purpose, and must follow university guidelines for the disposal of records containing the data.
Any suspected or confirmed exposure of Category 1 or Category 2 data or the security breach of a system containing such data must be reported immediately to the Information Security Office (ISO). UB complies with the New York State Information Security Breach and Notification Act.
Individuals who suspect a misuse of standards and policies related to Category 1 or Category 2 data must report their concerns to their applicable Data Trustee or the ISO. Individuals who misuse data and/or illegally access data are subject to sanctions or penalties in accordance with employee relations policies.
Sanctions or penalties are based on the standards outlined in university policy, state or federal regulations, and the appropriate collective bargaining agreements. Individuals found to be in violation of policies related to restricted data may face corrective action commensurate with the violation, up to and including termination or expulsion.