Responsibilities when Storing and Accessing Restricted Data in UBbox

Using UBbox and complying with restricted data requirements is a shared responsibility. Through a combination of training, adherence to guidelines and procedures, and proper Box folder configurations, UBbox can be used for restricted data.

The data steward is responsible for:

  • Obtaining approval for storing restricted data in UBbox.
  • Ensuring proper technical configuration of UBbox folder.
  • Ensuring any required data sharing agreements and business associate agreements (BAA) are in place.
  • Ensuring restricted data is only accessible by authorized individuals.
  • Ensuring restricted data is only used for a specifically stated intended purpose.
  • Auditing and monitoring of restricted data access.
  • Immediately reporting any suspected data breach involving restricted data.
  • Reconfirming the need for sensitive data in UBbox on an annual basis.
  • Ensuring that PII or other sensitive data is not used to name UBbox files or folders.

All people granted access to restricted data stored in UBbox are responsible for:                   

  • Taking appropriate restricted data handling training courses (see training links).
    *Note: If you are working with regulated data such as HIPAA or PCI, please contact the Information Security Office for more information on training.
  • Adhering to all established guidelines and procedures for accessing restricted data in UBbox.
  • Immediately reporting to the appropriate security/privacy officials any suspected data breach involving restricted data.
  • Note that UBIT Box Administrators will need to be included as part of all covered functions that use Box for HIPAA data.