Data Protection Requirements

Note: Data received from outside sources should carry the same sensitivity level under which it was sent.

| Action | Form | Non-Sensitive | Sensitive | Highly Sensitive |
|---|---|---|---|---|
| Collecting | | No restrictions | Reduce or eliminate collection where not required for business function. | Reduce or eliminate collection where not required for business function. Collection of some types of highly sensitive data about individuals may require the approval of the appropriate Data Owner(s). |
| Accessing | | No restrictions | Access should be provided as required for business. Devices used to access sensitive (non-Public) information must meet minimum security standards. | Access to some Confidential data requires approval of a Data Trustee on a per-individual basis. Devices used to access highly sensitive information must meet minimum security standards. Ensure protocols are in place to immediately remove access upon change in employment status of any individual with access. |
| Sharing | | No restrictions | Share with employees as needed. Share with vendors/third parties as approved by department head. | For types of data that are governed by a Data Owner, this information may be shared only for business purposes and only as approved by the Data Owner. Information concerning a small number of individuals may be shared internally without Owner review if the recipient of the data has a need-to-know and is entrusted with the same type of information for their job function. A confidentiality agreement may be appropriate under these circumstances. For types of data that are not governed by a Data Trustee, the information may be shared internally on a need-to-know basis. Information may be shared with the subject of the record or with another party with the subject's approval, as appropriate. |
| Printing, Copying, Scanning | | No restrictions | Printers often store the printed document on a local hard drive, potentially allowing unauthorized access to the information. Avoid printing Sensitive data unnecessarily. | Printers often store the printed document on a local hard drive, potentially allowing unauthorized access to the information. Avoid printing Highly Sensitive data unnecessarily. |
| Sending | Paper | No restrictions | Send in a manner that protects the information from incidental or casual reading. | Address to the specific intended party and send in sealed envelopes. Mark with “For intended recipient only”. Outside the University, paper should be sent via certified mail or with a courier and require a signature upon delivery. |
| | Electronic | No restrictions | Use a method that requires the recipient to authenticate prior to receipt, such as e-mail, a web site that requires Web Login, or a file server that requires a password. Use a secure e-mail service for more private data. | Particularly sensitive data or large volumes of confidential data should be encrypted during transmission. If confidential information is to be stored on a device (CD/DVD/USB) in order to be shared, such devices must be properly handled. |
| | Fax | No restrictions | If a fax must be used, consider taking reasonable steps to protect the data, including the use of a cover sheet stating that the fax is Confidential and to be read only by the named recipient. Also consider coordinating with the intended recipient so he or she is on hand to directly receive the fax before you begin to send. | Fax machines often store the faxed messages in memory, potentially allowing unauthorized access. Consider alternatives to faxing Highly Sensitive data where possible. If a fax must be used, consider taking reasonable steps to protect the data, including the use of a cover sheet stating that the fax is Confidential and to be read only by the named recipient. Also consider coordinating with the intended recipient so he or she is on hand to directly receive the fax before you begin to send. |
| | Smart Phones and Tablets | No restrictions | The use of smart phones to access Sensitive data, such as through e-mail, puts that data at higher risk of unintended disclosure. Individuals accessing Sensitive Data via such a device must comply with the standards set forth in minimum security standards. | The use of smart phones to access Highly Sensitive data, such as through e-mail, puts that data at higher risk of unintended disclosure. Individuals accessing Highly Sensitive Data via such a device must comply with the standards set forth in minimum security standards. |
| Storing | Paper | No restrictions | Keep in non-public areas when not in use. | Should be stored in physically secure areas that are accessible only by authorized individuals. |
| | Electronic | No restrictions | Devices used to store sensitive (non-Public) information must meet minimum security standards. | Encryption of stored data is recommended. Devices used to store Highly Sensitive Information must meet minimum security standards. Should be stored only on departmental or central servers. Cloud or SaaS providers should undergo an assessment prior to deployment. |
| | Electronic Media (CD, DVD, USB) | No restrictions | Store media in a secure location when not in use. Media should be erased or destroyed as soon as it is no longer needed. | Encryption of stored data is recommended. Store media in a secure location when not in use. Media should be erased or destroyed as soon as it is no longer needed. |
| Auditing | | Conduct a periodic review to ensure data is not out of date. | Conduct a periodic review of where this data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. | Each department should conduct an annual review of where Highly Sensitive data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. Verify that procedures for removing access are documented and accurate. |
| Incident Reporting | | Any unauthorized disclosure or loss of this information must be reported to the appropriate dean or department head or to the TSC Help Desk. | Any unauthorized disclosure or loss of this information must be reported to the appropriate dean or department head or to the TSC Help Desk. | Any unauthorized disclosure or loss of this information must be reported to the appropriate dean or department head or to the TSC Help Desk. |
| Destroying | Paper and Disposable Electronic Media (CD, DVD) | Dispose of based on sustainability policy. | Physically destroy using a shredder or similar appropriate technology and then recycle or discard. | Physically destroy using a shredder or similar appropriate technology and then recycle or discard. |
| | Electronic Files (Data); Reusable Electronic Storage Devices (USB sticks, disk drives) | Use standard operating system utilities to delete files. | Delete using an approved secure deletion program. | Delete using an approved secure deletion program. |
| | All Electronic Storage Media at End of Life | Use standard operating system utilities to delete files. | Functional electronic media that can be overwritten using a secure erase tool may then be recycled or disposed of. Non-functional electronic media (damaged disk drives) must be physically destroyed. | Functional electronic media that can be overwritten using a secure erase tool may then be recycled or disposed of. Non-functional electronic media (damaged disk drives) must be physically destroyed. |