Data Protection Requirements
Note: Data received from outside sources should carry the same sensitivity level with which it was sent.
| Action | Form | Non-Sensitive | Sensitive | Highly Sensitive |
| --- | --- | --- | --- | --- |
| Collecting | | No restrictions | Reduce or eliminate collection where not required for business function. | Reduce or eliminate collection where not required for business function. Collection of some types of highly sensitive data about individuals may require the approval of the appropriate Data owner(s). |
| Accessing | | No restrictions | Access should be provided as required for business. Devices used to access sensitive (non-Public) information must meet minimum security standards. | Access to some Confidential data requires approval of a Data Trustee on a per-individual basis. Devices used to access highly sensitive information must meet minimum security standards. Ensure protocols are in place to immediately remove access upon change in employment status of any individual with access. |
| Sharing | | No restrictions | Share with employees as needed. Share with vendors/third-parties as approved by department head. | For types of data that are governed by a Data Owner, this information may be shared only for business purposes and only as approved by the Data Owner. Information concerning a small number of individuals may be shared internally without Owner review if the recipient of the data has a need-to-know and is entrusted with the same type of information for their job function. A confidentiality agreement may be appropriate under these circumstances. For types of data that are not governed by a Data Trustee, the information may be shared internally on a need-to-know basis. Information may be shared with the subject of the record or with another party with the subject's approval, as appropriate. |
| Printing, Copying, Scanning | | No restrictions | Printers often store the printed document on a local hard drive, potentially allowing unauthorized access to the information. Avoid printing Sensitive data unnecessarily. | Printers often store the printed document on a local hard drive, potentially allowing unauthorized access to the information. Avoid printing Highly Sensitive data unnecessarily. |
| Sending | Paper | No restrictions | Send in a manner that protects the information from incidental or casual reading. | Address to the specific intended party and send in sealed envelopes. Mark with “For intended recipient only”. Outside the University, paper should be sent via certified mail or with a courier and require a signature upon delivery. |
| | Electronic | No restrictions | Use a method that requires recipient to authenticate prior to receipt, such as e-mail, a web site that requires Web Login, or a file server that requires a password. Use secure e-mail service for more private data. | Particularly sensitive data or large volumes of confidential data should be encrypted during transmission. If confidential information is to be stored on a device (CD/DVD/USB) in order to be shared, such devices must be properly handled. |
| | Fax | No restrictions | If a fax must be used, consider taking reasonable steps to protect the data, including the use of a cover sheet stating that the fax is Confidential and to be read only by the named recipient. Also consider coordinating with the intended recipient so he or she is on hand to directly receive the fax before you begin to send. | Fax machines often store the faxed messages in memory, potentially allowing unauthorized access. Consider alternatives to faxing Highly Sensitive data where possible. If a fax must be used, consider taking reasonable steps to protect the data, including the use of a cover sheet stating that the fax is Confidential and to be read only by the named recipient. Also consider coordinating with the intended recipient so he or she is on hand to directly receive the fax before you begin to send. |
| | Smart Phones and Tablets | No restrictions | The use of smart phones to access Sensitive data, such as through e-mail, puts that data at higher risk of unintended disclosure. Individuals accessing Sensitive Data via such a device must comply with the standards set forth in minimum security standards. | The use of smart phones to access Highly Sensitive data, such as through e-mail, puts that data at higher risk of unintended disclosure. Individuals accessing Highly Sensitive Data via such a device must comply with the standards set forth in minimum security standards. |
| Storing | Paper | No restrictions | Keep in non-public areas when not in use. | Should be stored in physically secure areas that are accessible only by authorized individuals. |
| | Electronic | No restrictions | Devices used to store sensitive (non-Public) information must meet minimum security standards. | Encryption of stored data is recommended. Devices used to store Highly Sensitive Information must meet minimum security standards. Should be stored only on departmental or central servers. Cloud or SaaS providers should undergo an assessment prior to deployment. |
| | Electronic Media (CD, DVD, USB) | No restrictions | Store media in a secure location when not in use. Media should be erased or destroyed as soon as it is no longer needed. | Encryption of stored data is recommended. Store media in a secure location when not in use. Media should be erased or destroyed as soon as it is no longer needed. |
| Auditing | | Conduct a periodic review to ensure data is not out of date. | Conduct a periodic review of where this data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. | Each department should conduct an annual review of where Highly Sensitive data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. Verify that procedures for removing access are documented and accurate. |
| Incident Reporting | | Any unauthorized disclosure or loss of this information must be reported to the appropriate dean or department head or to the TSC Help Desk. | Any unauthorized disclosure or loss of this information must be reported to the appropriate dean or department head or to the TSC Help Desk. | Any unauthorized disclosure or loss of this information must be reported to the appropriate dean or department head or to the TSC Help Desk. |
| Destroying | Paper and Disposable Electronic Media (CD, DVD) | Dispose of based on sustainability policy. | Physically destroy using a shredder or similar appropriate technology and then recycle or discard. | Physically destroy using a shredder or similar appropriate technology and then recycle or discard. |
| | Electronic Files (Data), Reusable Electronic Storage Devices (USB sticks, disk drives) | Use standard operating system utilities to delete files. | Delete using an approved secure deletion program. | Delete using an approved secure deletion program. |
| | All Electronic Storage Media at End of Life | Use standard operating system utilities to delete files. | Functional electronic media that can be overwritten using a secure erase tool may then be recycled or disposed of. Non-functional electronic media (damaged disk drives) must be physically destroyed. | Functional electronic media that can be overwritten using a secure erase tool may then be recycled or disposed of. Non-functional electronic media (damaged disk drives) must be physically destroyed. |