Policy No: 2009
Responsible Office: Compliance
Last Review Date: 08/19/2024
Next Required Review: 08/19/2029
|
Personal Data Protection
1. Purpose
1.1 This policy sets forth minimum requirements for the collection, use, maintenance, storage, sharing, processing, and destruction of Personal Data, in order to protect it from misuse or breach. While certain policies already exist which address protection of patient and student information, respectively, this policy addresses protections of the personal information of any person, including but not limited to employees, students, contractors, alumni, patients, visitors, and other 3rd parties.
1.2 Specifically, this policy outlines essential roles and responsibilities for members of the University of South Alabama (USA) community to assure we maintain an environment that safeguards Personal Data from breaches or other unauthorized access or use, and establishes a comprehensive data protection program consistent with applicable state, federal and international acts, standards, regulations and laws.
1.3 Protection and management of other forms of sensitive institutional information such as Controlled Unclassified Information (CUI), Intellectual Property, and/or other forms of sensitive or proprietary University information (i.e., confidential information), while handled similarly to Personal Data, will be covered in separate policies.
2. Applicability
This policy applies to all members of the USA community (University General Division), full and part-time, paid and unpaid, temporary and permanent; also includes students, contractors, agents, vendors, trustees, and all other members of the University community who have access to Personal Data of any person, either via electronic systems, or paper filing systems.
3. Definitions
Personal Data: for purposes of this policy, means any information relating to an identified or identifiable person that is protected by state or federal privacy regulations, not subject to the Open Records Act, and which one would reasonably expect to be kept protected, whereby unauthorized disclosure, alteration or destruction could cause a significant level of risk to the University, its affiliates, or individual members of the University community. Personal Data may be stored in electronic or paper form. The following types of Personal Data are defined by various associated laws, regulations, acts, and standards (some of which are referenced in section 7, “Related Documents”):
Protected Health Information (PHI): (as defined by the HIPAA Privacy and Security Rules) means any and all “individually identifiable health information” (IIHI) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. IIHI is information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or, the past, present or future payment for the provision of health care to the individual. IIHI is information that identifies the individual, or provides a reasonable basis to believe it can be used to identify the individual. IIHI includes many common identifiers (e.g., name, address, birth date, (SSN), etc.).
Sensitive Personally Identifying Information: (as defined by the Alabama Data Breach Notification Act of 2018) consists of an Alabama resident’s first name (or initial) and last name, in combination with one or more of the following of the same Alabama resident: SSN (full or portions of), tax ID number, Driver’s License or state-issued ID number, passport number, military ID number, or any other unique ID number issued on a government document used to verify an individual's identity; financial account numbers, in combination with any security or access code, password, expiration date or PIN necessary to access the financial account; any PHI/IIHI (as described above); electronic account access information such as username or e-mail address in combination with a password or security question and answer that would permit access to an online account affiliated with USA; that is reasonably likely to contain or is used to obtain sensitive personally identifying information.
Personally Identifiable Information for Education Records: is a Family Educational Rights and Privacy Act (FERPA) term referring to identifiable information that is maintained in education records and includes direct identifiers, such as a student’s name or identification number, indirect identifiers, such as a student’s date of birth, or other information which can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information.
Personal Data: (As defined by the European Union’s Global Data Protection Regulation (GDPR)) means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Cardholder Data: refers to any personally identifiable information (PII) associated with a cardholder. This information includes the primary account number (PAN), cardholder name, expiration date, and service code. Additionally, it may also include sensitive authentication data, such as the full magnetic stripe data or the card verification value (CVV2).
A Breach: of Personal Data occurs if the data has been inappropriately accessed or received by an unauthorized person or group, whether intentionally or inadvertently, such that the acquisition could present a financial or reputational risk to the Data Subjects.
Data Subjects: include, but are not limited to, any person (USA employee, employee dependent, student, parent of student, patient, trustee, contractor, vendor, volunteer, agent, customer, visitor, alumni, donor, etc.) whose personal information has been collected and retained by or on behalf of USA.
Data Owners: have administrative control and have been officially designated as accountable for a specific information asset dataset. Some examples of Data Owners include the Registrar for student data; the Controller for financial accounting data; and the Associate Vice President of Human Resources for employee data. This role may have some similarities to USA record Custodians as defined in the University's Records Disposition Authority (policy).
Data Custodians: have technical control over an information asset dataset. Usually, this person has the administrator/admin, sysadmin/sysadm, sa, or root account or equivalent level of access. This is a critical role and it must be executed in accordance with the access guidelines developed by the Data Owner.
Users: include all members of the USA community who have authorized access to Personal Data, including employees, students, consultants, temporary employees, etc.
4. Policy Guidelines
4.1 “Minimum Necessary” Concept
USA-wide implementation of a “Minimum Necessary” concept will obligate department leaders and Data Owners to review who has access to various types of Personal Data and assure such access is reasonable and necessary for one to do his or her job. Department leaders and Data Owners will identify certain types of information that should be withheld from Users due to lack of a legitimate “need to know” reason. Data Owners will evaluate a User’s request for access to Personal Data based on a “need to know” standard and may approve access request forms on behalf of the User’s unit or department director.
All Users with job duties that require them to handle Personal Data should seek access to only that which is necessary to complete their job assignment. Data Owners must periodically review the various levels of access to Personal Data held by their direct reports and adjust as necessary. Data Owners should assure their Users:
4.1.1 Don’t access Personal Data not directly relevant to their specifically assigned tasks;
4.1.2 Don’t disclose, discuss or provide Personal Data to any individual not authorized to view or access that data, including but not limited to third parties, volunteers, vendors and other University employees; and
4.1.3 Don’t access any Personal Data from electronic systems without advanced approval based on the User's role-based need. Any User’s access to Personal Data should result from role-based determinations made by supervisors on a case by case basis.
4.2 User responsibility for protection of Personal Data
This section sets forth guidelines for Users to assure their access, use, sharing, or deleting of Personal Data is appropriate, and minimizes the risk of a Breach.
Users are required to safeguard the Personal Data under their charge and only use or disclose it as expressly authorized or when specifically required in the course of performing their job duties. Users who have been assigned personal access codes to work with systems that generate, store, manage, share or destroy Personal Data bear the responsibility for safeguarding such codes, to ensure against unauthorized use by any other person. Misuse of Personal Data can be intentional (acts and/or omissions), or a product of negligence or inadvertence. Misuse includes but is not limited to:
4.2.1 Intentional reckless, careless, negligent, or improper handling, storage or disposal of Personal Data, including electronically stored and/or transmitted data, printed documents and reports containing Confidential Data;
4.2.2 Deleting or altering Personal Data without authorization;
4.2.3 Using Personal Data viewed or retrieved from the systems for personal or any other unauthorized or unlawful use;
4.2.4 Sharing Personal Data with others who don’t have a legitimate need to know; and
4.2.5 Logging-in to USA data bases and administrative systems with one’s personal access codes and then permitting another person to access Personal Data in those data bases and/or systems; and
4.2.6 Electronically Sharing Personal Data outside the USA environment in an unprotected manner. All data shared with 3rd parties pursuant to a legitimate business reason must not be shared as plain text in an email. It must only be shared as a password protected document, with the password provided to the recipient via a separate communication. All email within the USA business environment is encrypted both at rest, and in transit. However, password protection for documents shared outside the USA environment is required because USA cannot verify the security capabilities of external networks.
Users who have any reason to believe or suspect that someone else is using their personal access codes must immediately notify their supervisor, as this would be a violation of USA policy. The Computer Services Center (CSC) could help determine where such a breach is occurring. Users who have access to Personal Data are expected to know and understand associated security requirements, and to take measures to protect the information, regardless of the data storage medium being used, e.g., printed media (forms, work papers, reports, microfilm, microfiche, books), computers, data/voice networks, physical storage environments (offices, filing cabinets, drawers), and magnetic and optical storage media (hard drives, diskettes, tapes, CDs, flash drives). Computer display screens should be positioned so that only authorized Users can view Personal Data, and Personal Data should be discarded in a way that will prevent inappropriate discovery or disclosure (e.g., in a shred box, or cross-shredded if discarded in a trash can or recycling bin).
4.3 Contracts with vendors who have access to or store Personal Data of USA individuals
USA vendors whose services are secured via written contract, purchase order, or otherwise who will require the use of Personal Data of members of the USA community as a processor of the data (or store and/or have access to it), must be made aware by USA of their obligation to render the same protections of the Personal Data as applies to University employees, under applicable policies, laws and regulations. Any such legal obligations should be set forth in writing, and acknowledged and agreed upon by both parties via signature.
All new or revised contracts must be submitted to the Office of General Counsel via DocRoute for review and approval. The individual submitting the contract should note whether the vendor’s service to USA will involve the vendor needing access to Personal Data of members of the USA community, and if so, should briefly describe the type of Personal Data involved and its contemplated use. If a vendor requires access to such Personal Data (and in the opinion of the Office of General Counsel such access rises above mere incidental access), the contract must contain specific language that obligates vendor to (1) abide by the applicable laws and regulations governing use and access to the type of Personal Data to which it will have access; (2) assure any subcontractors utilized by the vendor to process Personal Data will abide by the same terms; (3) report Breaches timely; and (4) coordinate/collaborate with USA on Breach responses.
The University utilizes a data protection addendum (DPA) to accompany vendor service agreements; the vendor may at times prefer their own DPA be used, which will be acceptable if it contains the same components as the University's version. If a vendor is not in agreement with contract language which complies with this policy, General Counsel's office will discuss with the contract's host department the risk of proceeding without specific language, and options for how to proceed.
4.4 Adherence to document retention policy
Data Owners will review the required retention time periods for data/documents per the "Public Universities of Alabama Functional Analysis & Records Disposition Authority" (April 2022) and the University's Records Disposition Authority policy, and determine if current retention schedules are on target for the various types of Personal Data collected and maintained under their purview. Data Owners should identify the need to destroy certain subsets of Personal Data that is kept beyond the legally or policy-prescribed time periods, unless there are recognized operational needs to retain the information longer than what is stated by the State and USA RDAs.
At the department level, supervisors will also review Personal Data retained in their areas to determine if actual retention is in accordance with what is prescribed by the State and USA RDAs. When Personal Data has been determined by the Data Owner and supervisors to have reached its minimum required retention period with no operational need to retain it, the Personal Data should be appropriately destroyed per the University's Records Disposition Authority policy.
4.5 Maintain reasonable security measures to protect Personal Data
Protection of Personal Data is of utmost importance, and USA’s Computer Services Center (CSC) will spearhead the employment of reasonable security measures to assist in protecting the privacy, integrity, and accessibility of Personal Data. Their goal is to safeguard Personal Data, regularly review the security measures in place, and continue to expand the USA security strategy as new vulnerabilities, threats, and countermeasures arise. Reasonable security measures employed by the CSC include but are not limited to:
4.5.1 Installing and updating antivirus software on USA computers;
4.5.2 Installing the latest operating system (as budget allows) and application patches on USA computers;
4.5.3 Assuring Users complete Information Security Training when assigned;
4.5.4 Configuring all University email accounts for multi factor authentication.
4.5.5 Only use a University issued employee email account for sending and receiving Personal Data. Student employees whose job responsibilities require them to access, handle, receive or send Personal Data, as defined by this policy, will be required to have an employee email account created for them.
4.6 Personal Data Protection Guidelines for Users. The risk of Breaches of Personal Data will be kept significantly lower if all users adhere to the following guidelines:
4.6.1 Log out of computers and/or information systems upon leaving their workstations, particularly if located in an open area;
4.6.2 Don’t leave Personal Data unattended at their desks or anywhere else, unless it is secure in an area where only those with a “need to know” will see it;
4.6.3 Dispose of paperwork or other physical material containing Personal Data no longer needed into a shred bin, or cross-shred or render indecipherable with the use of a black marker or other means, if disposed in a normal trash can or dumpster;
4.6.4 Delete electronic Personal Data no longer needed from databases, and virtual files or folders where such electronic Personal Data may also reside (see section 4.4, Adherence to document retention policy);
4.6.5 Assure correct email addresses for intended recipients of Personal Data are entered (review addresses to assure “auto-complete” function does not inadvertently select another person);
4.6.6 Carefully examine any e-mail you receive from new sources, including those that may appear like routine notices from Human Resources, Payroll or Computer Services Center, especially if the e-mail (with attachments and links) asks you to enter any personal data (e.g. name, Jag number, username, password, or other Personal Data). Before interacting with any unsolicited/unexpected email correspondence, Users should identify the sender, and communicate with them via means other than email to ensure they intended to send the suspect link(s) or attachment(s). To report any suspicious e-mails, contact the USA Office of Information Security (InfoSec) at suspiciousemail@southalabama.edu, who will help determine if the e-mail is malicious and take appropriate steps to mitigate/remove the risk;
4.6.7 Users should never, under any circumstance, share their usernames and passwords to systems containing Personal Data; with a co-worker or other person;
4.6.8 Users are encouraged to store Personal Data on USA servers/sharepoint folders rather than on their desktop computer hard drives (check with CSC for more support). Electronic Personal Data must be stored in a designated file, and must not be stored in an unprotected area such as the downloads file or undeleted trash;
4.6.9 Do not store or keep copies of Personal Data on personal or freely available cloud solutions such as DropBox, OneDrive, personal Google Drive accounts, etc. Such practices may expose USA to civil liability in the event of a Breach. The storage of Personal Data on the USA G-Suite platform, which is associated with an employee's USA email account, is allowed but not encouraged. The storage of Personal Data should be on USA managed servers whenever possible.
5. Procedures
-
- Inadvertent release, exposure, or compromise of confidential Personal Data, the loss or compromise of portable computing devices or removable media containing Personal Data, or the discovery of unauthorized access to Personal Data on a computer or data storage device;
- The use of USA computing resources in the commission of fraudulent activities that threaten to disclose Personal Data.
The University encourages stakeholders to report other concerns, suspected violations, or criminal activity to their supervisor or other campus entities as appropriate. In case of a “High Severity” incident, the USA Cyber Response Team (CRT) will be responsible for response. The Director of Information Security is responsible for coordinating the CRT and augments staff with subject matter experts as necessary.
6. Enforcement
Components of this policy may be subject to periodic reviews by applicable internal departments/personnel and external entities to ensure compliance. Suspected violations of this policy should be reported to infosec@southalabama.edu. Violations of the policy may result in the loss of system, network, and data access privileges, and administrative sanctions (up to and including termination or expulsion) as outlined in the Staff Employee Handbook, Section 7.3, Progressive Discipline, and the Faculty Handbook ("Termination/Dismissal").
7. Related Documents
7.1 USA Health “HIPAA Breach Notification”
7.2 USA Health “Minimum Necessary”
7.3 Information Systems Security (policy)
7.4 USA Privacy Statement (USA Website, for browsers)
7.5 Public Universities of Alabama Functional Analysis & Records Disposition Authority (Apr 2022)
7.6 The Records Disposition Authority Policy of the University of South Alabama
7.7 USA Records Management / Records Destruction Notice
7.8 Cardholder Data Environment (policy)
7.9 Payment Card Industry (PCI) General Merchant (policy)
7.10 Controlled Unclassified Information (CUI) Research (policy)
7.11 HIPAA Privacy Compliance Plan for Research
7.12 Alabama Data Breach Notification Act of 2018
7.13 Social Security Number (SSN) Protection (USA CSC Policy Website)
7.14 InfoSec Incident Response (policy)
7.15 Multi-Factor Authentication (policy)
7.16 Summary of Applicable Laws, Regulations, Acts, and Standards