Library Document Details

Data Protection and Security Policy

Abstract:
Data (electronic) created at UAB must be protected and maintained in accordance with all applicable federal and state laws and university policies.
Effective Date:
2/22/2017
Contacts:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Material Original Source:

 

University of Alabama at Birmingham  

DATA PROTECTION AND SECURITY POLICY  

February 22, 2017  

(Replaces policy dated March 19, 2007) 

 

Related Policies, Procedures, and Resources
Data Classification Rule
Data Protection Rule
FAQs

  
INTRODUCTION
 
UAB electronic information assets (data) must be protected and maintained in accordance with all applicable federal and state laws and university policies.  The intent of this policy is to provide a framework to ensure that electronic data, in all forms, are adequately protected.  This policy specifically outlines:
·        The roles and responsibilities of the UAB community for data protection and security;
·        Additional requirements associated with the use and maintenance of systems containing sensitive information.
 
SCOPE AND APPLICABILITY OF POLICY
 
Managing and protecting data are responsibilities shared by all members of the UAB community (i.e., all individuals (faculty/staff/students/visitors), schools, departments, affiliates, and/or other similar entities within the UAB, including employees of contracted or outsourced non-UAB entities).  This policy applies to all UAB data and systems including, but not limited to, centralized institutional systems, departmental/unit systems, systems created or operated by third party vendors under the direction of UAB, and UAB data in any system.
 
POLICY STATEMENT
 
All members of the UAB community should protect their data and data under their control and periodically review all applicable data security, confidentiality, and acceptable use policies.  The following rules and policies apply to data classification and protection:
·        Institutional Data must be classified according the UAB Data Classification Rule.
·        University Data must be protected according to the UAB Data Protection Rule.
·        Health System data must be protected according to the UAB HIPAA Policies.
 
Any information system that stores, processes or transmits institutional data must be secured in a manner that is considered reasonable, appropriate, and compliant with university policies and Federal and State Laws.  The required level of security depends on the nature of the data, as defined in the UAB Data Classification Rule.
 
Risk Assessment
Deans and administrative unit heads (in conjunction with UAB Information Technology) are responsible for ensuring the assessment and periodic review of the business processes and technical risks associated with implementing any planned, proposed, or existing electronic information system or data collection system.  Risk assessments must identify specific procedures to minimize risks and the impact of potential breach/compromise of data.
 
Other Data Security Policies at UAB
Other data security policies implemented at UAB (campus-wide or locally by/for a specific department, school, or system) may be more restrictive than this UAB-wide policy but may not be less restrictive.  Each university department/unit is responsible for implementing, reviewing, and monitoring internal policies, practices, etc. to assure compliance with this policy.
 
Incident Reporting and Management
Any suspected breach or compromise of sensitive or restricted data must be reported immediately to the Information Security Office in the Office of the Vice President for Information Technology and to the dean or administrative unit head.  Specific procedures for reporting a suspected or actual breach/compromise of data are located on the Information Security web site.  Upon receiving the report, the Information Security Office will be responsible for conducting or coordinating the investigation, making or assessing recommendations for corrective action, reporting the incident to the Executive Computer Incident Response Team (ECIRT) and other administrative units as needed, and maintaining documentation of the incident.
 
Exception
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs.  To request a security exception, complete the Information Security Exception Request Form.
 
NON-COMPLIANCE
 
Confirmed violations of this policy will result in consequences commensurate with the offense, up to and including termination of employment, appointment, student status, or other relationships with UAB.
 
MAINTENANCE
 
This policy will be reviewed by the UAB’s Information Security Office periodically or as deemed appropriate.
 
IMPLEMENTATION
 
The Vice President for Information Technology is responsible for the oversight and implementation of this policy, including the overall procedures related to its implementation and management.