Department of Information Technology
Department of Information Technology
President’s Cabinet
Date of Approval: May 10, 2016
Date of Last Revision: May 10, 2016
Next Review Date: May 2017
In support of its educational mission, Heritage University acquires, develops, maintains, and archives information. Some of this information is confidential or restricted, either for the business purposes of the University or for the purpose of protecting the privacy and security of the individuals who work and learn there. This policy is intended to provide guidance and requirements for identifying and protecting the sensitive information with which the University is entrusted.
Reason for Policy/Purpose
Information with sensitive data is found throughout the campus community in various forms. It is collected, stored, archived and often transmitted in print, electronically, and orally. Heritage University is committed to protecting the privacy and security of the information entrusted to it. In addition, there are legal mandates for securing some of this data. Everyone who handles or has access to sensitive information is responsible for protecting information in a legal, judicious, and secure way.
Who Needs to Know this Policy
This program applies to the administrative, technical and physical security of all University information that is acquired, transmitted, processed, stored, transferred and/or maintained by Heritage University or any Heritage University auxiliary organization. It applies to all Heritage students, employees, consultants, contractors or any person having access to University information in any form or format.
Website Address for this Policy
For more information about this policy, please contact James Bush, Vice President for Information Technology.
Personally Identifiable Information (PII): A piece of data or combination of data that allows an entity to uniquely recognize or infer the identity of a person. This data is considered sensitive if, when compromised or disclosed, it could result in harm, embarrassment, inconvenience or unfairness to an individual.
Data are generally considered sensitive PII especially in combination with a person’s full name or other unique identifier such as address or phone number. The following is a list of Sensitive PII, although this list is not exhaustive.
- Social Security Number
- Financial account numbers such as credit cards, bank accounts, or brokerage accounts
- Driver’s License
- Passport Number
- State or Federal ID Card Number
- Date of birth
- Citizenship or Immigration Status
Confidential Data: Data which is legally regulated; and data that would provide access to restricted information. All Sensitive PII is considered confidential and must be handled in conformance with the guidelines in this policy.
Restricted data: Data which, while not legally protected, could be misused to the detriment of the University, its students, faculty, staff, partners, alumni or other third parties; and data protected by contractual obligations.
Sensitive Data: A term covering both confidential and restricted Data.
Data Security Officer: The senior administrator responsible for ensuring that data is handled safely and securely and that this policy is enforced. At Heritage the Vice President of Information Technology is the Data Security Officer.
Mobile Device: A small, portable computing device capable of transmitting and receiving data without physical connection to another source. This includes but may not be limited to laptops, smart phones, tablet computers, USB flash drives, and Personal Digital Assistants. ALL Heritage-related confidential and restricted information stored on a mobile device must be encrypted.
Encryption: The process of transforming information using an algorithm or cipher to make it unreadable to anyone except those possessing special knowledge or a key. Encryption software or devices are available from the Heritage University Information Technology Department.
The guidelines below apply to all confidential data, and where noted to restricted data as well.
1. Limit the collection of confidential data.
- Confidential data should only be collected if necessary for the conduct of business. In particular, applications and forms should not ask for PII unless the information must be available to validate or move forward with a process.
- Credit card information should, when possible, go directly to a secure processing site. The Data Security Officer must approve any device that possesses, transmits or stores credit card numbers.
2. Limit the use of confidential and restricted data.
- Access data only in the conduct of University business.
- Require only the minimum confidential data or restricted data necessary to perform University business.
- Respect the confidentiality and privacy of individuals whose records you may access.
- Observe any ethical restrictions that apply to data to which you have access.
- Know and abide by applicable laws or policies with respect to access, use, or disclosure of data.
3. Minimize the proliferation of confidential and restricted data.
- Avoid all unnecessary duplication of sensitive information. Copy only the information required for the intended purpose. Delete any duplicates once they are no longer needed.
- Confidential and restricted information should be given only to others with a need to know.
- Confidential and restricted information cannot be taken off campus unless authorized by a Vice President and in an encrypted format.
- Confidential data cannot be transmitted through any electronic messaging (i.e. email, instant messaging, text messaging) even to other authorized users, unless encrypted.
- Confidential data in a physical format cannot be transmitted through untracked delivery methods. Campus mail and regular postal services are not tracked delivery methods.
4. Secure confidential and restricted data.
- Confidential and restricted data in electronic format must be stored on one of the following: 1) an IT managed secure server (preferred); 2) an IT managed desktop; 3) an IT managed mobile device with encryption.
- If encryption is turned off, the IT Department has the authority to remove data from the device.
- Sensitive data may never be stored on a personal device.
- When handling physical documents containing any confidential and/or restricted data types, the documents must be in your possession at all times; otherwise they should be stored in a secure location (e.g. room, file cabinet, etc.) to which only specifically-approved individuals have access through lock and key. When the information is no longer needed, the physical documents must be shredded using a university-approved device prior to being discarded; or destroyed by a university-approved facility.
- In an open office environment paper documents with confidential or restricted information should be stored in locked cabinets. Paper documents should not be left in an unsecured office after work hours.
- Passwords: All account passwords must be complex. A complex password is defined as follows:
  - At least 10 characters long
  - Cannot contain three or more characters from the user’s account name
  - Must contain at least one character from the following categories:
    - Uppercase English letter (A to Z)
    - Lowercase English letter (a to z)
    - Number (0 to 9)
Passwords expire after 90 days. Passwords must never be written down or shared with other users.
5. Compliance with this data protection policy is the responsibility of all members of the University community. Violations of these policies will be dealt with seriously and will include sanctions, up to and including termination of employment. Report any privacy incident immediately to your supervisor or the Data Security Officer.
Related Policies and Procedures
Record Management Policy
Information Technology Appropriate Use
TBD HIPAA Policy
Data Security Policy
Approved on 05/10/2016