X-99.16(A)

UMB Protection of Confidential Information

Information Technology   |   Approved April 13, 2015

---

Responsible VP/AVP

Peter J. Murray, PhD, CAS, MS

---

Applies to Staff

---

Revision History

Approved April 13, 2015.

---

Policy Statement

Data and information are important assets of the University and must be protected from loss of integrity, confidentiality, or availability in compliance with University policy, state and federal law and regulations. 

The purpose of this document is to provide guidance in  complying with Section III, Item 3, Confidential Information Standard, of the USM IT Security Standards.  This section states that USM institutions are required to establish an institutional policy for the protection of confidential information.

Purpose

This policy is intended to provide University of Maryland Baltimore faculty and staff with a basic understanding of their responsibilities to protect and safeguard the Confidential Information to which they have access as a result of their employment.

Definitions

PII – Personally Identifiable Information

PHI – Protected Health Information

USM has defined confidential data to include:

Under State Government Article, §10-1301 (SB 676 - 2012), personal information is defined as:
An individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements: 

a social security number;

a driver’s license number, state identification card number, or other individual identification number issued by a unit; 

a passport number or other identification number issued by the united states government; 

an individual taxpayer identification number; or

a financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account.

Educational Records, as defined and when protected by 20 U.S.C. § 1232g; 34 CFR Part 99 (FERPA), in the authoritative system of record for student grades

In addition, any Protected Health Information (PHI), as the term is defined in 45 Code of Federal Regulations 160.103 (HIPAA)

Policy Statement

To safeguard PII or other confidential data, the general rules below must be followed:

All employees with job duties that require accessing confidential information are required to safeguard such information and only use it or disclose it as expressly authorized or specifically required in the course of performing their specific job duties.

Employees are prohibited from sharing their user credentials or permitting another employee to access sensitive information in data bases and/or systems.

Employees who have access to confidential information are expected to know and understand associated security requirements, and to take measures to protect the information, regardless of the location of the data, e.g., local personal computers, server file shares, physical storage environments (offices, filing cabinets, drawers), and magnetic and optical storage media (hard drives, diskettes, tapes, CDs, flash drives). Computer display screens should be positioned so that only authorized users can view confidential information, and confidential information should be discarded in a way that will preserve confidentiality (e.g., in a shred box, not in a trash can or recycling bin).  Requirements are contained in the UMB Data Classification Matrix. (add link)

Paper records containing PII or confidential information must be kept in locked files.

Electronic records containing PII or confidential information must be stored on secure servers.

PII or confidential data should not be stored on any mobile devices, including notebook computers, smart phones, external hard drives, USB thumb drives, etc.

When it is necessary to remove records containing PII or confidential data from UMB, employees must safeguard the information and never leave it unattended.

When there is a legitimate need to provide records containing PII or confidential information to a third party, electronic records must be password-protected and encrypted, and paper records must be marked confidential and securely sealed.

Employee misuse of confidential information and/or the systems in which the information is stored is a serious breach of job responsibilities and will result in discipline up to and including termination of employment.