Information to Comply with the Policy on the Handling of Brown Restricted Information
Purpose / University Position
Introduction
Handling Restricted Information
1. Recommended Best Practices
2. Disclosure
3. Computing Requirements
4. Transmission
5. Data Ownership Responsibilities
6. Managing Access to Restricted Information
7. Disposal of Restricted Information
8. Consequences for Unauthorized Access
Related Policies and Documents
Other Related Brown Policies and Guidelines
Whom to Contact
Purpose / University Position
This information is in support of the Policy on Handling Brown Restricted Information. While these guidelines are in place to ensure the protection of restricted and regulated information, it is the position of the University to minimize the use of such information; only those departments, processes, and personnel that have been approved to use restricted information may do so. The Data, Privacy and Record Management (DPRM) Steering Committee is the sole approving board for the University.
Introduction
Information is one of Brown University's most valuable resources and as such requires responsible management by all members of the Brown community. This document establishes guidelines for the proper protection of these valuable resources and promotes Brown's maintenance of strict confidentiality in compliance with applicable policies as well as state and federal regulations.
These guidelines address the handling of Brown data – whether communicated orally, in hard copy or electronic format; stored on desktop machines or mobile devices; or moved to media such as CD, tape, flash memory, or paper – for all members of the Brown community, including staff, faculty, students, affiliates, volunteers, and vendors.
Particular emphasis is placed on Brown Restricted Information, defined as information that should not be made public and which should only be disclosed under limited circumstances.
Handling Restricted Information
1. Recommended Best Practices
Access to Brown Restricted Information should be limited to those who need the information in order to fulfill professional responsibilities. All members of the Brown community who have been granted such access should exercise care and judgment to ensure adequate protection of Brown Restricted Information by following the practices delineated in the document Brown University Checklist for Protecting Information.
2. Disclosure
Individuals should not disclose any Brown Restricted Information that they obtain as a result of their employment at Brown to unauthorized persons. Full employee obligations are outlined in the "Confidentiality" section of the document Employee Responsibilities and Rights.
3. Computing Requirements
Brown Restricted Information should be protected whether it is being stored (on various media), transmitted (via network or email) or archived. The list of computing requirements is found in section 3.0 in the Policy on Handling Brown Restricted Information.
4. Transmission
Brown Restricted Information should never be transmitted over the network “in the clear.” It should always be transmitted using an Information Security Group-approved encryption mechanism. While the University does not currently have an enterprise encryption solution, CIS can supply solutions for secure transmission on a case-by-case basis. These solutions include VPN transmission, secure FTP, and file encryption. Please contact the CIS Help Desk at help@brown.edu for assistance and guidance.
As a one-time alternative for transmitting some forms of restricted information via email, attachments of password-protected documents or spreadsheets can be used in certain cases. Approval must be received in advance from the Chief Information Security Officer, who can provide the standards and requirements necessary.
5. Data Ownership Responsibilities
All Brown Restricted Information should have identified Data/Records Owners, who are responsible for implementing the following good managerial controls:
- Creating and reviewing audit trails of access to restricted data
- Regularly reviewing who has access to what data
- Monitoring preventive controls for compliance in their departments
- Educating end users regarding protection standards – set expectations
- Ensuring that there is appropriate training of staff on proper handling of restricted information
Data/Records Owners who authorize access to Brown Restricted Information should ensure that employees sign a Confidentiality Agreement at least once per year, or as the Data/Records Owners deem appropriate. New employees (including students and volunteers) should sign the agreement prior to access. Anyone who has been entrusted with restricted information has a responsibility to the Data/Records Owners for its proper use and protection.
6. Managing Access to Restricted Information
Strict control should be maintained over access to work locations, records, computer information, cash and other items of value. Individuals who are assigned keys, given special access or assigned job responsibilities in connection with the safety, security or confidentiality of such records, materials, equipment, or items of monetary value should use sound judgment and discretion in carrying out their duties and will be held accountable for any wrongdoing or acts of indiscretion. Furthermore, information may not be divulged, copied, released, sold, loaned, reviewed, altered or destroyed except as properly authorized within the scope of applicable federal or state laws.
At the conclusion of their employment or affiliation with Brown, individuals shall relinquish ownership of all University documents and records. They shall also maintain the confidentiality of University information even after they leave Brown. Questions regarding Brown-owned information should be directed to the employee’s supervisor, Department Chair, Department's Human Resources Representative, General Counsel, Chief Information Security Officer, or the Human Resources Department.
7. Disposal of Restricted Information
All restricted information should be disposed of in a confidential manner. To dispose of such records, departments and offices must:
- Take extra measures to wipe clean the hard drive of any machine or device that may contain restricted information before discarding, sending to surplus, or transferring it to another individual or department. (see Electronic Equipment Disposition Policy)
- Shred restricted paper documents that are no longer needed and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protect discarded information and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
8. Consequences for Unauthorized Access
Unauthorized access to any Brown Restricted Information by a member of the Brown community will be cause for disciplinary and possible legal action. Unauthorized access by an individual unaffiliated with Brown that indicates privacy, copyright, anti-trust, or other laws may have been broken may be referred to legal authorities.
Related Policies and Documents
Other applicable policies are found at the following links:
- Computing
  - Computing Information Services: Brown Information Checklist for Protecting Information
    www.brown.edu/cis/policy/protectinginfo.php
  - Computing Passwords Policy
    www.brown.edu/cis/policy/password.php
- Employees
  - Human Resources: Employee Responsibilities and Rights
  - Human Resources: Policies and Practices Policy #20.063, Confidential Information and SW Piracy
    www.brown.edu/Administration/Human_Resources/policies/20.063.html
  - Internal Audit: Records Retention Guidelines
    http://www.brown.edu/Administration/Internal_Audit/guidance/records
  - Internal Audit: Brown University's Department Risk-Control Self-Assessment Tool
    http://www.brown.edu/Administration/Internal_Audit/guidance/risk.html
- Students
  - Principles of the Brown University Community: The Academic Code and Non-Academic Conduct
    www.brown.edu/Administration/Dean_of_the_College/academic_code/code.html
- Faculty
  - Faculty Rules & Regulations
    http://www.brown.edu/Faculty/Faculty_Governance/rules.html
- Researchers
  - Office of Sponsored Projects: Policies and Procedures
    http://research.brown.edu/rschadmin/osp_policies.php
  - Brown University Policy for Responding to Allegations of Research Misconduct
    http://research.brown.edu/policies/misconduct.php
  - Brown University Policies and Procedures for the Protection of Human Participants in Research
    http://research.brown.edu/policies/hrpo.php
  - Office of the Provost: Policies and Procedures Relating to Research Privacy
    www.brown.edu/Administration/Provost/policies/rpp.html
- Health
  - Brown University Health Services: The Patient Bill of Rights and Responsibilities
    http://www.brown.edu/Student_Services/Health_Services/start/rights.html
  - Brown University Psychological Services: Statement of Confidentiality
    www.brown.edu/Student_Services/Psychological_Services/confidentiality.html
- General Safety
  - Department of Public Safety
    www.brown.edu/Administration/Public_Safety/
- Federal Regulations
  - Gramm-Leach-Bliley Act (GLBA): US Senate Banking Committee, Financial Services Modernization Act, Summary of Provisions
    http://banking.senate.gov/conf/grmleach.htm
  - Family Educational Rights and Privacy Act (FERPA): Office of Student Life policy summary
    www.brown.edu/Student_Services/Office_of_Student_Life/randr/federal/ferpa.html
  - Student Employment FERPA Non-Disclosure / Confidentiality Agreement
    http://financialaid.brown.edu/Content/Files/FERPAConfdAgre.pdf
  - US Department of Education, Final regulations (4/16/2004)
    www.ed.gov/legislation/FedRegister/finrule/2004-2/042104a.pdf
  - US Federal Trade Commission Red Flag Rules
    http://www.ftc.gov/bcp/edu/microsites/redflagsrule/more-about-red-flags.shtm
Other Related Brown Policies and Guidelines
- Acceptable Use Policy
- Checklist for Protecting Information
- Confidentiality Agreement Template
- Confidential Information and Software Piracy (HR Policy 20.063)
- Data Removal Recommendations
- Electronic Equipment Disposition Policy
- Electronic Mail Policy
- Guidelines for Transfer of Records to the Archives
- Intellectual Property Policies
- Policy on the Handling of Brown Restricted Information
- Records Retention Guidelines
- Responsible Conduct of Research
- Social Security Number – Usage and Protection Requirements
- SSN / Data Classification Questionnaire (document in process)
- SSN Policy Exception Form (document in process)
Whom to Contact
For more information about the management of certain restricted records, please contact the University office indicated:
- Administrative Records (Departments; University Archives)
- Advancement Records (University Advancement; Medical School)
- Alumni Records (Alumni Relations; University Archives)
- Corporation Records (Secretary of the University; University Archives)
- Electronic Records Security (Chief Information Security Officer)
- Environmental Health and Safety Records (Environmental Health and Safety)
- Facilities and Grounds Records (Facilities Management)
- Faculty Records (Dean of the Faculty)
- Financial/Budget Records (Office of the Controller)
- Intellectual Property Records (Office of the Vice President for Research)
- Legal and Regulatory Compliance Records (General Counsel; Office of the Vice President for Research)
- Personnel Records (Human Resources; Division of Biology and Medicine; Dean of the Faculty)
- Research Records (Office of the Vice President for Research; Office of Sponsored Projects)
- Student Academic Records (Office of the Registrar; Dean of the College; Dean of the Graduate School; Medical School)
- Student Life Records – including medical (Office of Student Life)
- Student Statistics (Office of Institutional Research; Medical School; Graduate School)
- University Archives – historical records (University Archives)
- University Research Data and Compliance (Office of the Vice President for Research)
Questions or comments to: ITPolicy@brown.edu
Effective Date: April 2, 2012
