Guidelines for Safeguarding Information

1.0 Purpose
2.0 Scope
3.0 Guidelines
3.1 Data Classification
3.2 Recommended Best Practices
3.2.1 Handling Information
3.2.2 Managing Research Information
3.2.3 Data Stewardship Responsibilities
3.3 Non-Disclosure and Non-Use
3.4 Public Disclosures
3.5 Release of Information
3.6 Proper Disclosure
3.7 Computing Requirements
3.7.1 Data Storage and Transmission
3.7.2 Encryption and Certification
3.8 Access
3.9 Respect for the Confidential Information of Others
3.10 Summary of Guidelines
4.0 Related Policies and Documents
5.0 Other Related Documents

1.0 Purpose

Information is one of Brown University's most valuable resources and as such requires responsible management by all members of the Brown community. This document establishes specific guidelines for the proper protection of these valuable resources and promotes Brown's maintenance of strict confidentiality in compliance with applicable policies as well as state and federal regulations.

2.0 Scope

These guidelines address the handling of Brown data, whether communicated orally, in hard copy or electronic format, for all members of the Brown community, including staff, faculty, students, affiliates, volunteers or others.  This document applies to information stored on mobile and cellular devices or moved to media such as CD, tape, flash memory, or paper.

Particular emphasis is placed on Brown sensitive information, defined as information which should not be made public and which should only be disclosed under limited circumstances, and includes but is not limited to:

  • All information identifiable to an individual (including students, staff, faculty, trustees, donors, and alumni) including but not limited to social security numbers, dates of birth, student education records, medical information, benefits information, compensation, loans, financial aid data, alumni information, donor information, and faculty and staff evaluations.
  • The University's proprietary information including but not limited to intellectual research findings, intellectual property, financial data, and donor and funding sources.
  • Information, the disclosure of which is regulated by federal, state, and/or local government (e.g., FERPA, GLBA and data collected from human subjects).

3.0 Guidelines

Many employees, including student employees, generate or are exposed to sensitive Brown information in the course of their jobs and use it to perform important functions. It is vitally important that all individuals handle Brown sensitive information properly, to protect the individuals whose sensitive information is being processed, as well as those who handle this information.

In addition, such information may contain proprietary content, research findings or other intellectual property that cannot be disclosed beyond those who need it. If such information is disclosed to unauthorized parties, the University could be harmed financially, by reputation, or both.

Circumventing or attempting to circumvent restrictions on the use and dissemination of Brown sensitive information can be considered a serious offense and may result in disciplinary or legal action, up to and including suspension or termination for Brown employees or others working for Brown.

These guidelines allow for the release or exchange of Brown information in accordance with the recommended best practices outlined below. Brown employees must not divulge confidential information regarding Brown University to an outside party except for a legitimate business, research, or academic purpose. If such information has not been made public by Brown, it should be treated as confidential.

Should Brown Sensitive Information be received in error, the recipient has an obligation to report its receipt to IT Security. [contact information | email address].

3.1 Data Classification

For the purpose of these guidelines, Brown University will classify its information in three categories: Brown Confidential, Regulated, or Public.

  • Public information can be shared with anyone without damage to the University.
  • Regulated information is not only confidential but subject to regulatory compliance (e.g., FERPA, GLBA and data collected from human subjects) and external audit.
  • All other information is Brown Confidential. See Brown's data classification chart for examples of data that falls into these categories.

3.2 Recommended Best Practices

3.2.1 Handling Information

Faculty, staff and students should exercise care and judgment to ensure adequate protection of Brown sensitive information (abbreviated as BSI throughout the following list). It is therefore recommended that they:

  • Adopt "clean desk practices". Don't leave paper documents containing BSI unattended; protect them from the view of passers-by or office visitors. It is recommended that confidential documents contain a cover sheet. [Sample cover sheet, sample confidentiality statements]
  • Close office doors when away from your office.
  • Add a "Confidential" watermark to a Word document. (Steps vary by operating system and version. Consult the directions found in the Help menu.)
  • Store paper documents containing BSI in locked files with a controlled key system (a list of individuals who have access should be documented) or an appropriately secured area.
  • Lock file cabinets containing BSI before leaving the office each day.
  • Do not leave the keys to file drawers containing BSI in unlocked desk drawers or other areas accessible to unauthorized staff.
  • Store paper documents that contain information that is critical to the conduct of University business in secure file cabinets. Keep copies in an alternate location.
  • Shred paper documents containing BSI when they are no longer needed, making sure that such documents are secured until shredding occurs. If a shredding service is employed, the service provider should have clearly defined procedures in the contractual agreement that protect discarded information, and ensure that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
  • Immediately retrieve or secure documents containing BSI as they are printed on copy machines, fax machines or printers. Double-check fax messages containing confidential information:
    • Recheck the recipient's number before you hit 'Start.'
    • Verify the security arrangements for a fax's receipt prior to sending.
    • Verify that you are the intended recipient of faxes received on your machine. If you are not, contact the intended recipient and make arrangements for the proper dispatch of the fax.
  • Do not discuss BSI outside of the workplace or with anyone who does not have a specific "need to know". Be aware of the potential for others to overhear communications containing BSI in offices, on telephones, and in public places like elevators, restaurants, and sidewalks.
  • Ensure that electronic equipment containing BSI is securely transferred or disposed of in a secure manner, per Brown's Electronic Equipment Disposition Policy.
  • Immediately report the theft of Brown electronic computing equipment to the Department of Public Safety. Loss or suspected compromise of data containing BSI should be immediately reported to IT Security.

3.2.2 Managing Research Information

Research information must be protected as stipulated in university policy.  One of the best protection methods is to keep collected research data in a separate location from its key identifiers (such as names, telephone numbers, birth dates, and social security numbers*).  It is recommended that this separation of data from identifier be part of data collection procedures from the very start when building a database, which could entail, for example, a main table of identifiers that is then associated with tables holding research data.

* See section C (1) of the Policies and Procedures Relating to Research Privacy for a listing of common identifiers.
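
An added illustration of the separation described above (not part of Brown's guidelines or any Brown system): identifiers live in one SQLite database and research data in another, linked only by a random study ID. The table and column names, the use of SQLite, and the sample record are assumptions made for the example.

```python
import secrets
import sqlite3


def open_stores(id_path=":memory:", data_path=":memory:"):
    """Open two separate databases: one for identifiers, one for research data."""
    ids = sqlite3.connect(id_path)
    data = sqlite3.connect(data_path)
    ids.execute("CREATE TABLE IF NOT EXISTS participant ("
                "study_id TEXT PRIMARY KEY, name TEXT, phone TEXT, birth_date TEXT)")
    data.execute("CREATE TABLE IF NOT EXISTS response ("
                 "study_id TEXT, question TEXT, answer TEXT)")
    return ids, data


def enroll(ids, name, phone, birth_date):
    """Store identifiers under a random study ID that reveals nothing about the person."""
    study_id = secrets.token_hex(8)
    with ids:  # commits on success
        ids.execute("INSERT INTO participant VALUES (?, ?, ?, ?)",
                    (study_id, name, phone, birth_date))
    return study_id


def record(data, study_id, question, answer):
    """Store a research observation keyed only by the study ID."""
    with data:
        data.execute("INSERT INTO response VALUES (?, ?, ?)",
                     (study_id, question, answer))


def analyst_view(data):
    """Everything visible to someone with access to the research store alone."""
    return data.execute(
        "SELECT study_id, question, answer FROM response ORDER BY rowid").fetchall()


def reidentify(ids, data, study_id):
    """Linking a response back to a person requires access to both stores."""
    person = ids.execute(
        "SELECT name FROM participant WHERE study_id = ?", (study_id,)).fetchone()
    answers = data.execute(
        "SELECT question, answer FROM response WHERE study_id = ? ORDER BY rowid",
        (study_id,)).fetchall()
    return (person[0] if person else None), answers


def demo():
    ids, data = open_stores()
    sid = enroll(ids, "Jane Example", "555-0100", "1990-01-01")  # constructed sample
    record(data, sid, "hours_slept", "7")
    return sid, analyst_view(data), reidentify(ids, data, sid)


if __name__ == "__main__":
    print(demo())
```

In practice the two database files would sit in different locations with different access lists, so that a copy of the research store on its own carries no names, phone numbers or birth dates.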

3.2.3 Data Stewardship Responsibilities

There are four basic roles for proper data stewardship at Brown: data owner, manager of policies and procedures for access to that data, manager of the infrastructure and account access, and data user.

All Brown Sensitive Information should have an identified owner, and anyone who has been entrusted with sensitive information has a responsibility to the data's owner for its proper use and protection.

These data stewardship responsibilities are detailed in the Data Protection: Roles and Responsibilities chart.

3.3 Non-Disclosure and Non-Use

Sharing Brown sensitive information directly with other colleges and universities may violate antitrust laws. Particular care should be taken in the disclosure of financial aid data, faculty salaries, and tuition and fees that are not yet final. Violations of antitrust laws may have serious consequences for Brown University and for individuals. Certain general information may be shared in surveys conducted by other colleges and universities. Individuals who work in areas that deal with matters which may be subject to antitrust laws, or who have questions regarding the disclosure of information to competitors, should contact the Office of the Vice President and General Counsel at 401-863-9900 to clarify their responsibilities relative to these issues.

Individuals should not disclose any Brown sensitive information that they obtain as a result of their employment at Brown to unauthorized persons, nor should they use it for their own personal benefit, or for the profit of others. This obligation continues after an individual's association with Brown University ends.

3.4 Public Disclosures

Individuals may be asked for information about Brown University by the media, outside groups, consultants and others collecting information for various purposes. No one should make public statements on behalf of Brown or provide Brown sensitive information in response to external inquiries unless he/she has been authorized to do so.

  • Refer all employment verification and reference requests to the HR Information Services section of the Human Resources Department at 863-3175.

Anyone attempting to serve the University with a legal summons, subpoena, or court order of any type should be directed to the Office of General Counsel, which will accept service of the document for the University and will coordinate all responses to such requests. When legal requests are made concerning wages, wage garnishments, and employee records, Payroll and/or Human Resources should also be notified so they may coordinate with the Office of General Counsel.

3.5 Release of Information

Confidential information concerning individual students or employees may be released only if the release of such information has been properly authorized. [Examples of information release forms are Brown's Medical Record Release form and the Disability Support Services Registration and Release Form.] Information that is found in the Course Announcement Bulletin and within the Brown University web site is considered in the public domain and individuals do not need to seek authorization to release this information.

3.6 Proper Disclosure

Some individuals must disclose Brown sensitive information as a part of their job responsibilities. These guidelines are not intended to prohibit such authorized disclosures.

A few examples of situations in which such information might properly be disclosed are:

  • Disclosure of operational data to vendors or consultants in connection with their formal engagement to provide services to Brown University; a Non-Disclosure Agreement must also be signed by vendors who have access to sensitive information. Vendors must also comply with all applicable Federal, state, and local laws/regulations in the production of goods or performance of services as delineated in section 6 of the University's Purchasing Procedures.
    Note: When such information is subject to regulatory restrictions, vendor contracts should include a clause referencing those restrictions. Managers should contact the Office of the General Counsel for appropriate Gramm-Leach-Bliley language.
  • Participation in legitimate and authorized surveys;
  • Providing data to government agencies as part of required filings; or
  • An authorized individual responding to media or financial analyst inquiries.

Individuals should be certain that they understand what they have been authorized to disclose, and to whom, prior to disclosing any Brown sensitive information. Questions regarding the appropriateness of requests for information from internal or external parties should be directed to a supervisor, chair, dean, the Department of Human Resources, the Controller's Office, or the Office of General Counsel.

3.7 Computing Requirements

3.7.1 Data Storage and Transmission

Strict control must also be maintained over Brown sensitive information that is stored on personal computers, external media (such as CDs, tapes, or memory sticks) or centrally on servers, as well as transmitted across Brown's network. The following guidelines have been developed for the storage and transmission of Brown sensitive information data:

  • Storage
    • Brown sensitive information must be stored on a centrally managed server and not on a workstation or locally managed server. Exceptions must be reviewed and approved by IT Security.
    • A local machine approved by IT Security for storage of Brown sensitive information must be in a physically secure location and require a unique logon with a strong password for each individual authorized to use it (i.e. shared accounts and passwords are not permitted). Security logs must be enabled and periodically reviewed.
    • Whether the Brown sensitive information is housed on a server or workstation, the machine must meet current operating system, hardware and software support levels.
  • Transmission
    • Brown sensitive information should never be transmitted over the Internet “in the clear.” It should always be transmitted using an IT Security-approved encryption mechanism (as listed in section 3.7.2 below).
    • Brown sensitive information should not be transmitted via email.
  • Backups
    • It is the responsibility of everyone entrusted with Brown data to back it up and store the backup in a secure location.
    • Backups of Brown sensitive information should be encrypted whenever technically feasible.
    • Unencrypted backups should be physically secured and not accessible to unauthorized personnel at any time.
  • Access
    • Access controls to all Brown sensitive information must be documented.

3.7.2 Encryption and Certification

The transmission of Brown sensitive information over the network should be protected by an approved encryption mechanism to ensure its proper protection. Any method of encryption or transmission system other than those listed below should be reviewed and approved by IT Security before being used.

Transport Encryption

  • HTTPS
  • Secure Shell (scp/sftp)
  • SSL/TLS
  • FTPS (TLS wrapped FTP)
  • IPSec

File/Email Encryption

  • S/MIME signed and encrypted email
  • PGP/GnuPG encrypted email and files
  • Password-protected zipfiles
  • Password-protected Microsoft Office documents

3.8 Access

Brown University should maintain strict control over access to work locations, records, computer information, cash and other items of value. Individuals who are assigned keys, given special access or assigned job responsibilities in connection with the safety, security or confidentiality of such records, materials, equipment, or items of monetary value should use sound judgment and discretion in carrying out their duties and will be held accountable for any wrongdoing or acts of indiscretion. Furthermore, information may not be divulged, copied, released, sold, loaned, reviewed, altered or destroyed except as properly authorized within the scope of applicable federal or state laws.

Unauthorized access to any Brown sensitive information by students, faculty or staff will be cause for disciplinary and possible legal action. Unauthorized access by others, in situations which indicate that privacy, copyright, antitrust, or other laws may have been broken, may be referred to legal authorities.

3.9 Respect for the Confidential Information of Others

Anyone who may become familiar with another university's or person's confidential information should take care to respect the proprietary nature of this information and not use it or reveal it without authorization.

3.10 Summary of Guidelines

Access to Brown sensitive information should be limited to those who need the information in order to fulfill professional responsibilities. Data owners who authorize access to Brown sensitive information should ensure that employees sign a Confidentiality Agreement at least once per year, or as the data owners deem appropriate. New employees (including students and volunteers) should sign the agreement prior to access.

At the conclusion of their employment or affiliation with Brown, individuals should relinquish ownership of all University documents and records. They should also maintain the confidentiality of University information even after they leave Brown. Questions regarding Brown-owned information should be directed to the employee’s supervisor, Department Chair, Human Resources Representative, General Counsel or the Human Resources Department.

4.0 Related Policies and Documents

Other applicable policies are found at the following links:

See also:

5.0 Other Related Documents

Acceptable Use
Administrative Information Systems Confidentiality Agreement
Confidentiality Agreement Template
Data Classification Chart

Data Protection Roles
Disposition of Surplus Property policy (Word document)
Data Removal Recommendations
Brown University Checklist for Protecting Information

Questions or comments to: ITPolicy@brown.edu

Effective Date: January 18, 2007
