Policy on the Handling of Brown Restricted Information

1.0 Purpose
2.0 Scope
3.0 Policy
3.1 Access, Storage, Transmission and Back-Up of Restricted Information
3.2 Release of Information
3.3 Confidentiality Agreement
4.0 Special Statement on the Collection, Storage, and Use of Social Security Numbers
5.0 Special Statement on the Research Data
6.0 Special Statement on Protected Health Information (PHI)
7.0 Policy Enforcement
8.0 Related Policies and Documents

1.0 Purpose

Brown University is dedicated to ensuring the privacy and proper handling of private and restricted information of its students, employees, and individuals associated with the University. The primary purpose of this policy is to ensure that the necessary policy and awareness exist so that University employees and students comply with all applicable laws and regulations. This document establishes minimum requirements for the proper handling and protection of Brown Restricted Information. All departments shall limit access to Brown Restricted Information to those individuals with a university and/or business need to the information in order to do their job.

2.0 Scope

This policy applies to all Brown Restricted Information, which includes but is not limited to: social security numbers, credit card numbers, medical records, dates of birth, driver's license numbers, addresses1, and passport information.

For the purposes of this policy, restricted information is covered in any tangible format, including but are not limited to, paper, photographs, film, audio and videotapes, microforms, drawings, databases, email, and any other electronic records.

All members of the Brown community, including staff, faculty, students, affiliates, volunteers, and third party vendors or contractors shall comply with this policy. Vendor contracts should include a clause referencing this policy.

3.0 Policy

The following minimum requirements have been developed to ensure that adequate controls are in place.

3.1 Access, Storage, Transmission and Back-up of Restricted Information Access

  • Access controls to all Brown Restricted Information must be documented.
  • Brown Restricted Information must have a designated Data Owner who authorizes such access.
Storage
  • Brown Restricted Information in electronic format must be stored on a server centrally managed by Computing and Information Services (CIS) or in an environment that is under strict legal contracts with the university that meet this policy, and not on a workstation, laptop, portable storage device, or locally managed server. Exceptions must be reviewed and approved in writing by the University's Chief Information Security officer.
  • An approved local machine must be in a physically secure location and require a unique logon with a strong password for each individual with authorized access (i.e. shared accounts and passwords are prohibited). Security logs must be enabled and periodically reviewed by the locally approved department.
  • Brown Restricted Information must be housed on a server or approved workstation that meets current operating system, hardware and software support levels.
  • Brown Restricted Information in any hard copy format must be stored in locked cabinets or offices, and not be able to be accessed by unauthorized persons.
Transmission
  • Brown Restricted Information should never be transmitted over the network "in the clear." It should always be transmitted using an Information Security Group-approved encryption mechanism.
  • Brown Restricted Information should never be transmitted via unencrypted email. Password-protected documents or spreadsheets can be used as attachments in certain cases, with approval of the Chief Information Security Officer.
Backups
  • It is the responsibility of everyone entrusted with Brown Restricted Information to back it up and store it in a secure and controlled location. The use of the CIS centrally-managed data center is the recommended solution.
  • Backup of Brown Restricted Information should be encrypted if technically feasible.

3.2 Release of Information

Restricted information concerning individual students or employees may be released only if the release of such information has been authorized by the Data Owner (the University employee identified as being responsible for the classification and data oversight for a functional area, or certain type of protected information). The Data Owner is responsible for the protection, confidentiality, and release of the information assigned to them, in accordance with University Policy, regulatory mandates, and legal obligations to release.

Additional information on the roles of the Data Owner can be found in the Data Protection Roles and Responsibilities document.

3.3 Confidentiality Agreement

Data Owners who authorize access to Brown Restricted Information should ensure that those with access sign a Confidentiality Agreement. All authorized users of Brown Restricted Information are also required to successfully complete the "Protecting Brown Information" class (contact Computing Accounts and Passwords for details).

4.0 Special Statement on the Collection, Storage, and Use of Social Security Numbers

While it is recognized that a small number of areas, departments, and processes have a need to utilize social security numbers, any use of this identifier puts members of the Brown community at a greater risk of identity theft. As a result, any Brown department that currently uses, or wishes to collect, store, or use social security numbers in any format must:

  • Show institutional need,
  • Receive approval from the Data, Privacy, and Records Management Steering Committee, and
  • Permit audits (including server and application security) at least annually to ensure safe SSN handling

Additional information specific to social security numbers can be found in the Social Security Number – Usage and Protection Requirements.

5.0 Special Statement on Research Data

As a research institution, Brown collects, stores and utilizes large amounts of research data which may be restricted, confidential and protected information. In addition to the stipulations on handling such information as outlined in this policy, guidance and oversight is provided by the Office of the Vice President of Research. The OVPR assists faculty in ensuring that research complies with institutional and federal standards, beginning with proposal preparation and review, and extending throughout the performance of the research and into evaluation and reporting of research project results.

Additional guidance and support can be found on the Research Administration, Policies, Procedures & Forms page.

6.0 Special Statement on Protected Health Information (PHI)

Although Brown University is not a Covered Entity as defined in the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations, the University's policies and procedures, which govern the privacy rights of its research participants, students, faculty and staff, are compatible with those required by HIPAA for Covered Entities. Further guidance on PHI in research can be found in the Policies and Procedures for Research Privacy on the Office of the Provost's website.

PHI that is collected for normal business use (such as employee health benefit information, and PHI collected in the University Health Services Department), must be reviewed regularly for cataloging, review, protection and approvals. Further guidance and information can be directed to the University's Chief Information Security Officer.

7.0 Policy Enforcement

Violation of this policy may result in disciplinary action, up to and including termination of employment.

8.0 Related Policies and Documents

Policies and Procedures:

Acceptable Use Policy
Checklist for Protecting Information
Computing Passwords Policy
Data Protection Roles and Responsibilities
Information to Comply with the Policy on the Handling Brown Restricted Information
Social Security Number – Usage and Protection Requirements

Forms:

Brown's Medical Release Form
Confidentiality Agreement Template
SSN Policy Exception Form

Questions or comments to: ITPolicy@brown.edu

Effective Date: April 2, 2012
Last Reviewed: May, 2014
Next Scheduled Review: May, 2015

1 It should be noted that, under FERPA, Brown has designated student university addresses as directory information.