View: Text-Only | Mobile

 

Data security & classification:
information for employees

All employees of the University are responsible for safeguarding the privacy and security of data stored on their individual computers and on any shared or removable media. They are also responsible for safeguarding all information to which they have been given access via applications, systems, reports, etc.

Every University employee has an obligation to abide by the standards of acceptable and ethical use included in the University's data and computing standards and guidelines.

  • Use only those information technology and computing resources for which you are authorized.
  • Implement security in your daily interactions with people, data, systems, and facilities.
  • Be conscious of the environment around you and notify the appropriate security/system administrators if you notice any security vulnerability.
  • Use computing and information technology resources only for their intended purposes.
  • Safeguard the integrity of University data by taking all reasonable steps to protect University data from theft; destruction; unauthorized access; or any form of compromise resulting from negligent acts, or omissions.
  • Properly create, access, use and dispose of University data based on the data's classification.
  • Appropriately back up data and computer system and applications software to allow for recovery if there is a disruption.
  • Use antivirus software on any computer system you use which accesses University data or computing systems/resources.
  • Obtain authorization for the processing of University data or conducting University business on home computer systems from the appropriate Data Custodian.
  • Only perform remote/distributed access to administrative or research computer systems via a virtual private network (i.e., VPN).
  • Notify the appropriate system, network and/or security administrator(s) of any suspected or actual security violations/incidents.
  • Be aware that the University disclaims any loss or damage to software or data that results from its efforts to enforce its data computing standards.

--Adapted from the University of Massachusetts Data and Computing Policies, Standards and Procedures Summary
University Employees – Faculty and Staff

Violation of University data and computing standards/guidelines may result in the loss of your computer account; disconnection from networks; your being denied or given limited access to University data, applications and/or computer systems. Individuals may be subject to reprimand, suspension, dismissal/termination, or other disciplinary action based on the offence and may be charged with criminal offenses or have civil action taken for computer abuses or violation of law within the confines of law.

Data classification

There are three classifications for University data:

  • Confidential

    Data whose loss, corruption or unauthorized disclosure would be a violation of federal or state laws/regulations or University contracts (i.e., protected data); personally identifiable data; data that involves issues of personal privacy; or data whose loss, corruption or unauthorized disclosure may impair the academic, research or business functions of the University, or result in any business, financial, or legal loss.

  • Operational Use Only

    Data whose loss, corruption or unauthorized disclosure would not necessarily result in any business, financial or legal loss BUT which the University had determined is critical to its business and requires a higher degree of handling than unclassified data. Access to Operational Use Only data is available to data custodian approved users only.

  • Unclassified

    Data that does not fall into any of the other data classifications noted below, and may be made generally available without specific data custodian approval.

Definitions

  • What is a data custodian?

    Essentially, all employees are the data custodian(s) of data stored on their individual computer or any shared or removable media.

    More specifically, Data Custodian(s) are the individual(s) responsible for making decisions about the sensitivity and criticality of specific University systems and data stored in these systems; determining the classification of data under their control; documenting the use of the specific system(s); and determining which University staff requires access to that system and its data. University policy may restrict or dictate the Data Custodian's role regarding data design and control (e.g., a policy indicating how access to Institutional Data should be handled would take precedent over individual Data Custodian decisions/ determinations). Examples of Data Custodians are: the Directors of Human Resources would have Data Custodian responsibility over payroll and personnel information and a Principal Investigator is the Data Custodian for research data related to their grant. All employees are the data custodian(s) of data stored on their individual computer or any shared or removable media.

  • What is Personally Identifiable Information (PII)?

    • An individual's first name and last name or first initial and last name in combination with one or more of the following data elements: social security number, driver's license number or state-identification card number, or financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account. (Massachusetts Law Chapter 93H)
    • Individually identifiable health information (i.e., information relating to past, present or future physical or mental health or condition of an individual; provision of healthcare to an individual or payment for the provision of healthcare to an individual; Individually identifiable health information may include, but is not limited to: name, telephone/fax number, email address, social security number, driver's license number, internet address or any other unique identifying number, characteristic or code). Some, but not all, health information is protected under the Health Insurance Portability and Accountability Act of 1996 (i.e., HIPAA)
    • Student education records not defined as student "directory information" (e.g., student number, grades, courses taken, etc.) by the University and its Campuses are protected under the Family Educational Rights and Privacy Act (i.e., FERPA).
    • "Customer" records such as names, addresses, phone numbers, bank and credit card account numbers, credit histories, or social security numbers as they related to student financial aid information are protected under the Graham Leach Bliley Act of 1999 (i.e., GLB).

  • What is protected information?

    Protected Information is assigned a security classification of confidential and includes University data whose disclosure would not result in any business, financial or legal loss but involves issues of personal credibility, reputation, or other issues of personal privacy. The security and protection of this data is dictated by a desire to maintain staff and student privacy. Protected data includes an individual's first name or initial and last name in combination with one or more of the following data elements: their birth date, mother's maiden name, state employee salary, employee identification number, electronic signature, fingerprint, photograph or computerized image, physical characteristics or description, or passport number.

  • What is FERPA?

    FERPA, the Family Educational Rights and Privacy Act of 1974, was passed in order to protect student records from being shared with those who do not have a legitimate reason to access them. The Act provides students specific rights and applies to all institutions that are the recipients of federal funding. More information is in the Student Handbook

More information

Employees should be aware of the University's policies, guidelines and requirements regarding data security:

UMass Security Awareness

Related information is available on these government sites:

Contact Info:

This page's location: http://www.umassd.edu/cits/security/data.cfm

An Official UMass Dartmouth Web Page/Publication. © 2009 Board of Trustees of the University of Massachusetts.
University of Massachusetts Dartmouth • 285 Old Westport Road • North Dartmouth, MA 02747-2300
Phone: 508 999-8000 • TDD: 508 999-9250 (for the hearing impaired) • Contact the university

Turn Styles On   Font: -A +A