Brown University is dedicated to ensuring the privacy and proper handling of private and restricted information of its students, employees, and individuals associated with the University. The primary purpose of this policy is to ensure that the necessary policy and awareness exist so that University employees and students comply with all applicable laws and regulations. This document establishes minimum requirements for the proper handling and protection of Brown Restricted Information. All departments shall limit access to Brown Restricted Information to those individuals with a university and/or business need to the information in order to do their job.

This policy applies to all Brown Restricted Information, which includes but is not limited to: social security numbers, credit card numbers, medical records, dates of birth, driver's license numbers, addresses, and passport information. It should be noted that, under FERPA, Brown has designated student university addresses as directory information.

For the purposes of this policy, restricted information is covered in any tangible format, including but are not limited to, paper, photographs, film, audio and videotapes, microforms, drawings, databases, email, and any other electronic records.

All members of the Brown community, including staff, faculty, students, affiliates, volunteers, and third party vendors or contractors shall comply with this policy. Vendor contracts should include a clause referencing this policy.

Brown has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. These three categories are Levels 1, 2 and 3. For definitions and examples, see the document Data Risk Classifications.

The following minimum requirements have been developed to ensure that adequate controls are in place.

4.1 Access, Storage, Transmission and Back-up of Restricted Information

• Access controls to all Brown Restricted Information must be documented.
• Brown Restricted Information must have a designated Data Owner who authorizes such access.

Storage

• Brown Restricted Information in electronic format must be stored on a server centrally managed by the Office of Information Technology (OIT) or in an environment that is under strict legal contracts with the university that meet this policy, and not on a workstation, laptop, portable storage device, or locally managed server. Exceptions must be reviewed and approved in writing by the University's Chief Information Security Officer.
• An approved local machine must be in a physically secure location and require a unique logon with a strong password for each individual with authorized access (i.e. shared accounts and passwords are prohibited). Security logs must be enabled and periodically reviewed by the locally approved department.
• Brown Restricted Information must be housed on a server or approved workstation that meets current operating system, hardware and software support levels.
• Brown Restricted Information in any hard copy format must be stored in locked cabinets or offices, and not be able to be accessed by unauthorized persons.

Transmission

• Brown Restricted Information should never be transmitted over the network "in the clear." It should always be transmitted using an Information Security Group-approved encryption mechanism.
• When transmitting Brown Restricted Information via email, use the email encryption solution, Virtru. It allows you to send encrypted email from your Brown email address. It also provides the ability to prevent a forwarded email from being read, set a read expiration, and revoke the ability to read an email after it is sent.

Backups

• It is the responsibility of everyone entrusted with Brown Restricted Information to back it up and store it in a secure and controlled location. The use of the OIT centrally-managed data center is the recommended solution.
• Backup of Brown Restricted Information should be encrypted if technically feasible.

4.2 Release of Information

Restricted information concerning individual students or employees may be released only if the release of such information has been authorized by the Data Steward (a staff member with oversight responsibility for an operational area who is deemed an expert regarding data managed by that area). Additional information on the responsibilities of the Data Steward can be found in the document Data Governance Roles.

4.3 Confidentiality Agreement

Data Owners who authorize access to Brown Restricted Information should ensure that those with access sign a Confidentiality Agreement. All authorized users of Brown Restricted Information are also required to successfully complete the "Protecting Brown Information" class (contact Computing Accounts and Passwords at the IT Service Center for details).

While it is recognized that a small number of areas, departments, and processes have a need to utilize social security numbers, any use of this identifier puts members of the Brown community at a greater risk of identity theft. As a result, any Brown department that currently uses, or wishes to collect, store, or use social security numbers in any format must:

• Show institutional need,
• Receive approval from the Data, Privacy, and Records Management Steering Committee, and
• Permit audits (including server and application security) at least annually to ensure safe SSN handling

As a research institution, Brown collects, stores and utilizes large amounts of research data which may be restricted, confidential and protected information. In addition to the stipulations on handling such information as outlined in this policy, guidance and oversight is provided by the Office of the Vice President of Research. The OVPR assists faculty in ensuring that research complies with institutional and federal standards, beginning with proposal preparation and review, and extending throughout the performance of the research and into evaluation and reporting of research project results.

Additional guidance and support can be found on the Research Administration, Policies, Procedures & Forms page.

Although Brown University is not a Covered Entity as defined in the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations, the University's policies and procedures, which govern the privacy rights of its research participants, students, faculty and staff, are compatible with those required by HIPAA for Covered Entities. Further guidance on PHI in research can be found on the HIPAA Privacy Rule Guidance page, part of the Research at Brown website.

PHI that is collected for normal business use (such as employee health benefit information, and PHI collected in the University Health Services Department), must be reviewed regularly for cataloging, review, protection and approvals. Further guidance and information can be directed to the University's Chief Information Security Officer.

Violation of this policy may result in disciplinary action, up to and including termination of employment.

Policies and Procedures:

• Acceptable Use of Information Technology Resources Policy
• Computing Passwords Policy
• Data Risk Classifications
• Electronic Information Access Policy
• Security of Desktop, Laptop, Mobile and Other Endpoint Devices Policy

Form:

• Brown's Medical Release Form