Purpose / University Position
Introduction
Handling Restricted Information
1. Recommended Best Practices
2. Disclosure
3. Computing Recommendations
4. Transmission
5. Data Ownership Responsibilities
6. Managing Access to Restricted Information
7. Disposal of Restricted Information
8. Consequences for Unauthorized Access
Related Policies and Documents
Whom to Contact
Other Related Brown Policies and Guidelines
Purpose / University Position
This information is in support of the Policy on the Handling Brown Restricted Information. While these guidelines are in place to ensure the protection of restricted and regulated information, it is the position of the University to minimize the use of such information, and only those departments, processes, and personnel with approval to utilize restricted information are authorized to do so. The Data, Privacy, Compliance and Record Management (DPCRM) Steering Committee is the sole approving board for the University.
Introduction
Information is one of Brown University's most valuable resources and as such requires responsible management by all members of the Brown community. This document establishes guidelines for the proper protection of these valuable resources and promotes Brown's maintenance of strict confidentiality in compliance with applicable policies as well as state and federal regulations.
These guidelines address the handling of Brown data – whether communicated orally, in hard copy or electronic format; stored on desktop machines or mobile devices; or moved to media such as CD, tape, flash memory, or paper – for all members of the Brown community, including staff, faculty, students, affiliates, volunteers, and vendors.
Particular emphasis is placed on Brown Restricted Information, defined as information that should not be made public and which should only be disclosed under limited circumstances.
Handling Restricted Information
1. Recommended Best Practices
Access to Brown Restricted Information should be limited to those who need the information in order to fulfill professional responsibilities. All members of the Brown community who have been granted such access should exercise care and judgment to ensure adequate protection of Brown Restricted Information by following the practices delineated in the document Brown University Checklist for Protecting Information.
2. Disclosure
Individuals should not disclose any Brown Restricted Information that they obtain as a result of their employment at Brown to unauthorized persons. Full employee obligations are outlined in the "Confidentiality" section of the document Employee Responsibilities and Rights.
3. Computing Requirements
Brown Restricted Information should be protected whether it is being stored (on various media), transmitted (via network or email) or archived. The list of computing requirements is found in section 3.0 in the Policy on Handling Brown Restricted Information.
4. Transmission
Brown Restricted Information should never be transmitted over the network "in the clear." It should always be transmitted using an Information Security Group-approved encryption mechanism. While the University does not currently have an enterprise encryption solution, CIS can supply solutions for secure transmission on a case-by-case basis. These solutions include VPN transmission, secure FTP, and file encryption. Please contact the IT Service Center for assistance and guidance.
As a onetime alternative for transmitting some forms of restricted information via email, attachments of password-protected documents or spreadsheets can be used in certain cases. Approval must be received in advance from the Director of Information Technology Security, who can provide the standards and requirements necessary.
5. Data Ownership Responsibilities
All Brown Restricted Information should have identified Data/Records Owners, who are responsible for implementing the following good managerial controls:
- Creating and reviewing audit trails of access to restricted data
- Regularly reviewing who has access to what data
- Monitoring preventive controls for compliance in their departments
- Educating end users regarding protection standards – set expectations
- Ensuring that there is appropriate training of staff on proper handling of restricted information
Data/Records Owners who authorize access to Brown Restricted Information should ensure that employees sign a Confidentiality Agreement at least once per year, or as the Data/Records Owners deem appropriate. New employees (including students and volunteers) should sign the agreement prior to access. Anyone who has been entrusted with restricted information has a responsibility to the Data/Records Owners for its proper use and protection.
6. Managing Access to Restricted Information
Strict control should be maintained over access to work locations, records, computer information, cash and other items of value. Individuals who are assigned keys, given special access or assigned job responsibilities in connection with the safety, security or confidentiality of such records, materials, equipment, or items of monetary value should use sound judgment and discretion in carrying out their duties and will be held accountable for any wrongdoing or acts of indiscretion. Furthermore, information may not be divulged, copied, released, sold, loaned, reviewed, altered or destroyed except as properly authorized within the scope of applicable federal or state laws.
At the conclusion of their employment or affiliation with Brown, individuals shall relinquish ownership of all University documents and records. They shall also maintain the confidentiality of University information even after they leave Brown. Questions regarding Brown-owned information should be directed to the employee's supervisor, Department Chair, Department's Human Resources Representative, General Counsel, Director of Information Technology Security, or the Human Resources Department.
7. Disposal of Restricted Information
All restricted information should be disposed of in a confidential manner. To dispose of such records departments and offices must:
- Take extra measures to wipe clean the hard drive of any machine or device that may contain restricted information before discarding, sending to surplus, or transferring it to another individual or department. (see Electronic Equipment Disposition Policy)
- Shred restricted paper documents that are no longer needed and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protect discarded information and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
- A hard drive crusher is available for crushing no-longer needed drives containing data covered under the Brown Restricted Information Policy. Contact the IT Service Center to arrange an appointment.
8. Consequences for Unauthorized Access
Unauthorized access to any Brown Restricted Information by the Brown community will be cause for disciplinary and possible legal action. Unauthorized access indicating that privacy, copyright, anti-trust, or other laws may have been broken by an individual unaffiliated with Brown, may be referred to legal authorities.
Related Policies and Documents
Computing | Employees | Students | Faculty | Researchers | Health | General Safety | Federal Regulations
Other applicable policies are found at the following links:
- Employees
- Human Resources: Employee Responsibilities and Rights
» Employee Responsibilities and Rights - Internal Audit: Records Retention Guidelines
» www.brown.edu/Administration/Internal_Audit/guidance/records - Internal Audit: Brown University's Department Risk-Control Self-Assessment Tool
» www.brown.edu/Administration/Internal_Audit/guidance/risk.html
- Human Resources: Employee Responsibilities and Rights
- Students
- Principles of the Brown University Community: The Academic Code and Non-Academic Conduct
» www.brown.edu/academics/college/degree/policies/academic-code
- Principles of the Brown University Community: The Academic Code and Non-Academic Conduct
- Faculty
- Faculty Rules & Regulations
» www.brown.edu/Faculty/Faculty_Governance/rules.html
- Faculty Rules & Regulations
- Researchers
- Office of Sponsored Projects: Policies and Procedures
» http://research.brown.edu/rschadmin/osp_policies.php - Brown University Policy for Responding to Allegations of Research Misconduct
» www.brown.edu/research/about-brown-research/policies/policy-responding-allegations-research-misconduct - Brown University Policies and Procedures for the Protection of Human Participants in Research
» www.brown.edu/research/brown-university-policies-and-procedures-protection-human-participants-research - Office of the Provost: Policies and Procedures Relating to Research Privacy
» www.brown.edu/Administration/Provost/policies/rpp.html
- Office of Sponsored Projects: Policies and Procedures
- Health
- Brown University Health Services: The Patient Bill of Rights and Responsibilities
» www.brown.edu/Student_Services/Health_Services/start/rights.html - Brown University Psychological Services: Statement of Confidentiality
» www.brown.edu/campus-life/support/psychological-services/confidentiality-2
- Brown University Health Services: The Patient Bill of Rights and Responsibilities
- General Safety
Department of Public Safety:
» www.brown.edu/Administration/Public_Safety/
Federal Regulations:
- Gramm-Leach-Bliley Act (GLBA)
US Senate Banking Committee, Financial Services Modernization Act, Summary of Provisions
» http://banking.senate.gov/conf/grmleach.htm - Family Educational Rights and Privacy Act (FERPA)
Office of Student Life policy summary:
» www.brown.edu/Student_Services/Office_of_Student_Life/randr/federal/ferpa.html - Student Employment FERPA Non-Disclosure / Confidentiality Agreement
» http://financialaid.brown.edu/Content/Files/FERPAConfdAgre.pdf - US Department of Education, Final regulations (4/16/2004)
» www.ed.gov/legislation/FedRegister/finrule/2004-2/042104a.pdf - US Federal Trade Commission Red Flag Rules
» www.ftc.gov/bcp/edu/microsites/redflagsrule/more-about-red-flags.shtm
Whom to Contact
For more information about the management of the certain restricted records, please contact the University office indicated:
- Administrative Records (Departments; University Archives)
- Alumni Records (Alumni Relations; University Archives)
- Corporation Records (Secretary of the University; University Archives)
- Electronic Records Security (Director of Information Technology Security)
- Environmental Health and Safety Records (Environmental Health and Safety)
- Facilities and Grounds Records (Facilities Management)
- Faculty Records (Dean of the Faculty)
- Financial/Budget Records (Office of the Controller)
- Intellectual Property Records (Office of the Vice President for Research)
- Legal and Regulatory Compliance Records (General Counsel; Office of the Vice President for Research)
- Personnel Records (Human Resources; Division of Biology and Medicine; Dean of the Faculty)
- Research Records (Office of the Vice President for Research; Office of Sponsored Projects)
- Student Academic Records (Office of the Registrar; Dean of the College; Dean of the Graduate School; Medical School)
- Student Life Records – including medical (Office of Student Life)
- Student Statistics (Office of Institutional Research; Medical School; Graduate School)
- University Archives – historical records (University Archives)
- University Research Data and Compliance (Office of the Vice President for Research)
Other Related Brown Policies and Guidelines
Acceptable Use Policy
Checklist for Protecting Information
Confidentiality Agreement Template
Data Removal Recommendations
Electronic Equipment Disposition Policy
Electronic Mail Policy
Guidelines for Transfer of Records to the Archives
Intellectual Property Policies
Policy on the Handling of Brown Restricted Information
Records Management at Brown
Responsible Conduct of Research
Social Security Number – Usage and Protection Requirements
SSN / Data Classification Questionnaire (document in process)
SSN Policy Exception Form
Questions or comments to: ITPolicy@brown.edu
Effective Date: April 2, 2012
Last Reviewed: February, 2016
Next Scheduled Review: February, 2017