Policies
Policies
Brown University is dedicated to ensuring the privacy and proper handling of private and restricted information of its students, employees, and individuals associated with the University. The primary purpose of this policy is to ensure that the necessary policy and awareness exist so that University employees and students comply with all applicable laws and regulations. This document establishes minimum requirements for the proper handling and protection of Brown Restricted Information. All departments shall limit access to Brown Restricted Information to those individuals with a university and/or business need to the information in order to do their job.
This policy applies to all Brown Restricted Information, which includes but is not limited to: social security numbers, credit card numbers, medical records, dates of birth, driver's license numbers, addresses, and passport information. It should be noted that, under FERPA, Brown has designated student university addresses as directory information.
For the purposes of this policy, restricted information is covered in any tangible format, including but are not limited to, paper, photographs, film, audio and videotapes, microforms, drawings, databases, email, and any other electronic records.
All members of the Brown community, including staff, faculty, students, affiliates, volunteers, and third party vendors or contractors shall comply with this policy. Vendor contracts should include a clause referencing this policy.
Brown has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. These three categories are Levels 1, 2 and 3. For definitions and examples, see the document Data Risk Classifications.
The following minimum requirements have been developed to ensure that adequate controls are in place.
Restricted information concerning individual students or employees may be released only if the release of such information has been authorized by the Data Steward (a staff member with oversight responsibility for an operational area who is deemed an expert regarding data managed by that area). Additional information on the responsibilities of the Data Steward can be found in the document Data Governance Roles.
Data Owners who authorize access to Brown Restricted Information should ensure that those with access sign a Confidentiality Agreement. All authorized users of Brown Restricted Information are also required to successfully complete the "Protecting Brown Information" class (contact Computing Accounts and Passwords at the IT Service Center for details).
While it is recognized that a small number of areas, departments, and processes have a need to utilize social security numbers, any use of this identifier puts members of the Brown community at a greater risk of identity theft. As a result, any Brown department that currently uses, or wishes to collect, store, or use social security numbers in any format must:
As a research institution, Brown collects, stores and utilizes large amounts of research data which may be restricted, confidential and protected information. In addition to the stipulations on handling such information as outlined in this policy, guidance and oversight is provided by the Division of Research. The DoR assists faculty in ensuring that research complies with institutional and federal standards, beginning with proposal preparation and review, and extending throughout the performance of the research and into evaluation and reporting of research project results.
Additional guidance and support can be found on the Research Administration, Policies, Procedures & Forms page.
Although Brown University is not a Covered Entity as defined in the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations, the University's policies and procedures, which govern the privacy rights of its research participants, students, faculty and staff, are compatible with those required by HIPAA for Covered Entities. Further guidance on PHI in research can be found on the HIPAA Privacy Rule Guidance page, part of the Research at Brown website.
PHI that is collected for normal business use (such as employee health benefit information, and PHI collected in the University Health Services Department), must be reviewed regularly for cataloging, review, protection and approvals. Further guidance and information can be directed to the University's Chief Information Security Officer.
Violation of this policy may result in disciplinary action, up to and including termination of employment.
Questions or comments to: ITPolicy@brown.edu
Last Reviewed: November, 2017 (addition of new section "Risk Classifications")