by Jodi Ito
To better protect confidential and personal information, UH is adopting a new policy focused specifically on protecting sensitive data. This new policy is designed to provide the framework and guidelines to be used when handling sensitive, personal and confidential information in accordance with the new State laws passed during the 2006 legislative session.
The three laws of interest to UH are:
- Social Security Number Protection: Restricts the use of Social Security numbers by businesses and government agencies.
- Notice of Security Breach: Requires businesses and government agencies to notify consumers if their personal information has been compromised by an unauthorized disclosure.
- Destruction of Personal Information Records: Requires businesses and government agencies to take reasonable measures when storing and disposing of personal information.
Specifics of the UH Information Security policy include:
- Categorization of data
- Definition of sensitive information
- Use of Social Security Numbers
- Definitions of roles and responsibilities
- Collection of sensitive information
- Access to sensitive information
- Transmission of sensitive information
- Use, storage, and disposal of sensitive information
- Disclosure of any breach of sensitive information
The policy defines sensitive information as: "information that is subject to privacy considerations or that has been classified as confidential and subject to protection from public access or inappropriate disclosure."
Examples of sensitive information include (but are not limited to):
- Student records (especially anything protected by the Family Educational Rights and Privacy Act)
- Health information (especially anything covered by the Health Insurance Portability and Accountability Act)
- Personal financial information such as credit card numbers, bank account information, debit card numbers, etc.
- Social Security Numbers
- Dates of birth
- Private home addresses and phone numbers
- Driver's license numbers and State ID Card numbers
- Access codes, passwords and PINs for online information systems
- Answers to "security questions" such as "what is the name of your favorite pet?"
- Confidential information subject to attorney-client privilege
- Detailed information about security systems (physical and/or network)
- Confidential salary information
Any individual who uses, manages, maintains, and/or owns any of these types of information will need to be familiar with and comply with this new policy.
The policy is promulgated as a new UH Executive Policy. If you have any questions or comments about the policy, please contact Jodi Ito, Information Security Officer, by email: firstname.lastname@example.org or by phone: (808) 956-2400.