Access to Protected Information

Granting Access

Individuals may only be granted access to protected information by an information resource steward or their designee in support of necessary functions or operations. Access to protected information is granted by stewards on a “need-to-know” basis to as limited a portion of protected information as is feasible to allow individuals to be effective and efficient in their activities.

Access Procedures

For multi-user systems, access procedures must be implemented by information resource stewards and data custodians before access is granted to others. Access procedures must address:

  1. How access is requested by a prospective user or their supervisor;
  2. Types of access available including read, write, copy and extend access to third parties;
  3. How access requests are reviewed and approved;
  4. How those who are granted access are advised of their responsibilities and agree to accept them (Attachment I, UH General Confidentiality Notice [UH Parties (PDF)/Non-UH Parties (PDF)], may be used for this purpose);
  5. How mandatory information security training will be provided to all users, minimally, at the time they are granted access to protected information;
  6. How the system will ensure the use of “strong” passwords, idle-time logout, and other best practices ensuring security;
  7. Whether or how access is limited only to the portions of protected information required by the individual;
  8. How access is revoked in a timely manner when no longer required;
  9. How access is reviewed on a regular basis; and
  10. Availability of audit trails for when, how and to whom access was granted.

Access by third parties to protected information may only be granted by the information resource steward, not by other users. Access by third parties must be granted through contracts or memoranda of agreement that include appropriate language to ensure protection of UH protected information by the third party. The third parties shall agree to comply with all applicable federal, state and local laws, regulations and ordinances, and University policies pertaining to information designated as restricted, sensitive, or regulated by law or by the University, including, but not limited to, E2.210 (Use and Management of Information Technology Resources), E2.214 (Institutional Data Classification Categories and Technical Guidelines), A7.022 (Procedures Relating to Protection of the Educational Rights and Privacy of Students), Hawaiʻi Revised Statutes (HRS) §487J (Social Security Number Protection), HRS §487N (Security Breach of Personal Information), HRS §487R (Destruction of Personal Information Records), and Act 10, Part V, 2008 Special Session, Session Laws of Hawaiʻi.