Protection of University Data Policy

The University at Buffalo (UB, university) is committed to collecting, handling, storing, and using university data properly and securely. This policy establishes a framework of safeguards to:

• Protect university data from accidental or intentional alteration, theft, or other risks
• Comply with applicable laws and contractual requirements
• Increase awareness of the need to protect university data

Access, collection, storage, or transmission of university data must be approved by a data trustee. Approval to use university data is contingent upon the unit’s demonstrated operating needs, as well as the risk mitigation measures in place to protect the data. Risk mitigation measures include, but are not limited to the collection, storage, and transmission of these data by third-party service providers (e.g., cloud services).

A suspected or confirmed exposure of university data, or security breach of a system containing university data, must be reported immediately to the Information Security Officer (ISO).

An employee or student who breaches the confidentiality of Category 1 – Restricted Data or Category 2 – Private Data may be subject to disciplinary action in accordance with university policy and procedures.

University information is a valuable asset that requires appropriate protection. University policies and procedures must include controls to protect the confidentiality, integrity, and availability of data and comply with laws and contractual obligations.

This policy applies to all university employees, students, and third-party vendors who access, manage, store, or in other capacities use university data.

For data regulated by the Health Insurance Portability and Act (HIPAA), refer to the applicable HIPAA policies or Director of UB HIPAA Compliance.

Category 1 – Restricted Data

Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Restricted data includes the definition of private information in the New York State (NYS) Security and Breach Notification Act as a foundation: bank account, credit card, and debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, and passport numbers.

Category 1 – Restricted Data are exempt from disclosure or release under the NYS Freedom of Information Law (FOIL). The NYS Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the NYS Information Security Policy.)

Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, and university policy. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.

Category 2 – Private Data

Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure by the NYS FOIL.

Category 2 – Private Data must be protected to ensure that they are not disclosed in a FOIL request. Private data must be protected in order to ensure that they are only disclosed as required by law, including FOIL. Decisions about disclosure must be made by the Records Management Officer.

The National Institute Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations maps to the Category 2 – Private Data risk classification.

Data Trustee

Senior leader of the university (i.e., vice president, vice provost, dean) who has responsibility for areas that have systems of record.

Data User

Individual who needs and uses university data as part of their assigned duties or to fulfill their role in the university community.

• Ensure that data stewards in their area are compliant with data governance principles.

• Follow appropriate safeguards to protect data based on its classification.

• Review and approve departmental collection, storage, and transmission of data when necessary according to its classification.
• Serve on the Cloud Services Review Committee.
• Conduct periodic security reviews of systems approved for storing and handling protected data.

• Make decisions about records disclosure of information.

• Complete the Vendor Questionnaire (obtained from Purchasing).

• Oversee all components of UB information technology.