Using UBbox and complying with restricted data requirements is a shared responsibility. Through a combination of training, adherence to guidelines and procedures, and proper Box folder configurations, UBbox can be used for restricted data.
The data steward is responsible for:
- Obtaining approval for storing restricted data in UBbox.
- Ensuring proper technical configuration of the UBbox folder.
- Ensuring any required data sharing agreements and business associate agreements (BAA) are in place.
- Ensuring restricted data is only accessible by authorized individuals.
- Ensuring restricted data is only used for a specifically stated intended purpose.
- Auditing and monitoring of restricted data access.
- Immediately reporting any suspected data breach involving restricted data.
- Reconfirming the need for sensitive data in UBbox on an annual basis.
- Ensuring that PII or other sensitive data is not used to name UBbox files or folders.
All people granted access to restricted data stored in UBbox are responsible for:
- Taking appropriate restricted data handling training courses (see training links).
*Note: If you are working with regulated data such as HIPAA or PCI, please contact the Information Security Office for more information on training.
- Adhering to all established guidelines and procedures for accessing restricted data in UBbox.
- Immediately reporting to the appropriate security/privacy officials any suspected data breach involving restricted data.
- Note that UBIT Box Administrators will need to be included as part of all covered functions that use Box for HIPAA data.