DATA SECURITY COMPLIANCE

Storing University data on computers and transferring it across networks makes the data easier to use and expands functionality; however, all University data must also be protected. It is important to know which data are protected and what security measures they require. This webpage describes the University's protected data, provides examples to help classify data, and gives the retention schedule for each type of data. Each individual must accept responsibility for safeguarding the confidentiality, integrity, and accuracy of data as required by state and federal law and by University policies and procedures. Although the HIPAA Security Awareness Training Module was developed specifically for HIPAA Protected Data, the information it provides is appropriate for protecting ALL types of University data.

Specific Examples of Protected Data

Classification of Data

Legal Data Checklist

Guidelines

Protected Data Technical Regulations

Desktop Protected Data Protection Guidelines

Data Encryption

How Do I Protect Sensitive Information?

Specific Examples of Protected Data

Health Insurance Portability and Accountability Act (HIPAA)
Protected Health Information

Wright State University HIPAA Policy

HIPAA Security Awareness Training Module

In response to growing concerns about keeping health information private, Congress passed the Health Insurance Portability and Accountability Act of 1996. HIPAA requires agencies that maintain medical records to protect privacy and establishes standards for the transfer of health data. Agencies must follow specific rules to protect the privacy of medical records. Employees may not access health information unless they need it to perform their jobs. The only accepted uses of health information are for treatment, for payment, or for health care operations (e.g. quality assessment, licensing and credentialing). Any other disclosure of health information requires the patient's written consent. Employees are required to receive training on how to protect health information, whether that information is spoken, on paper, or stored on a computer.

Examples:

Retention: While it is recommended that all medical records be kept permanently, HIPAA does not impose a retention requirement. Where permanent retention is impractical, it is recommended that all medical records be retained for a minimum of 10 years after the last date of treatment, or 10 years after the patient reaches the age of majority, whichever occurs later. When records are destroyed, it should be done in a manner that maintains confidentiality.


Family Educational Rights and Privacy Act (FERPA)
Student Records

Wright State University FERPA Policy - 4010

In order to protect the privacy of student educational records and to give students and parents greater access to those records, the Family Educational Rights and Privacy Act was enacted in 1974. FERPA accomplishes this by requiring that schools keep education records confidential by preventing disclosure to third parties, and by requiring that schools have a policy in place for allowing access to parents and to students over the age of 18. For clarity, educational records are defined as “those records, files, documents, or other materials which contain information directly related to a student, and are maintained by an educational agency or institution or by a person acting for such agency or institution”. In addition to educational records, FERPA forbids disclosure of “personally identifiable information”, such as a student’s social security number, or any other information that may reveal a student’s identity.

Examples:

Retention:


Other Data:

The following data are protected by other legislation (PCI, GLBA, Ohio HB 104, Identity). Any combination of these data elements is protected (for example, name and credit card number), and Social Security Numbers are protected in all instances.

Advancement Information

Research Information

Employee Information

Business Data (Gramm-Leach-Bliley Act - GLBA)

The Gramm-Leach-Bliley Act of 1999 relates to the protection of personal financial information held by financial institutions. The GLB Act broadly defines “financial institution” as any institution engaged in financial activities on behalf of consumers, and since higher education institutions engage in student loan processing, they are considered financial institutions under the Act. Protected information, however, goes beyond financial aid records. It includes all varieties of personal financial information collected by the university on faculty, students, staff, and others. Examples of protected financial information include financial aid records, credit card and personal check information, salary information and tax records. University offices that maintain protected financial information are required to identify themselves to the Information Security Officer at Computing and Telecommunications Services.  

Examples:

Retention: GLBA does not impose a specific retention requirement for protected financial records, as retention periods vary by type of record. For specific retention requirements, refer to departmental records retention schedules or the University General Schedule. Some examples are listed below.

Management Data

Classification of Data

Use the following criteria to determine which data classification is appropriate for a particular information or infrastructure system.

| Criterion | Protected Data (highest, most protected) | Protected Data (moderate level of protection) | Protected Data (low level of protection) |
|---|---|---|---|
| Legal Requirements | Protection of the data is required by law. See listing below. | WSU has a contractual obligation to protect the data. | Protection of the data is at the discretion of the owner or custodian. |
| Reputation Risk | High | Medium | Low |
| Other Institutional Risks | Information which provides access to resources, physical or virtual | Smaller subsets of protected data from a school or department | General university information |
| Access | Only those individuals designated with approved access and signed non-disclosure agreements | WSU employees and non-employees who have a business need to know | WSU affiliates and general public with a need to know |
| Examples | Medical, Students, Prospective Students, Personnel, Employee, Donor or Prospect, Financial, Contracts, Physical Plant Detail, Credit Card Numbers, Certain Management Information. See more detailed listing below. | Information resources with access to restricted data; Research detail or results that are not restricted data; Library transactions (e.g., catalog, circulation, acquisitions); Financial transactions which do not include restricted data (e.g., telephone billing); Information covered by non-disclosure agreements; Very limited subsets of restricted data | Campus maps, personal directory (e.g., contact information), E-mail |

Legal Data Checklist

| Legislation | Type of Data | Privacy Statement | Notification upon Breach | Legislative Private Right of Action | Government Enforcement | Statutory Damages |
|---|---|---|---|---|---|---|
| Ohio HB 104 | Personally Identifiable | O | X | O | X | X |
| FERPA | Education Record | X | O | O | X | O |
| HIPAA | Medical Record | X | O | X | X | X |
| Financial GLBA | Banking Record | X | O | O | X | X |

X - Applicable to Data Type   O - Non-Applicable to Data Type

3640 Colonel Glenn Highway - Dayton, Ohio - 45435