Policy No: 2009 Responsible Office: Compliance Last Review Date: 11/15/2022 Next Required Review: 11/15/2027
Confidential Data Protection
1.1 This policy sets forth minimum requirements for the collection, use, maintenance, storage, sharing, and destruction of Confidential Data, in order to protect it from misuse or breach. While certain policies already exist which address protection of patient and student information, respectively, this policy addresses protections of the personal information of any person, including but not limited to employees, contractors, and visitors.
1.2 Specifically, this policy outlines essential roles and responsibilities for members of the University of South Alabama (USA) community to assure we maintain an environment that safeguards Confidential Data from breaches or other unauthorized access or use, and establishes a comprehensive data protection program consistent with applicable state, federal and international acts, standards, regulations and laws.
1.3 Protection and management of other forms of sensitive institutional information such as Controlled Unclassified Information (CUI), Intellectual Property, and/or other forms of sensitive or proprietary University information, while handled similarly to Confidential Data, will be covered in separate policies.
This policy applies to all members of the USA community (both the University General Division, and USA Health), full and part-time, paid and unpaid, temporary and permanent; also includes students, contractors, agents, vendors, trustees, and all other members of the University community who have access to Confidential Data of any person, either via electronic systems, or paper filing systems.
Confidential Data: for purposes of this policy, means any information relating to an identified or identifiable person that is protected by state or federal privacy regulations, not subject to the Open Records Act, and which one would reasonably expect to be kept confidential, whereby unauthorized disclosure, alteration or destruction could cause a significant level of risk to the University, its affiliates, or individual members of the University community. Confidential Data may be stored in electronic or paper form. The following types of Confidential Data are defined by various associated laws, regulations, acts, and standards (some of which are referenced in section 6, “Related Documents”):
Protected Health Information (PHI): (as defined by the HIPAA Privacy and Security Rules) means any and all “individually identifiable health information” (IIHI) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. IIHI is information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or, the past, present or future payment for the provision of health care to the individual. IIHI is information that identifies the individual, or provides a reasonable basis to believe it can be used to identify the individual. IIHI includes many common identifiers (e.g., name, address, birth date, (SSN), etc.).
Sensitive Personally Identifying Information: (as defined by the Alabama Data Breach Notification Act of 2018) consists of an Alabama resident’s first name (or initial) and last name, in combination with one or more of the following of the same Alabama resident: SSN (full or portions of), tax ID number, Driver’s License or state-issued ID number, passport number, military ID number, or any other unique ID number issued on a government document used to verify an individual's identity; financial account numbers, in combination with any security or access code, password, expiration date or PIN necessary to access the financial account; any PHI/IIHI (as described above); electronic account access information such as username or e-mail address in combination with a password or security question and answer that would permit access to an online account affiliated with USA; that is reasonably likely to contain or is used to obtain sensitive personally identifying information.
Personally Identifiable Information for Education Records: is a Family Educational Rights and Privacy Act (FERPA) term referring to identifiable information that is maintained in education records and includes direct identifiers, such as a student’s name or identification number, indirect identifiers, such as a student’s date of birth, or other information which can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information.
Personal Data: (As defined by the European Union’s Global Data Protection Regulation – ((GDPR)) means any information relating to an identified or identifiable natural person . An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Payment Card Data: includes the credit card number, expiration date, and Card Verification Value (CVV)/ Card Verification Code (CVC) 3-or 4-digit numerical code, associated with the cardholder’s name as it appears on the card, and billing address.
A Breach: of Confidential Data occurs if the data has been inappropriately accessed or received by an unauthorized person or group, whether intentionally or inadvertently, such that the acquisition could present a financial or reputational risk to the Data Subjects.
Data Subjects: include, but are not limited to, any person (USA employee, employee dependent, student, parent of student, patient, trustee, contractor, vendor, volunteer, agent, customer, visitor, alumni, donor, etc.) whose personal information has been collected and retained by or on behalf of USA.
Data Owners: have administrative control and have been officially designated as accountable for a specific information asset dataset. Some examples of Data Owners include the Registrar for student data; the Controller for financial accounting data; the Assistant of Vice President of Human Resources for employee data. This role may have some similarities to USA record Custodians as defined in The Records Disposition Authority Policy of the University of South Alabama – Jan 2004.
Data Custodians: have technical control over an information asset dataset. Usually, this person has the administrator/admin, sysadmin/sysadm, sa, or root account or equivalent level of access. This is a critical role and it must be executed in accordance with the access guidelines developed by the Data Owner.
Users: include all members of the USA community who have authorized access to Confidential Data, including employees, students, consultants, temporary employees, etc.
Data Protection Committee: is appointed by the University President, and includes representation from the University General Division and USA Health. The primary role of the Data Protection Committee is to assure this policy remains current with regulatory requirements, that the procedures are appropriate and reasonable, and that all members of the USA community are familiar with and adhere to the guidelines set forth herein.
4. Policy Guidelines
4.1 “Minimum Necessary” Concept
USA-wide implementation of a “Minimum Necessary” concept will obligate department leaders and Data Owners to review who has access to various types of Confidential Data and assure such access is reasonable and necessary for one to do his or her job. Department leaders and Data Owners will identify certain types of information that should be withheld from Users due to lack of a legitimate “need to know” reason. Data Owners will evaluate a User’s request for access to Confidential Data based on a “need to know;” standard and may approve access request forms on behalf of the User’s unit or department director.
All Users with job duties that require them to handle Confidential Data should seek access to only that which is necessary to complete their job assignment. Data Owners must periodically review the various levels of access to Confidential Data held by their direct reports and adjust as necessary. Data Owners should assure their Users:
4.1.1 Don’t access Confidential Data not directly relevant to their specifically assigned tasks;
4.1.2 Don’t disclose, discuss or provide Confidential Data to any individual not authorized to view or access that data, including but not limited to third parties, volunteers, vendors and other University employees; and
4.1.3 Don’t access any Confidential Data from electronic systems without advanced approval based on the User's role-based need. Any User’s access to Confidential Data should result from role-based determinations made by supervisors on a case by case basis.
4.2 User responsibility for protection of Confidential Data
This section sets forth guidelines for Users to assure their access, use, sharing, or deleting of Confidential Data is appropriate, and minimizes the risk of a Breach.
Users are required to safeguard the Confidential Data under their charge and only use or disclose it as expressly authorized or when specifically required in the course of performing their job duties. Users who have been assigned personal access codes to work with systems that generate, store, manage, share or destroy Confidential Data bear the responsibility for preserving the complete confidentiality of such codes, to ensure against unauthorized use by any other person. Misuse of Confidential Data can be intentional (acts and/or omissions), or a product of negligence or inadvertence. Misuse includes but is not limited to:
4.2.1 Intentional reckless, careless, negligent, or improper handling, storage or disposal of Confidential Data, including electronically stored and/or transmitted data, printed documents and reports containing Confidential Data;
4.2.2 Deleting or altering Confidential Data without authorization;
4.2.3 Using Confidential Data viewed or retrieved from the systems for personal or any other unauthorized or unlawful use;
4.2.4 Sharing Confidential Data with others who don’t have a legitimate need to know; and
4.2.5 Logging-in to USA data bases and administrative systems with one’s personal access codes and then permitting another person to access Confidential Data in those data bases and/or systems.
Users who have any reason to believe or suspect that someone else is using their personal access codes must immediately notify their supervisor. Users who have access to Confidential Data are expected to know and understand associated security requirements, and to take measures to protect the information, regardless of the data storage medium being used, e.g., printed media (forms, work papers, reports, microfilm, microfiche, books), computers, data/voice networks, physical storage environments (offices, filing cabinets, drawers), and magnetic and optical storage media (hard drives, diskettes, tapes, CDs, flash drives). Computer display screens should be positioned so that only authorized Users can view Confidential Data, and Confidential Data should be discarded in a way that will preserve confidentiality (e.g., in a shred box, not in a trash can or recycling bin).
4.3 Contracts with vendors who have access to or store Confidential Data of USA individuals
USA vendors whose services are secured via written contract, purchase order, or otherwise who will require the use of Confidential Data of members of the USA community, must be made aware by USA of their obligation to render the same protections of the Confidential Data as are required by Users, under applicable laws and regulations. Any such legal obligations should be set forth in writing, and acknowledged and agreed upon by both parties via signature.
All new or revised contracts (including purchase orders) must be submitted to the Office of General Counsel for review and approval. The individual submitting the contract should note whether the vendor’s service to USA will involve the vendor needing access to Confidential Data of members of the USA community, and if so, should briefly describe the type of Confidential Data involved and its contemplated use. If a vendor requires access to such Confidential Data (and in the opinion of the Office of General Counsel such access rises above mere incidental access), the contract must contain specific language that obligates vendor to (1) abide by the applicable laws and regulations governing use and access to the type of Confidential Data to which it will have access; (2) report Breaches timely; and (3) coordinate/collaborate with USA on Breach responses.
If a vendor is not in agreement with contract language which complies with this policy, General Counsel's office will discuss with the contract's host department the risk of proceeding without specific language, and options for how to proceed.
4.4 Adherence to document retention policy
Data Owners will review the required retention time periods for data/documents per the "Public Universities of Alabama Functional Analysis & Records Disposition Authority" (April 2022) and the Records Disposition Authority Policy of the University of South Alabama, and determine if current retention schedules are on target for the various types of Confidential Data collected and maintained under their purview. Data Owners will identify the need to destroy certain subsets of Confidential Data that is kept beyond the legally or policy-prescribed time periods, unless there are recognized operational needs to retain the information longer than what is stated by the State and USA RDAs.
At the department level, supervisors will also review Confidential Data retained in their areas to determine if actual retention is in accordance with what is prescribed by the State and USA RDAs. When Confidential Data has been determined by the Data Owner and supervisors to have reached its minimum required retention period with no operational need to retain it, the Confidential Data should be appropriately destroyed. For destruction of any Confidential Data – with the exception of PHI - a Records Destruction Notice may need to be prepared and submitted through the appropriate channels (Records Management eForms) for approval by the Executive Director of University Libraries. The USA RDA specifies exceptions in section 7, for “copies of transitory and duplicate records.” PHI destruction should come with the approval of USA Health's Health Information Management Director, Chief Compliance Officer, or Chief Information Officer. Permanent records should be moved to the USA archive when there is no further immediate need for the information. Upon approval, the supervisor shall supervise and witness the destruction of the information (electronic or hardcopy); and document the destruction.
4.5 Maintain reasonable security measures to protect Confidential Data
Protection of Confidential Data is of utmost importance, and USA’s Computer Services Center (CSC) and Health System Information Systems (HSIS) will spearhead the employment of reasonable security measures to assist in protecting the confidentiality, integrity, and accessibility of Confidential Data. Their goal is to safeguard Confidential Data, regularly review the security measures in place, and continue to expand the USA security strategy as new vulnerabilities, threats, and countermeasures arise. Reasonable security measures employed by the CSC and HSIS include but are not limited to:
4.5.1 Installing and updating antivirus software on USA computers;
4.5.2 Installing the latest operating system (as budget allows) and application patches on USA computers;
4.5.3 Assuring Users complete Information Security Training when assigned;
4.5.4 Configuring email accounts for multi factor authentication if available, particularly for those with higher-risk job roles.
4.6 Confidential Data Protection Guidelines for Users. The risk of Breaches of Confidential Data will be kept significantly lower if all users adhere to the following guidelines:
4.6.1 Log out of computers and/or information systems upon leaving their workstations, particularly if located in an open area;
4.6.2 Don’t leave Confidential Data unattended at their desks or anywhere else, unless it is secure in an area where only those with a “need to know” will see it;
4.6.3 Dispose of paperwork or other physical material containing Confidential Data no longer needed into a shred bin (not in a normal trash can or dumpster), after rendering it indecipherable with the use of a black marker or other means;
4.6.4 Delete electronic Confidential Data no longer needed from databases, and virtual files or folders where such electronic Confidential Data may also reside (see section 4.4, Adherence to document retention policy);
4.6.5 Assure correct email addresses for intended recipients of Confidential Data are entered (review addresses to assure “auto-complete” function does not inadvertently select another person);
4.6.6 Carefully examine any e-mail you receive from new sources, including those that may appear like routine notices from Human Resources, Payroll or Computer Services Center, especially if the e-mail (with attachments and links) asks you to enter any personal data (e.g. name, Jag number, username, password, or other Confidential Data). Before interacting with any unsolicited/unexpected email correspondence, Users should identify the sender, and communicate with them via means other than email to ensure they intended to send the suspect link(s) or attachment(s). To report any suspicious e-mails, contact the Computer Service Center Help Desk on campus at Helpdesk@southalabama.edu or HSIS security personnel for USA Health by forwarding the email to email@example.com; these offices will help determine if the e-mail is malicious and take appropriate steps to mitigate/remove the risk;
4.6.7 Users should never, under any circumstance, share their usernames and passwords to systems containing Confidential Data; with a co-worker or other person;
4.6.8 Users are encouraged to store Confidential Data on USA servers/sharepoint folders rather than on their desktop computer hard drives (check with CSC on campus, or HSIS for USA Health for more support);
4.6.9 Do not store or keep copies of Confidential Data on personal or freely available cloud solutions such as DropBox, OneDrive, personal Google Drive accounts, etc. Such practices put USA at risk in the event of a Breach. The storage of Confidential Data on the USA G-Suite platform, which is associated with an employee's USA email account, is allowed but not encouraged. The storage of Confidential Data should be on USA managed servers whenever possible.
NOTE: Comprehensive guidelines for the protection of all forms of PHI can be found in USA Health’s “Safeguarding Protected Health Information” policy.
4.7 Breach Response
Breaches of Confidential Data should be reported immediately, so that the risk of financial or reputational harm to the Data Subject(s) and/or to USA can be promptly mitigated. A Breach should be reported as follows:
4.7.1 PHI USA Health Office of HIPAA Compliance
4.7.2 Student Data Registrar
4.7.3 Any other Confidential Data, if at USA Health USA Health HSIS (or HR)
4.7.4 Any other Confidential Data, if on USA campus USA CSC
Upon learning of a Breach, the recipient of the report should assemble a committee consisting of the recipient, a representative of the Office of General Counsel, and administrators from the location of the Breach. This committee, with assistance from the USA Cyber Risk Team (CRT), when applicable, will initiate an investigation to determine how the Breach occurred, who was involved, and the identity of the affected Data Subjects, attempt to retrieve the breached Confidential Data, and notify the Data Subjects. The committee will meet and work to mitigate the Breach, conduct a risk assessment, and determine USA’s legal obligations (notification to the Data Subjects, etc.). Depending on the size and scope of the Breach, a third party firm may be contracted to notify the Data Subjects. Lastly, the committee will formulate and implement a corrective action plan, to be based on investigative findings, for the purpose of avoidance of future incidents. Please see USA Health’s Security Breach Notification and University of South Alabama Incident Response policies for more details.
Suspected violations of this policy should be reported to one’s immediate supervisor, department head, USA’s Data Protection Officer (at firstname.lastname@example.org), USA Health HSIS security personnel (at email@example.com ), or to the Ethics and Compliance Hotline (SouthAlabama.edu/Hotline, or by phone at 844-666-3599). Failure to adhere to the requirements of this policy, and especially, intentional employee misuse of Confidential Data and/or the systems in which Confidential Data is stored, is a serious breach of job responsibilities and may result in discipline up to and including termination of employment or dismissal from USA. [See Staff Employee Handbook, Section 6.2, page 58, Progressive Discipline, or the Faculty Handbook, Section 3.15.4, Termination/Dismissal, for further details].
7. Related Documents
7.3 Information Systems Security (policy)
7.8 Cardholder Data Environment (policy)
7.9 Payment Card Industry (PCI) General Merchant (policy)
7.10 Controlled Unclassified Information (CUI) Research (policy)
Summary of Applicable Laws, Regulations, Acts, and Standards.
In effect since August 21, 1974, the Family Educational Rights and Privacy Act (FERPA) protects the confidentiality of student educational records. The Act gives students the right to inspect and review their own education records, request corrections, control the release of personally identifiable information, and obtain a copy of their institution's policy concerning access to educational records. It also prohibits educational institutions from disclosing "personally identifiable information in education records" without the written consent of the student, with certain exceptions. Schools that fail to comply with FERPA risk losing federal funding. Exceptions may apply; consult with the USA Registrar.
In effect since August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA) and the changes since (2003 adoption of the HIPAA Privacy, Security and Enforcement Rules; 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act; 2013 the HIPAA Omnibus (Final) Rule) protect the confidentiality and privacy of all information related to an individual’s past, present and future physical and mental health condition(s).
USA is a “hybrid entity” that performs both covered and non-covered functions under HIPAA. The healthcare components and components acting as business associates within USA are required to comply with HIPAA. For purposes of compliance with HIPAA, USA has been designated as an Organized Health Care Arrangement (OHCA), which includes USA Health (Hospitals, Physicians Group, Mitchell Cancer Institute and University of South Alabama Health Care Authority (HCA)), USA Allied Health Speech and Hearing Center, USA Allied Health Physical Therapy, USA Radiological Sciences, USA Psychology Clinic, USA College of Nursing, and USA College of Medicine. These entities participate in a clinically and operationally integrated care setting in which it is necessary to share PHI for joint management and operations. Patients who obtain services within this OHCA have an expectation that they are integrated and jointly managed.
In effect since May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) may have extraterritorial reach to any business or entity which collects information from European Union citizens and residents when the citizens or residents are on European Union soil. The regulation requires that any Confidential Data collected from those individuals is (a) processed fairly, lawfully, and in a transparent manner, (b) kept for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes, (c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization), (d) accurate and, where necessary, kept up to date, (e) retained for no longer than is necessary to meet the purposes for which the Confidential Data are processed, (f) in accordance with Data Subjects’ rights, (g) processed in a way that ensures appropriate security of the Personal Data, and (h) not transferred to a third country or to an international organization if the provisions of GDPR are not complied with.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit payment card information maintain a secure environment. The Payment Card Industry Security Standards Council (PCI SSC) was created in September 2006 by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB) to manage the evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered by the PCI SSC.
USA adheres to the highest standards related to the security of Payment Card Data and must follow the guidelines set by the PCI SSC. The USA PCI Policy applies to any USA-related unit, department, or entity that accepts payment cards to conduct business.
Alabama Data Breach Notification Act
In effect since June 1, 2018, the Alabama Data Breach Notification Act of 2018 obligates each person, sole partnership, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive Personally Identifying Information to (a) implement and maintain reasonable security measures to protect Sensitive Personally Identifying Information against a breach of security, (b) conduct a good faith and prompt investigation into a breach of security that has or may have occurred in relation to Sensitive Personally Identifying Information of any individual, (c) notify each affected Alabama resident of a determined breach within forty-five days of discovery, (d) assure third-party agents notify the covered entity of a breach of security involving Sensitive Personally Identifying Information within ten days of discovery, and (e) notify the Alabama Attorney General and credit reporting agencies of a breach involving more than 1,000 Alabama residents.
The Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Modernization Act of 1999, the GLBA is a federal law that requires financial institutions to take steps to ensure the privacy, security, and confidentiality of customer records. Because higher education institutions engage in financial activities, such as making Federal Perkins Loans, Federal Trade Commission regulations consider them financial institutions for GLBA purposes.
Colleges and universities are deemed to be in compliance with the privacy provision of the GLBA if they are in compliance with FERPA. However, institutions of higher education remains subject to the Safeguards Rule of the GLBA related to the administrative, technical, and physical safeguarding of customer information. The Safeguards Rule of the GLBA requires financial institutions to develop and maintain a security plan to protect the confidentiality and integrity of personal information.
The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, gives California consumers personal data protections. The CCPA grants the following consumer rights: (1) to know what personal data is being collected; (2) to know what personal data is being sold and/or shared with third parties; (3) to opt-out of the sale of his/her personal data; (4) to access his/her personal data; (5) to request the deletion of his/her personal data. If a consumer exercises one of the aforementioned rights, a business must respond within forty-five days of the request.
In addition to these consumer rights, the CCPA also requires businesses to provide notice as to whether personal data is sold and instructions on how to opt-out of the selling or sharing of the personal data. Organizations must also allow consumers to exercise their right to opt-out through at a minimum, two methods, including a toll-free number and a URL.
Finally, the CCPA provides consumers with a “private right to action,” allowing them to seek damages in the event of a breach where a business has failed to implement reasonable security procedures and practices appropriate to the nature of the information. Damages resulting from a breach are limited to a maximum of $750 per incident.