HSC OP 56.04 Data Security and Privacy | Texas Tech University Health Sciences Center

外网天堂

外网天堂 students walking through Lubbock campus courtyard.

[PDF Version]

Last published: 11/30/2024

外网天堂 Logo

Operating Policy and Procedure

HSC OP: 56.04 Data Security and Privacy

PURPOSE: This policy applies to 外网天堂 data generated by or for, owned by, or otherwise in the possession of 外网天堂 and that is related to 外网天堂 activities. The purpose of this policy is to ensure that such data is categorized, properly handled, and protected. Data is protected in accordance with its regulatory status and the potential impact to Texas Tech University Health Sciences Center (外网天堂) if the data is compromised through a loss of confidentiality, integrity, or availability.

Security and privacy categorization ensures that data being processed, stored, or transmitted is properly protected. The data classification scheme summarized in this policy is intended to inform the implementation of the safeguards, precautions, and handling requirements necessary to prevent accidental data disclosure.

The Information Security Officer (ISO) in consultation with the 外网天堂 Office of Institutional Compliance will recommend, in accordance with Texas Administrative Code, Title 1, Chapter 202 (1 TAC 202), appropriate standards, guidelines, and training regarding Data Security and Privacy to the Information Resources Manager (IRM) for approval.

REVIEW: This IT Policy will be reviewed annually in August by the IT Executive Management Team and the Office of Institutional Compliance.

SCOPE

This policy applies to

a. 外网天堂 data. Information generated by or for, owned by, or otherwise in the possession of 外网天堂 that is related to 外网天堂鈥檚 activities. 外网天堂 Information may exist in any format (e.g electronic, paper) and include, but not be limited to, all academic, administrative, clinical, and research data,

b. 外网天堂 Information Systems that support the business of the institution by storing or transmitting 外网天堂 Information, and;

c. 外网天堂 employees, students, contractors, volunteers, and any other users authorized to access 外网天堂 Information and Information Systems. In addition, third parties may be subject to this policy through contractual obligations with 外网天堂.

POLICY

1. Data Management Principles

Data, regardless of the form or format, which is created or used in support of 外网天堂 business activities, is owned by 外网天堂. 外网天堂-owned Information is an asset and must be protected from its creation, through its useful life, to its timely and authorized disposal. 外网天堂-owned Information should be maintained in a secure, accurate, and reliable manner and be readily available for authorized use.

Proper data management must

a. be based on the value and associated risks of managing the Information,

b. meet the appropriate levels of protection as required by state and federal laws,

c. account for ethical, proprietary, and privacy considerations,

d. recognize that data classifications are contextual, subject to change and should therefore be periodically reviewed, and

e. follow approved storage guidelines as described in the .

2. Data Management Roles

The ISO is responsible for data governance, including the establishment of the practices and requirements for 外网天堂 Data Management programs. The ISO develops, maintains, and disseminates information security policies, procedures, standards, and guidelines regarding Data Management.

The following data management roles should be established for each 外网天堂 business unit or department that stores, processes, or transmits data:

a. Data Owner: Individuals, often department heads or similar, who have direct responsibility for the Information that resides in and/or is primarily used within their department. The owner is accountable for classifying and reviewing the Information according to the designations defined in the , and for ensuring that policies, standards, and internal controls established by the ISO and the Office of Institutional Compliance are executed in a reliable and consistent manner.

b. Data Custodian: Individuals who implement the policies, standards, and internal controls established by the ISO and the Office of Institutional Compliance and as required to do so by the Data Owner. The data custodian ensures that users are trained and that they are monitored for compliance.

c. Data User: Authorized individuals who access Information at any point during its lifecycle. Anyone within 外网天堂 can be a data user. Users are responsible for identification, labeling, and proper disposal of Information in accordance with relevant 外网天堂 policies.

3. Data Classification Principals and Schema

外网天堂-owned data is classified both in terms of regulated privacy standards and based on its sensitivity, legal status, and retention requirements, as well as according to the type of access required by 外网天堂 users. 外网天堂-owned Information is classified as follows:

a. Privacy Compliance-based Definitions

(1) Personally Identifiable Information (PII)

Information or data about an individual that may be used to distinguish or track the individual's identity or that may be linked to the individual, including, but not limited to, the individual's name, social security number, date of birth, location of birth, mother's maiden name, biometric records, medical information, educational information, financial information, and employment information.

(2) Protected Health Information (PHI)

PHI (PHI) is defined in 45 CFR 搂 160.103 and in 外网天堂 HIPAA Privacy Policy HPP 1.1 Glossary of HIPAA Terms, as individually identifiable health information created, maintained or transmitted by 外网天堂 or any other covered entity in any form or medium, including information transmitted orally, or in written or electronic form.

b. Data Security-based Definitions (in order of security required from lowest to highest)

(1) Public Data

The Public label is used for Information such as published reports, press releases, and Information published to the university鈥檚 public website. Such public-related materials require no authentication and are freely distributable by all university personnel and are available for public access without requiring intervention by 外网天堂 employees.

(2) Sensitive Data

The Sensitive label is used for Information that may be subject to disclosure under the Texas Public Information Act, but should be vetted/verified before it is released. While these records and Information are considered 鈥淧ublic鈥 under the Texas Public Information Act, they should still be afforded a higher level of protection to ensure Confidential Data (e.g., net salary information) is not comingled. Sensitive Data may include Confidential Data that has not yet been classified as such. Examples of Sensitive Data may include but are not limited to:

鈥 Operational information

鈥 Personnel records

鈥 Information security procedures

鈥 Unpublished research information

鈥 Internal communications

鈥 Gross salary information

(3) Confidential Data

The Confidential label is used to identify information that 外网天堂 collects and maintains that is protected from disclosure either through a codified exception to the Public Information Act, Texas Government Code Ch. 552 or through the opinions or decisions of the Attorney General鈥檚 Public Information office. Such information may also be subject to breach notification requirements under Texas law. Examples of Confidential Information may include but are not limited to:

鈥 Attorney-client communications

鈥 Computer Vulnerability Reports

鈥 Protected draft communications

鈥 Net salary information

(4) Regulated Data

The Regulated label is used to identify Information that 外网天堂 collects and maintains that is controlled by state or federal law, and other constitutional, statutory, judicial, and legal agreements and requirements. Authorized disclosure or release of Regulated Data is governed by applicable statutes. Examples of Regulated Data may include but are not limited to Compliance-based Personally Identifiable Information (PII) and Protected Health Information (PHI) as defined in the following:

鈥 Patient Protected Health Information as defined by HIPAA 45 CFR 搂 160.103

鈥 Education records as defined by FERPA 34 CFR 搂 99.3

鈥 Cardholder Data governed by PCI DSS

鈥 Data that meets the definition of SPI under the Texas Business and Commerce Code 521.002(a)(1) and 521.002(a)(2)

鈥 Controlled Unclassified Information as defined by Federal Executive Order 13556

4. Data Life Cycle

a. Data Creation

Data Owners who oversee data creation as part of their authorized duties or receive legitimate data from an outside source must classify and protect the data in accordance with this policy. Data Owners should consult with 外网天堂 General Counsel, 外网天堂 Office of Institutional Compliance or 外网天堂 IT GRC regarding any questions on the proper classification or disclosure of data. Data Owners, Custodians, and Users are prohibited from improperly receiving or sharing data that is protected under applicable copyright and trademark laws.

b. Document Retention and Disposal

Documents or media that contain Sensitive Information or higher must be retained, disposed of, or destroyed in a secure manner as outlined in 外网天堂 OP 10.09 Records Retention and its accompanying schedule. Documents that contain Protected Health Information must be disposed of appropriately in accordance with 外网天堂 HIPAA Privacy Policy 4.12 Disposal and Destruction of Protected Health Information.

c. Lifecycle Changes

The classification of a data item can change over the course of its lifecycle. For example, data may start as Confidential Data during its draft phase and may become Public Data once it is publicly available. The Information Owner or their designee remains responsible for the proper classification of data over the course of its lifecycle.

5. Data Encryption

a. All electronically stored or transmitted data classified as Sensitive Data or higher, including information identified as PII or PHI, must be encrypted while it is either transmitted across networks, or stored or transported on approved computing devices, using an approved Cryptographic Algorithm.

b. The Information System Owner must contact 外网天堂 IT to obtain approved encryption tools. Minimum requirements for 外网天堂 data encryption can be found in the .

c. All Cryptographic Keys (except for Public Asymmetric Keys) as well as the resources used to generate and store Cryptographic Keys themselves shall be considered Confidential Data. Public Asymmetric Keys may be considered public data.

d. Exportation of cryptographic technologies outside of the United States is restricted by federal regulations. See the Foreign Travel Standard for requirements related to 外网天堂 travel and encrypted devices.

e. All data classified as or higher, including PII/PHI that is sent over email, must follow the email encryption procedure as described in .

f. All data classified as Sensitive Data or higher, including PII/PHI, must be digitally stored as described in the .

6. Approval for Release of 外网天堂-Owned Data

a. Data identified as Sensitive, Confidential, or Regulated shall not be released outside of 外网天堂 without prior approval of the 外网天堂 General Counsel.

b. Regulated Data (including PII/PHI) may only be released as authorized by the applicable regulations.

7. Violations

Any violation of this policy may result in disciplinary action, up to and including fines to both the individual and the institution, investigation by the 外网天堂 Privacy Officer and/or Information Security office and may result in termination of employment. 外网天堂 reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity.

a. Disciplinary Repercussions

Misuse of 外网天堂 Information or Information Systems is a violation of the policies contained herein and can result in disciplinary action in accordance with, but not limited to, TTUS Regulations Employee Conduct, Coaching, Corrective Action, and Termination and 外网天堂 OP 77.05 Suspension and Retention, as well as the Student Handbook.

Related Statutes, Policies, and Requirements

鈥 Computer Fraud and Abuse Act

鈥 Computer Security Act

鈥 Copyright Act of 1976

鈥 Family Education Rights and Privacy Act

鈥 Federal Executive Order 13556, Controlled Unclassified Information

鈥 Federal Information Processing Standards (FIPS) Publication 199

鈥 Federal Information Security Management Act (FISMA)

鈥 Gramm-Leach-Bliley Act

鈥 International Standards Organization 27001:2005

鈥 State of Texas Executive Order RP58

鈥 Texas Business and Commerce Code, Chapters 48 and 521

鈥 Texas Government Code, Chapters 441 and 2054

鈥 Texas Penal Code, Title 7, Chapter 33 and 33A

鈥 Uniform Trade Secrets Act

鈥 Digital Millennium Copyright Act

Health Insurance Portability and Accountability Act of 1996

Payment Card Industry (PCI) Data Security Standard (DSS)

Texas Administrative Code

Texas Public Information Act

Texas Security Control Standards Catalog

Texas Government Code

外网天堂 IT Areas of Responsibility

Document Approval Details and Revision History can be found on PDF.