

Background and Purpose

The University of Rhode Island, herein URI, uses and creates data that demands protection, and conforms to federal and state law as well as University policies. This policy is meant to guide all of the University’s members in using adequate data protection procedures.


Definitions


Data Protection

Every member of URI should ensure the security and confidentiality of their sensitive data, such as name, date of birth, social security numbers, credit card numbers, driver’s license numbers, proprietary research data, privileged legal information, and data protected by law, such as student records. When this data is stored electronically, the person responsible for the data should take extra precautions to provide confidentiality and security.


Data Authority

Information Technology Services is responsible for ensuring that people protect all of their sensitive information maintained on the University’s information system. Any department or entity that stores information on mobile devices will be responsible for protecting and securing that information. If the data is stored on an in-department system, the department head is responsible for the protection of that data.


System Administrators

System Administrators are individuals who are responsible for the daily maintenance of the information systems. They follow data security and protection procedures and report any security breaches to their supervisors. They also perform risk assessment and data backups, and provide secure storage for the backups. System administrators also execute disaster recovery plans and provide system documentation. They complete other IT training as required.


Users

Users are people who have access to the information systems at URI. Users are responsible for following all policies for the systems that they are using. Users should not download or transfer sensitive data without permission and the proper security in place. Users are also responsible for reporting activities that may compromise URI’s data to their supervisors.


Student Information


Private Information

The following data may not be revealed by the University without student consent.

  • Grades
  • Student financial information
  • Credit card numbers
  • Bank accounts
  • Wire transfers
  • Payment history
  • Financial aid, or grants
  • Student bills


Public Information

The following data may ordinarily be revealed by the University without student consent unless the student designates otherwise.

  • Name
  • Date of birth
  • Place of birth
  • Phone number
  • Electronic mail address
  • Mailing address
  • Campus office address (graduate students)
  • Secondary mailing, or permanent address
  • Residence assignment and room, or apartment number
  • Specific quarters, or semesters of registration at URI
  • Major(s)
  • Minor(s)
  • Field(s)
  • Degree(s) awarded and date(s)
  • University degree honors
  • Institution attended immediately prior to URI
  • Identification card photographs for University classroom use


Employee Information

The following data may not be revealed by the University without employee consent.

  • Social security number (includes partials such as last four digits)
  • Salary
  • Date of birth
  • Home address or personal contact information
  • Performance reviews


Donor Information

The following data may not be revealed by the University without donor consent.

  • Name
  • Graduating class & degree(s)
  • Credit card numbers
  • Bank account numbers
  • Social security numbers
  • Giving history
  • Addresses
  • Telephone / fax numbers
  • Email addresses / URLs
  • Employment information
  • Family information (spouse(s) / children / grandchildren)


Scope

  • Every individual within the community of URI
  • Every system and all data including systems created or operated by third party vendors under the direction of URI, and data within said systems.


General Provisions

These guidelines address the handling of data, whether communicated orally, in hard copy, or electronic format, for all members of URI, including staff, faculty, students, affiliates, volunteers or others. This document applies to information stored on mobile and cellular devices or moved to media such as CD, tape, flash memory, or paper.

Particular emphasis is placed on University sensitive information, defined as information which should not be made public and which should only be disclosed under limited circumstances, and includes but is not limited to:

  • All information identifiable to an individual (including students, staff, faculty, trustees, donors, and alumni) including but not limited to social security numbers, dates of birth, student education records, medical information, benefits information, compensation, loans, financial aid data, alumni information, donor information, and faculty and staff evaluations.
  • The University’s proprietary information including but not limited to intellectual research findings, intellectual property, financial data, and donor and funding sources.
  • Information, the disclosure of which is regulated by federal, state, and/or local government (e.g., FERPA, GLBA and data collected from human subjects).


Specific Provisions

Handling Information

Faculty, staff and students should exercise care and judgment to ensure adequate protection of sensitive information. It is therefore recommended that they:

  • Adopt clean desk practices. That is, do not leave paper documents containing sensitive information unattended; protect them from the view of passers-by or office visitors. It is recommended that confidential documents contain a cover sheet.
  • Close office doors when away from your office.
  • Add a “Confidential” watermark to a Word document. (Steps vary by operating system and version. Consult the directions found in the Help menu.)
  • Store paper documents containing sensitive information in locked files with a controlled key system (a list of individuals who have access should be documented) or an appropriately secured area.
  • Lock file cabinets containing sensitive information before leaving the office each day.
  • Do not leave the keys to file drawers containing sensitive information in unlocked desk drawers or other areas accessible to unauthorized staff.
  • Store paper documents that contain information that is critical to the conduct of University business in secure file cabinets. Keep copies in an alternate location.
  • Shred paper documents containing sensitive information when they are no longer needed, making sure that such documents are secured until shredding occurs. If a shredding service is employed, the service provider should have clearly defined procedures in the contractual agreement that protect discarded information, and ensure that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
  • Immediately retrieve or secure documents containing sensitive information as they are printed on copy machines, fax machines or printers.
  • Double-check fax messages containing confidential information:
      • Recheck the recipient’s number before you hit ‘Start.’
      • Verify the security arrangements for a fax’s receipt prior to sending.
  • Verify that you are the intended recipient of faxes received on your machine. If you are not, contact the intended recipient and make arrangements for the proper dispatch of the fax.
  • Do not discuss sensitive information outside of the workplace or with anyone who does not have a specific “need to know.” Be aware of the potential for others to overhear communications containing sensitive information in offices, on telephones, and in public places like elevators, restaurants, and sidewalks.
  • Ensure that electronic equipment containing sensitive information is securely transferred or disposed of in a secure manner, per Brown’s Electronic Equipment Disposition Policy.
  • Immediately report the theft of Brown electronic computing equipment to the Department of Public Safety. Loss or suspected compromise of data containing sensitive information should be immediately reported to IT Security.


Policy Violations

Violation of this policy by any employee or any student will result in disciplinary action, according to established procedures.


Impact on Other Policies

Takes precedence over Acceptable Usage.


Effective Date: Interim or Permanent

June 2007 [Permanent]


Supersedes

None.


Next Review Date

As necessary, should new developments require a change in policy.


Policy Contact

Information Security Office
401-874-4787


Authority

Vice Provost of Information Technology Services