UNIVERSITY OF WISCONSIN - SUPERIOR
Policy Subject: Data Security Policy
Date Revised: 15 October 2003
I. Background and Purpose
A federal law enacted in 1999, the Gramm-Leach-Bliley Act (GLB Act), requires colleges and universities to implement policies for protecting student financial information. The law primarily targets banks and other financial institutions, but colleges and universities are covered to the extent they provide "financial products or services" such as processing student loans. Financial data, such as parental income, and other personal data, such as social security numbers, obtained in connection with such transactions must be protected against computer hackers and other security risks.
The GLB Act charged the Federal Trade Commission with issuing regulations regarding the accuracy and security of financial information. The FTC issued two sets of implementing rules, known as the Privacy Rule and the Safeguards Rule. Colleges and universities that comply with the Family Educational Rights and Privacy Act (FERPA) are deemed in compliance with the Privacy Rule. There is, however, no corresponding FERPA safe harbor for the Safeguards Rule. Colleges and universities therefore must implement data security policies to comply with that rule.
The Safeguards Rule requires covered institutions to implement a data security policy with five elements:
- Designation of an employee to coordinate information security
- Identification of "reasonably foreseeable" security risks, both internal and external
- Teaching employees how to maintain data security
- Requiring service providers to maintain adequate data safeguards through appropriate contractual provisions, and
- Monitoring network security, including the effectiveness of established security procedures.
- Applicable UW System Administration Policy Documents
- Applicable UW-Superior Policy Documents
- State Statutes
IV. Policy Statements
Data contained in the University's systems are the property of the University of Wisconsin-Superior and represent official University records. Exceptions to this policy are: faculty developed curricular material, student developed curricular material, or certain licensed information such as electronic journal subscriptions. Questions regarding exemptions should be discussed with the University Legal Counsel.
Users who accept access to University data, regardless of the medium, also accept responsibility for adhering to certain principles in the use and protection of that data. These principles are:
- Information systems within the University shall be used only for and contain only data necessary for fulfillment of the University's mission.
- University data shall be used solely for the legitimate business of the University.
- Due care shall be exercised to protect University data and information systems from unauthorized use, disclosure, alteration or destruction.
- University data, regardless of who collects or maintains it, shall be shared only among those faculty or staff whose responsibilities require knowledge of such data.
- University policies and procedures are being developed to address federal and state laws concerning storage, retention, use, release, transportation and destruction of data and/or all information systems.
- University computerized information systems shall be constructed in such a manner to assure that:
- Accuracy and completeness of all system contents are maintained during storage and processing;
- Data, text and software stored and processed can be traced forward and backward for auditability;
- Information systems capabilities can be reestablished within an acceptable time after loss or damage by accident, malfunction, breach of security or act of God; and
- Actual or attempted breaches of security can be detected promptly.
- Appropriate University procedures shall be developed for reporting any breach of security or compromise of safeguards.
- Any faculty or staff member engaging in unauthorized use, disclosure, alteration or destruction of information systems or data in violation of this policy shall be subject to appropriate disciplinary action, including possible dismissal. The disciplinary actions are defined in the "appropriate use" policy, the Faculty/Staff handbook and UW System policies (www.uwsa.edu/spp.htm).
- Any student engaging in unauthorized use, disclosure, alteration or destruction of information systems or data in violation of this policy shall be subject to appropriate disciplinary action, including possible expulsion. The disciplinary actions are defined in the "appropriate use" policy, the student handbook and UW System policies.
- Users may not use, query, release or print data in any application to which they have not been deliberately given access. Such data includes, but is not limited to:
- Transcripts, grade reports, enrollment reports;
- Financial Aid information;
- Personnel or leave reports;
- Reports for government or funding agencies;
- Fund-raising activities;
- Mailing lists and labels (University relations); and
- Private or public release of data to outside parties such as student, parents, and the news media.
- All requests for information, whether made under the Freedom of Information Act or the Wisconsin Public Records Law, by law enforcement agencies, by subpoena, or otherwise, must be referred to the Provost (see the Policy on Response to Subpoenas) before any records are released.
V. Policy Procedures
Safeguarding of University information systems and data shall be the responsibility of each faculty, staff or student with knowledge of the system or data. Specific responsibilities are as follows:
- Management - All levels of management are responsible for ensuring that system users within their area of accountability are aware of their responsibilities as defined in this policy. Specifically, managers are responsible for validating the access requirements of their staff according to their job functions prior to submitting requests for access, and for ensuring a secure office environment with regard to University information systems. Managers of major University offices should appoint an individual within their staff to ensure these responsibilities are observed. Managers are also responsible for ensuring that their staff attend appropriate training sessions offered by the University to ensure compliance with laws, regulations and local policies.
- Employees - Faculty, staff, and student employees are responsible for the protection, privacy, and control of all University data they access or create, regardless of the data storage medium. All employees must ensure that the data and data media are maintained and disposed of in a secure manner. All employees are responsible for understanding the meaning and purpose of the data to which they have access, and may use this data only to support the normal functions of their administrative and academic duties. All employees are responsible for all transactions occurring under their userID and/or password. Passwords and userIDs may not be shared with anyone under any circumstances.
- Students - Students are responsible for protecting their userIDs and passwords so that unauthorized persons cannot gain access to their University records.
- Any user with access to University data should participate in University sponsored training sessions to improve their understanding of how to safeguard their own privacy and should be familiar with all IT Policies including but not limited to:
The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of personal information that is collected from customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) has issued the Safeguards Rule. This Rule requires financial institutions under FTC jurisdiction to secure customer records and information. The FTC has ruled that colleges and universities are financial institutions for the purposes of this Rule, and must be in compliance.