Introduction
This protocol, its accompanying standards and procedures, and a glossary of technical and legal terms, are designed to offer a set of principles for evaluating the relative sensitivity of personal identifiers, rules and practices designed to minimize and mitigate the threats of exposure or loss of business records containing identifying information, and support for the campus Internal Controls initiative.
Faculty and staff at the University at Albany are required to collect and use a wide variety of information, in both paper and electronic formats. Grades, research data, application submissions, health records, and financial transactions are just some of the types of business records we utilize in the course of performing our work.
As criminal fraud incidents involving stolen or lost information have proliferated, states and the federal government have imposed increasingly stringent requirements on businesses and government entities to ensure that adequate protections are applied to collections of business records containing sensitive, personal information.
The Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) are two examples of federal legislation that require specific levels of protection and authorize penalties for failure to comply with those requirements.
Two statutes in New York State, the Information Security Breach and Notification law and the Social Security Protection law, impose severe penalties for the mishandling and misuse of social security numbers. Recently, new provisions in the state’s Labor Law and Public Officers Law imposed additional restrictions on the use of social security account numbers by state entities.
Because of the possible sanctions the University could suffer resulting from the loss or exposure of regulated information, and the increasing threats to that information posed by cyber crime and emerging technologies (e.g., cloud services, social networking sites), it is vitally important that University faculty and staff understand what business records they need to protect, and how best to protect them.
ITS Protocol
Pursuant to the University at Albany Information Security Policy, this protocol is established as part of the Identity Management Security Domain*. [An asterisk indicates that the term is defined in the attached glossary.]
Security Domain
Identity Management: A comprehensive and unified approach to managing the identities of persons and processes issued by the University for the purpose of granting and controlling access to campus information resources. This includes exercising due care in the areas of identity assurance, issuance, authentication, authorization, revocation, and recovery of identity elements (NetIDs, tokens, etc.).
Objective
1. Broaden awareness about the need to maintain confidentiality and privacy of unique identifiers used at the University.
2. Reduce reliance on and use of SSNs for identification purposes.
3. Establish consistent University-wide and divisional protection and use policies and practices for institutional identifiers.
4. Increase student and employee confidence surrounding handling of their personal identifiers, including SSNs.
Background
Given the increasing trend of data breaches and the legal and financial penalties facing those organizations that suffer the exposure of personal, private, and sensitive information, as well as the serious reputational damage that can result from such incidents, it is in the University's best interest to formulate standards and procedures for handling and safeguarding personal identifiers.
Policy Statement
The University at Albany is committed to ensuring the privacy and proper handling of confidential information it collects and maintains on faculty, staff and students, including the Social Security Number (SSN), which is required for state and federal government reporting purposes. It is the policy of the University at Albany to protect the privacy of SSNs and to place appropriate limitations on their use throughout the admission, financial aid, billing, registration, and HR processes. These limitations apply equally to University information systems and the information systems of contracted third parties.
Likewise, the University creates, assigns, and uses unique identifiers to accurately distinguish and track faculty, students, and staff through a myriad of business, research, academic, and health care processes. Changes in FERPA rules (Dec 08) require institutions to maintain appropriate levels of privacy protection for these institutional forms of identification due to their close association with educational records. Sensitive information related to employment and health records is linked to them, as well.
This protocol outlines the acceptable use of SSNs and all other institutional identifiers, limiting their use to business purposes only and establishing procedures to assure that University employees are aware of and comply with all applicable laws and regulations.
Scope
This is a University-wide protocol affecting all business and academic units and affiliate entities that rely on University institutional identifiers for their operations.
Guiding Principles
1. Use of unique identifiers should progress from the least confidential required to the most confidential. For example, if a NetID or AlbanyID is sufficient to uniquely establish an identity, these identifiers should be used instead of SSNs. Generally speaking, the least confidential identifier is a name; the most confidential identifier is the SSN with the name.
2. The number of unique identifiers required should be determined by the minimum needed to effect the transaction. If the Albany ID is sufficient to positively identify someone, there is no need to add additional identifiers to the record set unless they are essential to the transaction.
3. Excluding systems of record, identifiers should not be retained beyond the period defined by document retention requirements, or if otherwise unspecified, the time needed to complete the transaction requiring their use.
Roles and Responsibilities
1. Regulatory Compliance. All staff are expected to know, understand, and comply with the regulations governing the collection, distribution, storage, and disposal or destruction of information they work with in the course of performing their duties.
2. Supervisory Personnel. In addition to the above general compliance requirement, supervisory personnel have the following responsibilities:
- Ensure that their staff understand and adhere to the statutory or University regulations that govern the use of the unit’s or department’s information.
- Ensure compliance and adherence on the part of employees to the protocol’s Standards and Procedures document (See Related Documents for link).
- Periodically review and update data access permissions and privileges to ensure that staff have appropriate access levels to records. Terminations, transfers, and changes in employee work assignments require a review and adjustment of employee access privileges.
- Report incidents of abuse of privileges, or unauthorized access to information, to the appropriate authorities upon discovery of such abuse or unauthorized access.
Compliance
Compliance with this protocol and its related standards and procedures will be in accordance with the Compliance section of the University's Information Security Policy as well as any and all applicable laws.
Review
This protocol and all related published documents will be reviewed no less than once every three years.
Related Documents
• Protection_of_Identifiers_Standards_Procedures
• Internal Control Vulnerability Assessment (See Factor 10): <http://www.albany.edu/internalcontrol/links.shtml>
• SUNY Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, #6608
• NYS Labor Law
• NYS Public Officers Law
• NYS Social Security Number Protection Law
• Family Educational Rights and Privacy Act
• Federal Trade Commission Identity Theft Red Flag Rules
• Health Insurance Portability and Accountability Act
• Gramm Leach Bliley Act
• Freedom of Information Law
• NYS Information Security Breach & Notification Law
• NYS Business Law and Technology Law
• NYS Information Security Policy P03-003
• SUNY Policies of the Board of Trustees
Office of the Chief Information Officer
University Hall, Room 208
1400 Washington Avenue, Albany, NY 12222
PH: 518-956-8080 FX: 518-956-8085
www.albany.edu