This document provides the policy for acceptable use of Research Foundation (RF) data outside of the RF business system and for maintaining integrity of data uploaded into RF systems. It also establishes standards and responsibilities for the use of specific types of RF data, including data requiring an elevated degree of security. The objectives of the policy are to:
- Protect, segregate and safeguard RF data;
- Prevent improper or unwarranted disclosure of RF data; and
- Provide reasonable assurance that data entered into RF systems are complete and accurate.
The RF understands that campuses have business and operational needs that may be facilitated by including RF data in non-RF systems. Campuses and the RF must protect the integrity and confidentiality of RF data.
Additionally, the RF understands that automated entry of data (uploading) into the RF business system may provide efficiencies to campuses. Campuses and the RF must protect the integrity and identity of data uploaded to the RF business system.
Corporate, agency and sponsored program data that is classified into two types: non-proprietary and proprietary.
High-level data that is not considered private and confidential. Examples of non-proprietary data include but are not limited to financial sponsored program data at the aggregate level (no detail) and personnel data limited to the following:
- Employee identification number - as long as this number or its placement in a sequence of numbers does not identify the person's employer
as the RF;
- Work phone number; and
- Department or location.
RF data that is considered to be private and confidential. Examples of proprietary data include but are not limited to, the following:
- Financial sponsored program data at the detail level;
- Biographical data (e.g., age, sex, marital status);
- Fair Labor Standards Act (FLSA) designation (exempt or non-exempt);
- Job title;
- Social security number;
- Elected benefits;
- Health Insurance Portability and Accountability Act (HIPAA) related data;
- Home phone; and
- Home address.
Data originally input to a system outside of the RF business system and subsequently uploaded to the RF business system through an automated or manual process.
All RF data extracted from the RF business system must be protected from unauthorized access. Data entered (by manual or automated methods) into the RF business system must adhere to business rules to protect the integrity and identity of the data for the organization (e.g., RF, or a third party such as SUNY).
Non-proprietary data may be stored outside of an RF business system.
Except as otherwise set forth in this policy, proprietary data will not be stored with non-RF data outside of an RF business system due to privacy and confidentiality requirements.
Proprietary data may be combined in a non-RF business system if a campus provides (1) a secure environment with proper controls that ensure privacy, integrity, and confidentiality and (2) appropriate policy on access and use consistent with a business need to know.
Access to RF data must be authorized by the campus operations manager (OM). A list by name or job position of people authorized to access the extracted proprietary data will be submitted by the OM to the RF central office on at least an annual basis. Refer to the Authorization for Use of Research Foundation Data Outside of RF Business System for more information.
Before a campus combines RF proprietary data into a non-RF business system, the campus must share with RF central office its applicable data protection policies and procedures.
Data entered into the RF business system by manual or automated methods must follow RF business rules. Controls such as system edits, approvals, or any other existing controls designed to enforce RF business rules are mandatory and cannot be bypassed for any reason.
The OM is responsible for certifying that an environment with appropriate policies, procedures, and controls is in place at their campus to protect all RF data. Each campus must have written policies governing the appropriate access and use of RF data outside the RF business system consistent with RF policies and procedures.
The RF is responsible for ensuring the integrity of all data in the RF business system. The RF central office will provide an appropriate system of internal controls for the process of uploading data from non-RF systems.
To address compliance with this policy, steps will be taken to ensure the protection of RF proprietary data. Periodic audits may be performed by RF central office Internal Audit and Management Advisory Services.
These audits will determine whether (1) proper documentation exists for the OM authorization of access to proprietary RF data; (2) annual OM recertification of those authorized to access RF data is occurring; (3) procedures are in place to protect all RF data; and (4) people who have been granted access are aware of and understand RF and applicable campus policies for the acceptable use of RF data. The periodic audits may also include reviewing the types of RF proprietary data being used.
Providing RF Data
Pursuant to this policy, the RF central office will make data reasonably available and/or provide an automated means to upload data to those campuses that require these services. The RF will develop a centralized solution for uploading data to ensure system checks and balances are in place. The solutions will be consistent for all requests and in accordance with this policy.
In the event of a security breach or suspected breach, involving RF data, the OM or designee must immediately contact RF central office information security. See Notification Procedure for Electronic Breach of Information Security and follow the notification process.
Gerard Drahos, Vice President for Information Services and Chief Information Officer
Was this document clear and easy to follow?
Please send your feedback to firstname.lastname@example.org.
Copyright © 2009 The Research Foundation of State University of New York