Rice University complies with all relevant laws and regulations related to the protection of confidential and sensitive data, including personally identifiable information, in conducting university business.
This policy applies to all faculty, staff, students, and other individuals working on behalf of Rice University, and covers all confidential or sensitive information related to students, employees, donors, alumni, prospects, applicants, research subjects, and others on whom the university may have such information. The policy applies regardless of how the information is stored (e.g., paper, electronic, cloud, other media) or transmitted.
University data must be appropriately protected at all times, as defined within this policy.
All faculty, staff and students who gather, store, transmit, or have access to university data including personally identifiable information are required to treat such information appropriately, and in accordance with this policy and the law. At a minimum this means taking appropriate measures to protect such data, including encryption and password protection, and immediately reporting any loss or unauthorized access of university data to the Information Security Office.
The Information Security Office provides tools, services, and guidance related to the security of the university’s information technology assets. Questions related to these services, as well as questions related to the theft or potential theft of any personally identifiable information (including paper formats), should be directed to the Information Security Office at firstname.lastname@example.org. Further, the Chief Information Security Officer has been designated as the HIPAA Security Officer, and the GDPR Data Protection Officer (see Appendix for more information on these regulations).
The Office of General Counsel and the Compliance Office provide guidance for questions related to the treatment of confidential or sensitive information, including: educational records under FERPA; medical or health-related information under HIPAA, the ADA or FMLA; financial information of customers of the university under the GLBA; research related data under relevant laws and agreements; and credit card information obtained and/or maintained under the PCI-DSS.
Confidential Information is information or data that is deemed confidential by law, regulation or University policy or which contains information that is highly private or personal or could lead to identity theft if mishandled. Examples of these types of information include, but are not limited to: social security numbers; credit card numbers; driver’s license or other government-issued identification numbers; bank account information; protected health information; and student education records (including grades and disciplinary records).
Confidential information can also include information or data that was created by other Rice University researchers or provided to Rice by third parties, provided that those researchers or third parties have made it clear that such information is confidential (by marking it as such).
Sensitive Information is information or data related to Rice’s business and academic activities that, although not cloaked with the same level of concern or legal protection as confidential information, is still considered by Rice to be “sensitive information”. Examples of these types of information include, but are not limited to: birth dates; home addresses; emergency contact information; employee ID numbers; employee disciplinary records; legal documents (unless publicly disclosed by the University); financial records (unless publicly disclosed by the University); infrastructure information (e.g., IT, physical plant) (unless publicly disclosed by the University).
Personally Identifiable Information is data which is tied to, or otherwise enables identification of, a specific person and makes personal information about them known.
Encryption means any method that will encode data so that it cannot be easily read or understood by unauthorized individuals.
A. Confidential Information
University personnel should treat as “Confidential Information” personally identifiable information deemed confidential by law, regulation or University policy or which contains information that is highly private or personal or could lead to identity theft if mishandled. Examples of where this confidential information is located include:
Use and release of any such confidential information shall be consistent with law and University policy.
B. Sensitive Information
Some information related to Rice’s business and academic activities, although not cloaked with the same level of concern or legal protection as confidential information, is still considered by Rice to be “sensitive information”.
Organizational units must be mindful that while some information may be directory information that would not ordinarily be confidential or sensitive, there may be other reasons for not disclosing the information (e.g., if a student has requested the Registrar not release directory information about that student).
C. Collection, Storage, Transmission and Disposal of Confidential or Sensitive Data
Each organizational unit of the university is responsible for ensuring that all confidential or sensitive information that is collected, stored, and transmitted is handled in accordance with the following:
Confidential and sensitive information should be shared only on a need-to-know basis and externally only consistent with law. This includes written confidentiality agreements, as appropriate.
If shared internally, colleagues should be informed of the confidential or sensitive nature of the information and the need to safeguard it. If there is any doubt about the appropriateness or prudence of disclosing personally identifiable information, the unit should confer with the Office of General Counsel, Office of Human Resources (for employees), Sponsored Programs and Research Compliance (for research), or the Office of the Registrar (for students).
D. Required Protection of Confidential and Sensitive Information
Any Confidential and Sensitive Information obtained or used by Rice University employees in the performance of their duties, or that is stored on Rice University equipment, computers, or devices, stored in the cloud, or that is stored on a personal device of any type must be appropriately protected at all times. At a minimum, this means that access to the data must require a password or PIN, and that data is properly encrypted while at rest and in transit.
Confidential and Sensitive Information that is kept in a printed format must be adequately secured from unauthorized access. At a minimum this means that it is stored in a locked office or file cabinet.
Exceptions to this requirement must be approved by the Vice President of Information Technology or Chief Information Security Officer.
E. Disposal of Confidential and Sensitive Information
Confidential and Sensitive Information must be disposed of through secure means such as shredding and thoroughly erasing or destroying hard drives. Employees should be aware that some items such as copiers, faxes and scanners may store protected information which must be erased or destroyed prior to disposal. The Information Security Office is available to assist with appropriate disposal.
F. Traveling with Confidential or Sensitive Information
Employees should exercise caution when traveling with confidential or sensitive data, and only travel with such information when it is necessary to do so. Further, employees should be advised that when traveling to foreign countries certain export control restrictions may apply to certain encryption software (if the software is modified or not commercially available).
The Office of Sponsored Programs and Research Compliance is available to assist you with questions related to export controls.
G. Lost, Exposed or Misplaced Confidential or Sensitive Information
Anyone who becomes aware that a computer, laptop, mobile device or other equipment containing Confidential or Sensitive information has been breached, lost, stolen, or misplaced must immediately contact the Information Security Office or the Rice University Police Department and report the matter.
Additionally, anyone who becomes aware or suspects that Confidential or Sensitive information may have been accessed by or disclosed to unauthorized individuals must immediately contact the Information Security Office.
The Information Security Office will take steps to prevent access, to recover and protect the data, and to assess the extent to which data may have been improperly accessed. The Information Security Office will also coordinate the reporting of the matter to any relevant parties (including individuals whose data may have been compromised, and the appropriate governmental authorities, as may be required).
Rice University maintains a Privacy Notice that outlines our practices related to certain personal data (it may be accessed at privacy.rice.edu). Individuals in the European Economic Area should consult our EEA Privacy Notice, for additional information related to the General Data Protection Regulation (which may be accessed at privacy.rice.edu/gdpr).
Policy 832. Appropriate Use of Information Technology
SPARC information page on Controlled Unclassified Technical Data
Responsible Official: VP Information Technology
Other Key Offices: Office of General Counsel; Information Security Office; Sponsored Programs and Research Compliance
David W. Leebron, President
May 21, 2019; October 31, 2017
February 17, 2011