Rice University complies with Federal, State and local laws and regulations related to the protection of confidential and sensitive data, including personally identifiable information, in conducting university business.
This policy applies to all faculty, staff, students, and other individuals working on behalf of Rice University, and covers all confidential or sensitive information related to students, employees, donors, alumni, prospects, applicants, research subjects, and others on whom the university may have such information. The policy applies regardless of how the information is stored (e.g., paper, electronic, cloud, other media) or transmitted.
University data must be appropriately protected at all times, as defined within this policy.
All faculty, staff and students who gather, store, transmit, or have access to university data including personally identifiable information are required to treat such information appropriately, and in accordance with this policy and the law. At a minimum this means taking appropriate measures to protect such data, including encryption and password protection.
The Information Technology Security Office provides tools, services, and guidance related to the security of the university’s information technology assets. Questions related to these services, as well as questions related to the theft or potential theft of any personally identifiable information (including paper formats), should be directed to the Information Technology Security Office at firstname.lastname@example.org.
The Office of General Counsel and the Compliance Office provide guidance for questions related to the treatment of confidential or sensitive information, including: educational records under FERPA; medical or health-related information under HIPAA, the ADA or FMLA; financial information of customers of the university under the GLBA; research-related data under relevant laws and agreements; and credit card information obtained and/or maintained under the PCI-DSS.
Confidential Information is information or data that is deemed confidential by law, regulation or University policy or which contains information that is highly private or personal or could lead to identity theft if mishandled. Examples of these types of information include, but are not limited to: social security numbers; credit card numbers; driver’s license or other government-issued identification numbers; bank account information; protected health information; and student education records (including grades and disciplinary records).
Sensitive Information is information or data related to Rice’s business and academic activities that, although not cloaked with the same level of concern or legal protection as confidential information, is still considered by Rice to be “sensitive information”. Examples of these types of information include, but are not limited to: birth dates; home addresses; emergency contact information; employee ID numbers; employee disciplinary records; legal documents (unless publicly disclosed by the University); financial records (unless publicly disclosed by the University); infrastructure information (e.g., IT, physical plant) (unless publicly disclosed by the University).
Personally Identifiable Information is data which is tied to, or otherwise enables identification of, a specific person and makes personal information about them known.
Encryption means any method that will encode data so that it cannot be easily read or understood by unauthorized individuals.
A. Confidential Information
University personnel should treat as “Confidential Information” personally identifiable information deemed confidential by law, regulation or University policy or which contains information that is highly private or personal or could lead to identity theft if mishandled. Examples of where this confidential information is located include:
1. Financial Records (e.g., employee loans; donor financial information; student and family financial information including tax returns; payroll records).
2. Health Records (e.g., employee benefit plan information; workers compensation claim information; student medical records; student counseling center information; information regarding disabilities).
Use and release of any such confidential information shall be consistent with law and University policy.
B. Sensitive Information
Some information related to Rice’s business and academic activities, although not cloaked with the same level of concern or legal protection as confidential information, is still considered by Rice to be “sensitive information”.
Organizational units must be mindful that while some information may be directory information that would not ordinarily be confidential or sensitive, there may be other reasons for not disclosing the information (e.g., if a student has requested the Registrar not release directory information about that student).
C. Collection, Storage, Transmission and Disposal of Confidential or Sensitive Data
Each organizational unit of the university is responsible for ensuring that all confidential or sensitive information that is collected, stored, and transmitted is handled in accordance with the following:
1. Collected only as necessary in conjunction with academic and business needs.
2. Restricted in its distribution and accessibility (in some cases approved by a supervisor) as is consistent with good internal control practices, with employees with access to such information being informed of applicable restrictions.
3. Properly secured by the use of such safeguards as secured file storage and rooms, encryption, and other technology tools (see Section IV.D below).
4. Disposed of through secure means such as shredding and thoroughly erasing hard drives (see Section IV.E below).
Confidential and sensitive information should be shared only on a need-to-know basis and externally only consistent with law. This includes written confidentiality agreements, as appropriate.
If shared internally, colleagues should be informed of the confidential or sensitive nature of the information and the need to safeguard it. If there is any doubt about the appropriateness or prudence of disclosing personally identifiable information, the unit should confer with the Office of General Counsel, Office of Human Resources (for employees), Sponsored Programs and Research Compliance (for research), or the Office of the Registrar (for students).
D. Required Protection of Confidential and Sensitive Information
Any Confidential and Sensitive Information obtained or used by Rice University employees in the performance of their duties, or that is stored on Rice University equipment, computers, or devices, stored in the cloud, or that is stored on a personal device of any type must be appropriately protected at all times. At a minimum, this means that access to the data must require a password or PIN, and that data is properly encrypted while at rest and in transit.
Confidential and Sensitive Information that is kept in a printed format must be adequately secured from unauthorized access. At a minimum this means that it is stored in a locked office or file cabinet.
Exceptions to this requirement must be approved by the Vice President of Information Technology or Chief Information Security Officer.
E. Disposal of Confidential and Sensitive Information
Confidential and Sensitive Information must be disposed of through secure means such as shredding and thoroughly erasing or destroying hard drives. Employees should be aware that some items such as copiers, faxes and scanners may store protected information which must be erased or destroyed prior to disposal. The Information Technology Security Office is available to assist with appropriate disposal.
F. Traveling with Confidential or Sensitive Information
Employees should exercise caution when traveling with confidential or sensitive data, and only travel with such information when it is necessary to do so. Further, employees should be advised that when traveling to foreign countries certain export control restrictions may apply to certain encryption software (if the software is modified or not commercially available).
The Office of Sponsored Programs and Research Compliance is available to assist you with questions related to export controls.
G. Lost or Misplaced Confidential or Sensitive Information
Anyone who becomes aware that a computer, laptop, mobile device or other equipment containing Confidential or Sensitive information has been lost, stolen, or misplaced must immediately contact the Information Technology Security Office or the Rice University Police Department and report the matter. The Information Technology Security Office will take steps to prevent access, to recover and protect the data, and to assess the extent that data may have been improperly accessed.
Policy 832. Appropriate Use of Information Technology
Responsible Official: VP Information Technology
Other Key Offices: Office of General Counsel; Sponsored Programs and Research Compliance
David W. Leebron, President
October 31, 2017
February 17, 2011