Policy Owner and Source of Approval:
Policy applicable for: HIPAA, FERPA, GLB, PCI, Mass General Law
Purpose & Overview
A Note about Research
- Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students. This includes pictures of students kept for official purposes.
- Personally identifiable information entrusted to our care that is not Restricted Use data, such as information regarding applicants, alumni, donors, potential donors, or parents of current or former students.
- Information covered by the Gramm-Leach-Bliley Act (GLB), which requires protection of certain financial records.
- Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
- Legally privileged information.
- Information that is the subject of a confidentiality agreement.
- Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protection of medical records and patient data.
- Certain types of personal information, including an individual’s name plus the individual’s Social Security Number, driver’s license number, or financial account number, covered under Massachusetts General Laws chapter 93H and Massachusetts regulation 201 CMR 17.
- Financial account numbers covered by the Payment Card Industry Data Security Standard (PCI-DSS), which controls how credit card information is accepted, used, and stored. PCI DSS also protects technical configuration information for systems on which such information is stored, such as IP addresses and routing information.
- Data controlled by U.S. Export Control Law such as the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). ITAR and EAR have additional requirements. See the Export Controls site for details.
- U.S. Government Classified Data (these may be subject to additional controls; contact BU Information Security to discuss).
- Data used to authenticate or authorize individuals to use electronic resources, such as passwords, keys, and other electronic tokens.
- “Criminal Background Data” that might be collected as part of an application form or a background check.
Resolving Conflicts between this Guideline and Other Regulations
The Boston University Data Protection Standards:
- 1.2.A – Data Classification Guide
- 1.2.B – Data Management Guide
- 1.2.C – Access Management and Authentication Requirements
- 1.2.D – Data Protection Requirements
  - 1.2.D.1 – Media Destruction One-Sheets
- 1.2.E – Minimum Security Standards
- 1.2.F – Education, Compliance and Remediation
References & Related Documents:
- HIPAA: BU Health Insurance Portability and Accountability Act Policy – Text of Law
- FERPA: BU Family Educational Rights and Privacy Act Policy – Text of Law
- GLBA: BU Gramm-Leach-Bliley Act Safeguarding Program – Text of Law
- ISO 27001: International Standards Organization for Information Security
- COBIT 4.0: ISACA Audit Controls Objective for IT
- Massachusetts General Law Chapter 93H (the Massachusetts Identity Theft Law) and Massachusetts Regulation 201 CMR 17 (Standards for the Protection of Personal Information of Residents of the Commonwealth)
- BU Information Security Policy
- BU Personal Information Protection Guidelines
- Office of Research Compliance
- Risk Acceptance Policy and Risk Acceptance Form (Contact BU Information Security)
- BU Information Security – Incident Response Team email@example.com (617) 358-1100
- Executive Director & Information Security Officer Quinn Shamblin (617) 358-6310
- VP of Information Services and Technology Tracy Schroeder (617) 353-1155
- Information Security Program Director John Imbergamo (617) 353-2290
- 12/10/2010: Original Draft, BU Information Security (Original)
- 12/16/2010: Approved, BU Information Security Governance Committee (Original)