REVISED: NOVEMBER 2020 (BY CSIS GOVERNANCE)
This policy supersedes the previous versions entitled “Data Protection Requirements”
Purpose and Overview
The data lifecycle is the progression of stages in which a piece of information may exist between its original creation and final destruction. Boston University defines these phases as: Collecting, Storing, Accessing and Sharing, Transmitting, and Destroying.
This policy defines or references the requirements for protecting data at each stage of the lifecycle.
The data handling protections outlined in this document apply to all Sensitive Information, both physical and electronic, throughout all of Boston University.
Sensitive Information is University Data that is classified as Internal, Confidential, or Restricted Use. See the Data Classification Policy for definitions and examples of each of these classifications.
Public (non-Sensitive) Information does not require any level of protection from disclosure, but appropriate precautions should be taken to protect original (source) documents from unauthorized modification.
IS&T is responsible for providing consulting and training concerning security, maintaining the security of the network and centrally provided services, and providing guidance about the approved data classifications for each service offered.
Schools, Colleges, Units, and Departments
The head of each of the university’s schools, colleges, units, and departments (“Data Executive”) is accountable for working with their designated Data Security Administrator(s) to ensure that their data is managed in compliance with this policy. Units are encouraged to take advantage of enterprise services available to support the requirements of this policy.
All BU faculty and staff are expected to be familiar with and follow the Data Protection Standards so that they understand how to handle Sensitive Information properly.
If you have questions, ask your supervisor, Departmental Security Administrator, or Information Security.
Data Lifecycle Phases and Requirements
Collecting
Collection of data should be minimized to the amount necessary to support the teaching, research, or administrative function the collection supports. As the sensitivity of the data element increases, the need to collect the element requires more scrutiny. The collection of Restricted Use data must be avoided whenever possible, and attention must be paid to the significant security and privacy protection requirements. Contact Information Security before engaging in any new collection of Restricted Use data.
Storing
- Store information in repositories that cannot be accessed by unauthorized individuals.
- Physical media should be stored in locked drawers and cabinets when not in use.
- Encryption of digital information is encouraged.
- Limit the number of copies of data to the minimum possible and do not retain them longer than needed.
- Restricted Use data has specific requirements:
  - Data must be encrypted, with the decryption key stored separately.
  - An inventory of all physical media containing Restricted Use information, including the current location of the media, must be maintained by the department.
Accessing and Sharing
Apply the Principle of Least Privilege to all data: grant access and share data only as needed for an individual or system to perform a required function. Increase scrutiny of these controls as the sensitivity of the data increases. Doing so helps reduce the risk that a compromised account exposes data sets the individual did not require. Ensure processes are in place to immediately remove access upon a change in affiliation of any individual.
- Access to some Confidential data and all Restricted Use data requires approval of a Data Trustee in accordance with the Data Access Management Policy.
- Non-disclosure and other types of agreements (e.g., business associate agreements) may be necessary for certain types of Restricted Use data.
- Information may be shared with the subject of the record or with another party with the subject’s approval, as appropriate.
- If you are uncertain whether access should be granted or information should be shared, escalate the request to an appropriate supervisor or Data Trustee.
Transmission of Physical Media
- Avoid printing Restricted Use data unless absolutely necessary.
- Use care when printing to ensure the paper copies are not left unattended on printers.
- Requirements for the creation of digital media are described in the Storing section of this document.
- Ensure mailings are addressed carefully and sent in sealed envelopes.
Electronic Transmission (Email, Fax, websites, cloud storage, etc.):
- Encryption should be used during transmission whenever possible.
- Restricted Use data must be encrypted during transmission.
- Use the secure e-mail service available from IS&T to e-mail Restricted Use data.
- Avoid faxing Restricted Use data unless necessary.
- Use care to ensure the paper copies are not left unattended when using fax machines.
Compensating controls must be formally documented and an exception approved by Information Security.
Destroying
Destroy paper media using a cross-cut shredder or similar appropriate technology and then recycle or discard it.
Printers, computers, and mobile devices may contain hard drives that must be properly erased prior to leaving BU control (returned to the vendor, sent to surplus, donated, disposed of, etc.). Dispose of drives using IS&T’s Media Destruction service.
- Review the university’s Record Retention Policy and the information in this destruction section before disposing of records.
- Do not destroy records that are the subject of a litigation hold.
- Destruction of Paper Records and Non-Erasable Media (CD-ROMs, DVDs)
- Destruction of Individual Files on Reusable Media
- Securely Erasing Entire Reusable Storage Devices
- Physically Destroying Reusable Storage Devices
Information Security is authorized to grant exceptions to the requirements set forth in this document. Any exception granted will require a thorough review of the situation and the implementation of appropriate compensating controls.
Failure to comply with the Data Protection Standards may result in harm to individuals, organizations or Boston University. The unauthorized or unacceptable use of University Data, including the failure to comply with these standards, constitutes a violation of University policy and may subject the User to revocation of the privilege to use University Data or Information Technology or disciplinary action, up to and including termination of employment.
Additional Resources Regarding This Policy
Related BU Policies, Procedures, and Guidelines
- Data Protection Standards
- Data Classification Policy
- Data Access Management Policy (This policy supersedes the previous versions entitled "Data Management Guide")
- Identity and Access Management
- Data Lifecycle Management Policy [current webpage]
- Minimum Security Standards
- Cybersecurity Training, Compliance, and Remediation Policy (This policy supersedes the previous versions entitled "Education, Compliance, and Remediation")
- Additional Guidance on Data Protection Standards
- 1.2.D.1 – Destruction of Paper Records and Non-Erasable Media (CD-ROMs, DVDs) (Data Protection Standards Guidance)
- 1.2.D.2 – Destruction of Individual Files on Reusable Media (Data Protection Standards Guidance)
- 1.2.D.3 – Securely Erasing Entire Reusable Storage Devices (Data Protection Standards Guidance)
- 1.2.D.4 – Physically Destroying Reusable Storage Devices (Data Protection Standards Guidance)