Data/Information Protection and Confidentiality.
The School of Public Health (SPH) maintains information in school databases that is sensitive and valuable, and is often protected by federal and state laws which prohibit unauthorized use or disclosure. Employees with access to sensitive University and SPH data/information must comply with federal and state laws, in addition to BU and SPH policies that govern such data/information. Hence, the ensuing information applies to each employee performing a service on behalf of BUSPH. The following information serves as a reminder to each of us of our obligations and responsibilities in the use of any BUSPH data and information.
Information falling under the obligation to protect and keep confidential includes, but is not limited to:
- Personally identifiable information (PII) about faculty, staff, students, parents, alumni or donors (e.g., social security numbers, dates and places of birth, mother’s maiden names, credit card numbers, bank account numbers, income tax records, drivers’ license numbers, etc.).
- Student education records as governed by the Family Educational Rights and Privacy Act (FERPA) and student and staff medical records as governed by the Health Insurance Portability and Accountability Act (HIPAA).
- University business information (e.g., financial reports, human resource records, internal reports and memos, contracts, strategic reports, surveys, etc.).
- Information about or provided by third parties (e.g., information covered by non-disclosure agreements, contracts, business plans, non-public financial data, computer programs, etc.).
Multiple University and SPH policies pertain to the appropriate management of institutional information and technology. All employees, as custodians of such information, must fully comply with these policies. A list of University and IS&T policies is available at bu.edu/tech/about/policies/.
Among other things, data/information protection and confidentiality require that:
- Employees may only access information needed to perform work-related duties. Unless expressly authorized in writing by one’s supervisor, an employee may not look up, review, analyze, disclose or disseminate restricted or confidential institutional information outside the scope of their University and School service, even if they have access to such information. Further, all employees are prohibited from making unauthorized changes to institutional data/information.
- Employees must protect the confidentiality, integrity and availability of University and SPH data/information against any unauthorized disclosure or dissemination. Employees may not share University or SPH information, or access to it, with any unauthorized individual, whether internal or external to SPH and Boston University at large. Employees may not ask for personally identifiable information (PII) except where there is a legitimate business need.
- Employees must safeguard any physical key, ID card or computer, network account, username and password that enables access to University and SPH information. Employees may not facilitate anyone’s illegal or unauthorized access to BUSPH’s administrative, financial or any other type of systems, or compromise the integrity of the systems’ information by sharing passwords or other access information or devices.
All employees are bound by the aforementioned guidelines and must take all reasonable, necessary, and appropriate steps to safeguard private data from disclosure or dissemination to anyone except as permitted by policy. Violation of such policies may subject an employee to possible disciplinary action up to and including termination of employment with Boston University.