Information to Comply with the Policy on the Handling of BRI

Purpose / University Position
Introduction
Handling Restricted Information
1. Recommended Best Practices
2. Disclosure
3. Computing Requirements
4. Transmission
5. Data Ownership Responsibilities
6. Managing Access to Restricted Information
7. Disposal of Restricted Information
8. Consequences for Unauthorized Access
Related Policies and Documents
Whom to Contact
Other Related Brown Policies and Guidelines

Purpose / University Position

This information is in support of the Policy on the Handling of Brown Restricted Information. While these guidelines are in place to ensure the protection of restricted and regulated information, it is the position of the University to minimize the use of such information, and only those departments, processes, and personnel with approval to utilize restricted information are authorized to do so. The Data, Privacy, Compliance and Record Management (DPCRM) Steering Committee is the sole approving board for the University.

Introduction

Information is one of Brown University's most valuable resources and as such requires responsible management by all members of the Brown community. This document establishes guidelines for the proper protection of these valuable resources and promotes Brown's maintenance of strict confidentiality in compliance with applicable policies as well as state and federal regulations.

These guidelines address the handling of Brown data – whether communicated orally, in hard copy or electronic format; stored on desktop machines or mobile devices; or moved to media such as CD, tape, flash memory, or paper – for all members of the Brown community, including staff, faculty, students, affiliates, volunteers, and vendors.

Particular emphasis is placed on Brown Restricted Information, defined as information that should not be made public and which should only be disclosed under limited circumstances.

Handling Restricted Information

1. Recommended Best Practices

Access to Brown Restricted Information should be limited to those who need the information in order to fulfill professional responsibilities. All members of the Brown community who have been granted such access should exercise care and judgment to ensure adequate protection of Brown Restricted Information by following the practices delineated in the document Brown University Checklist for Protecting Information.

2. Disclosure

Individuals should not disclose any Brown Restricted Information that they obtain as a result of their employment at Brown to unauthorized persons. Full employee obligations are outlined in the "Confidentiality" section of the document Employee Responsibilities and Rights.

3. Computing Requirements

Brown Restricted Information should be protected whether it is being stored (on various media), transmitted (via network or email) or archived. The list of computing requirements is found in section 3.0 in the Policy on Handling Brown Restricted Information.

4. Transmission

Brown Restricted Information should never be transmitted over the network "in the clear." It should always be transmitted using an Information Security Group-approved encryption mechanism. While the University does not currently have an enterprise encryption solution, CIS can supply solutions for secure transmission on a case-by-case basis. These solutions include VPN transmission, secure FTP, and file encryption. Please contact the IT Service Center for assistance and guidance.

As a one-time alternative for transmitting some forms of restricted information via email, attachments of password-protected documents or spreadsheets can be used in certain cases. Approval must be received in advance from the Chief Information Security Officer, who can provide the standards and requirements necessary.

5. Data Ownership Responsibilities

All Brown Restricted Information should have identified Data/Records Owners, who are responsible for implementing the following good managerial controls:

  • Creating and reviewing audit trails of access to restricted data
  • Regularly reviewing who has access to what data
  • Monitoring preventive controls for compliance in their departments
  • Educating end users regarding protection standards and setting expectations
  • Ensuring that there is appropriate training of staff on proper handling of restricted information

Data/Records Owners who authorize access to Brown Restricted Information should ensure that employees sign a Confidentiality Agreement at least once per year, or as the Data/Records Owners deem appropriate. New employees (including students and volunteers) should sign the agreement prior to access. Anyone who has been entrusted with restricted information has a responsibility to the Data/Records Owners for its proper use and protection.

6. Managing Access to Restricted Information

Strict control should be maintained over access to work locations, records, computer information, cash and other items of value. Individuals who are assigned keys, given special access or assigned job responsibilities in connection with the safety, security or confidentiality of such records, materials, equipment, or items of monetary value should use sound judgment and discretion in carrying out their duties and will be held accountable for any wrongdoing or acts of indiscretion. Furthermore, information may not be divulged, copied, released, sold, loaned, reviewed, altered or destroyed except as properly authorized within the scope of applicable federal or state laws.

At the conclusion of their employment or affiliation with Brown, individuals shall relinquish ownership of all University documents and records. They shall also maintain the confidentiality of University information even after they leave Brown. Questions regarding Brown-owned information should be directed to the employee's supervisor, Department Chair, Department's Human Resources Representative, General Counsel, Chief Information Security Officer, or the Human Resources Department.

7. Disposal of Restricted Information

All restricted information should be disposed of in a confidential manner. To dispose of such records, departments and offices must:

  • Take extra measures to wipe clean the hard drive of any machine or device that may contain restricted information before discarding it, sending it to surplus, or transferring it to another individual or department (see the Electronic Equipment Disposition Policy).
  • Shred restricted paper documents that are no longer needed and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protect discarded information and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
  • Use the hard drive crusher, which is available for crushing drives that are no longer needed and contain data covered under the Brown Restricted Information Policy. Contact ISG@brown.edu to arrange an appointment.

8. Consequences for Unauthorized Access

Unauthorized access to any Brown Restricted Information by the Brown community will be cause for disciplinary and possible legal action. Unauthorized access indicating that privacy, copyright, anti-trust, or other laws may have been broken by an individual unaffiliated with Brown may be referred to legal authorities.

Related Policies and Documents

Other applicable policies are found at the following links:

Federal Regulations:

Whom to Contact

For more information about the management of certain restricted records, please contact the University office indicated:

Other Related Brown Policies and Guidelines

Acceptable Use Policy
Checklist for Protecting Information
Confidentiality Agreement Template
Confidential Information and Software Piracy (HR Policy 20.063)
Data Removal Recommendations
Electronic Equipment Disposition Policy
Electronic Mail Policy
Guidelines for Transfer of Records to the Archives
Intellectual Property Policies
Policy on the Handling of Brown Restricted Information
Records Retention Guidelines
Responsible Conduct of Research
Social Security Number – Usage and Protection Requirements
SSN / Data Classification Questionnaire (document in process)
SSN Policy Exception Form

Questions or comments to: ITPolicy@brown.edu

Effective Date: April 2, 2012
Last Reviewed: May 2014
Next Scheduled Review: May 2015