Institutional Data Policy FAQ
Below are commonly asked questions about the Institutional Data Policy.
- Who does the Institutional Data policy apply to?
- What other policies should I know about?
- My department is covered by the HIPAA policy and laws. How do these new University policies affect my department?
- What could happen if an individual in my department violates the Institutional Data policy?
- How are historical records that contain restricted data affected by the Institutional Data policy?
Further Questions?
If you have a question that is not listed above, please contact us.
Who does the Institutional Data policy apply to?
This policy applies to all university community members, whether students, faculty, staff, or agents, who have access to university institutional data. It also applies to all university units and their agents and contractors. In addition, to the extent possible, it applies to any person or organization, whether affiliated with the university or not, in possession of university institutional data.
What other policies should I know about?
The Disclosure or Exposure of Personal Information policy primarily focuses on compliance with Ohio Revised Code Section 1347 (formerly House Bill 104). This section of the Ohio Revised Code requires notification to affected individuals if certain pieces of personal information pertaining to those individuals are exposed to unauthorized recipients.
As a result, the Disclosure or Exposure of Personal Information policy mainly requires protection of personal information because application of appropriate protection technology (such as encryption) can exempt the University from the notification requirement during a security breach. This policy uses the ORC Section 1347 definition of personal information: an individual’s name in combination with the individual’s Social Security Number; driver’s license number or state identification card number; or account number or credit or debit card number with security codes or passwords.
My department is covered by the HIPAA policy and laws. How do these new University policies affect my department?
Ohio Senate Bill 126 went into effect on March 30, 2007. This legislation exempts persons, entities, state agencies and agencies of political subdivisions that are “covered entities” under the federal Health Insurance Portability and Accountability Act (HIPAA) from the disclosure requirement related to unauthorized access to personal information as required by Ohio Revised Code Section 1347.
However, the Institutional Data policy does apply to departments covered under HIPAA. These departments should understand the requirements under the Institutional Data policy, especially those regarding the use of restricted data.
What could happen if an individual in my department violates the Institutional Data policy?
Individual university community members who violate this policy may be denied access to institutional data resources and may be subject to other penalties and disciplinary action, both within and outside of the university. Alleged violations will normally be handled through the university disciplinary procedures applicable to the alleged violator. Violations of this policy by university units will be reported to unit management with recommendations for corrective measures. Uncorrected or repeated violations and recommendations for corrective action will be reported to the unit’s higher management and may result in temporary or permanent denial of access to defined segments of institutional data.
How are historical records that contain restricted data affected by the Institutional Data policy?
Historical records (both paper and electronic) containing restricted data must be secured. Where feasible, it is ideal to redact the restricted data.
Further Questions?
If your question is not listed in the above FAQ, please use the form below to contact the Office of the CIO IT Policy & Services. We will respond to your inquiry as soon as possible.