Institutional Data Policy FAQ
Below are commonly asked questions about the Institutional Data Policy.
- Who does the Institutional Data policy apply to?
- What other policies should I know about?
- My department is covered by the HIPAA policy and laws. How do these new University policies affect my department?
- What could happen if an individual in my department violates the Institutional Data policy?
- How are historical records that contain restricted data affected by the Institutional Data policy?
- I know that it is inappropriate to communicate restricted data (grades, enrollment information, etc.) generated from or sent to external email systems. Does this include Buckeye Mail?
Further Questions?
If you have a question that is not listed above, please contact us.
Who does the Institutional Data policy apply to?
This policy applies to all university community members, whether students, faculty, staff, or agents, who have access to university institutional data. It also applies to all university units and their agents and contractors. In addition, to the extent possible, it applies to any person or organization, whether affiliated with the university or not, in possession of university institutional data.
What other policies should I know about?
The Disclosure or Exposure of Personal Information policy primarily focuses on compliance with Ohio Revised Code Section 1347 (formerly House Bill 104). This section of the Ohio Revised Code requires notification to affected individuals if certain pieces of personal information pertaining to those individuals are exposed to unauthorized recipients.
As a result, the Disclosure or Exposure of Personal Information policy mainly requires protection of personal information because application of appropriate protection technology (such as encryption) can exempt the University from the notification requirement during a security breach. This policy uses the ORC Section 1347 definition of personal information: an individual’s name in combination with the individual’s Social Security Number; driver’s license number or state identification card number; or account number or credit or debit card number with security codes or passwords.
My department is covered by the HIPAA policy and laws. How do these new University policies affect my department?
Ohio Senate Bill 126 went into effect on March 30, 2007. This legislation exempts persons, entities, state agencies and agencies of political subdivisions that are “covered entities” under the federal Health Insurance Portability and Accountability Act (HIPAA) from the disclosure requirement related to unauthorized access to personal information as required by Ohio Revised Code Section 1347.
However, the Institutional Data policy does apply to departments covered under HIPAA. These departments should understand the requirements under the Institutional Data policy, especially those regarding the use of restricted data.
What could happen if an individual in my department violates the Institutional Data policy?
Individual university community members who violate this policy may be denied access to institutional data resources and may be subject to other penalties and disciplinary action, both within and outside of the university. Alleged violations will normally be handled through the university disciplinary procedures applicable to the alleged violator. Violations of this policy by university units will be reported to unit management with recommendations for corrective measures. Uncorrected or repeated violations and recommendations for corrective action will be reported to the unit’s higher management and may result in temporary or permanent denial of access to defined segments of institutional data.
How are historical records that contain restricted data affected by the Institutional Data policy?
Historical records (both paper and electronic) containing restricted data must be secured. Where feasible, it is ideal to redact the restricted data.
I know that it is inappropriate to communicate restricted data (grades, enrollment information, etc.) generated from or sent to external email systems. Does this include Buckeye Mail?
The Buckeye Mail e-mail system is considered one component of the OSU e-mail system, and while it is hosted by Microsoft, the university continues to maintain control over the access, data and information contained in the system. Therefore, instructors and other University administrators may correspond with students through either the Buckeye Mail or OSU central e-mail systems and still be compliant with FERPA and other university policies.
Note that it has been and continues to be inappropriate to communicate restricted data (grades, enrollment information, etc.) generated from or sent to external email systems such as Yahoo, Google Mail, Hotmail, etc.
Further Questions?
If your question is not listed in the above FAQ, please use the form below to contact the Office of the CIO IT Policy & Services. We will respond to your inquiry as soon as possible.
