Restricted Data FAQ

Below are commonly asked questions regarding restricted data. Additional questions on data classification are available in the Data Classification and Access Control FAQ.

  1. What data elements have been identified as Restricted Data?
  2. What constitutes appropriate use of Restricted Data?
  3. What requirements are there on Restricted Data?
  4. Who is responsible for classifying a data element as Restricted Data?
  5. Who are the Data Stewards?
  6. When will it be necessary to classify and inventory data?
  7. Faculty and staff in my department primarily have access to Social Security Number information via reports generated from the student system. What actions are being taken to protect the Social Security Number information on these reports?
  8. We currently incorporate a portion of the Social Security Number (or other restricted data element) in new user passwords as a default. What other options are available?
  9. Can you provide examples of what other areas have done to protect restricted data?
  10. How are historical records that contain restricted data affected by the Institutional Data policy?
  11. What other requirements should be considered?
  12. Is it appropriate to include Restricted Data while responding to an Ohio Public Records Request?
  13. Who can I contact for additional information on responding to Public Records Requests?

Further Questions?

If you have additional questions, please use the email form at the bottom of this page to contact us.


What data elements have been identified as Restricted Data?

Restricted data includes:
  • Social Security Numbers and other personally identifiable information such as driver’s license, state identification card, etc.
  • Bank account information
  • Credit card information
  • Student record information that is linked to an individual student by name such as grades/transcripts, class enrollment information, student financial aid, grants and loans, etc.
  • Patient health information
Over time, there will be additions to this list as the data stewards begin the data classification process. Refer to the (link to Restricted Data site).

What constitutes appropriate use of Restricted Data?

Restricted Data may only be used for legitimate business purposes. Typically this would involve fulfilling mandatory external reporting requirements, especially to the federal or state governments. Other uses may be considered legitimate as well.
Specific questions should be submitted using the email form at the bottom of this page.

What requirements are there on Restricted Data?

Requirements include:
  • Restricted Data must be encrypted if stored or used on portable devices, if removed from a secure university location, or if electronically transmitted.
  • Restricted Data must never be stored on a personally-owned computer or storage device.
  • Restricted Data must not be stored or used by an external service provider or agent without a contractual agreement to provide appropriate protection to the same standards as applied at the university.

Who is responsible for classifying a data element as Restricted Data?

Data stewards are responsible for determining the appropriate classification for a data element. Once a data element is classified, the corresponding protection must be consistently applied to that element.

Who are the Data Stewards?

Refer to the Institutional Data Procedure: Roles and Responsibilities. Over time, there will be additions to this list.

When will it be necessary to classify and inventory data?

The initial focus will be to identify the data elements that will be classified as restricted data. Once that determination is made, the inventory of the restricted data use can begin. The restricted data classification process is being piloted with several areas during Autumn Quarter, 2007. It is anticipated that the data classification and inventory process will be extended to other areas during Winter Quarter, 2008.

Faculty and staff in my department primarily have access to Social Security Number information via reports generated from the student system. What actions are being taken to protect the Social Security Number information on these reports?

The Social Security Number was removed from most of the student reports prior to September 1, 2007. However, faculty and staff will continue to have access to Social Security Numbers on reports generated prior to this date. Following the University’s record retention schedule, these reports should be shredded when no longer needed.

We currently incorporate a portion of the Social Security Number (or other restricted data element) in new user passwords as a default. What other options are available?

There are software packages such as Password Manager (just one of many available) that provide a template that randomly generates a password. The template, of course, would not require the user’s Social Security Number. Other defaults could include a combination of department name and building, street address, user’s campus phone number, room number, start date, employee ID number, etc.
Other password management considerations:
  • The longer the password, the more secure it is. Most areas are encouraging at least ten characters with a combination of alphabetic (both lower and upper case), numeric and special characters.
  • New users should always be forced to change the default password at the first login
  • Users should be forced to periodically change passwords, preferably every 90 to 120 calendar days

Can you provide examples of what other areas have done to protect restricted data?

Some departments have already implemented remediation strategies. Examples include:
  • Utilized shredding for document destruction. This has included installing an office shredder or contracting with a shredding service.
  • Modified forms to eliminate the restricted data field or moved the restricted data field to the bottom so it can be torn off and destroyed
  • Requested that third party vendors/agencies implement protection of restricted data that is being used/provided on behalf of the University
  • Obtained restricted data directly from employees or students so the University can stop sending it through files and spreadsheets
  • Installed a central secure server where customers can access data and files
  • Implemented encryption software on desktops, laptops and other portable devices to protect the data should the equipment be stolen or lost

How are historical records that contain restricted data affected by the Institutional Data policy?

Historical records (both paper and electronic) containing restricted data must be secured. Where feasible, it is ideal to redact the restricted data.

What other requirements should be considered?

  • Anyone with access to Restricted or Limited Access Institutional Data shall have unique and individual user credentials such as a user id and password.
  • Access shall be deactivated after a period of inactivity not to exceed twelve months.
  • Terminated employees shall lose access as of their termination date.
  • The data access request process shall be formalized and auditable. The request process must include appropriate approvals, a description of the specific data requested, the level of access requested (read, write), and the purpose for accessing the data. Data access requests should be maintained in order to support the need to audit data access permissions throughout the complete data access lifecycle (creation through termination).
  • Once data access is approved for a data user or data custodian, data stewards are responsible for providing access to the Institutional Data Policy and the following information specific to the data being requested: 1) data documentation and usage guidelines, 2) the data classification policy including information on associated state and federal regulations, and 3) required minimum safeguards for protected data.
  • A robust authentication process in compliance with university computer security standards and consistent with the level of risk associated with unauthorized access is required for access to all Limited Access and Restricted Data.
  • Maintain and monitor user access and login information.
  • Data access processes, procedures and authorizations must be reviewed on an annual basis by each data steward to ensure that access remains appropriate.
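
One way an annual access review could check the unique-credential, twelve-month inactivity and termination requirements listed above. This is an added example, not the university's own tooling; the record layout, the 365-day reading of "twelve months" and the sample accounts are constructed for illustration.

```python
from datetime import date

MAX_INACTIVE_DAYS = 365  # assumption: "twelve months" taken as 365 days

# Constructed sample inventory; the field layout is hypothetical.
# (user_id, owner, last_login, terminated_on, enabled)
ACCOUNTS = [
    ("asmith", "A. Smith", date(2008, 1, 10), None, True),
    ("bjones", "B. Jones", date(2006, 11, 2), None, True),
    ("clee", "C. Lee", date(2008, 2, 20), date(2008, 2, 15), True),
    ("frontdesk", "D. Park", date(2008, 2, 28), None, True),
    ("frontdesk", "E. Cruz", date(2008, 2, 27), None, True),
    ("fwong", "F. Wong", None, date(2007, 6, 30), False),
]

def review_access(accounts, today):
    """Return (user_id, owner, finding) for each enabled account that breaks a rule."""
    # Map each enabled user id to the set of people using it.
    owners = {}
    for user_id, owner, _, _, enabled in accounts:
        if enabled:
            owners.setdefault(user_id, set()).add(owner)
    findings = []
    for user_id, owner, last_login, terminated_on, enabled in accounts:
        if not enabled:
            continue  # already deactivated, nothing left to revoke
        if len(owners[user_id]) > 1:
            # Credentials must be unique and individual.
            findings.append((user_id, owner, "shared credential"))
        if terminated_on is not None and terminated_on <= today:
            # Access must end as of the termination date.
            findings.append((user_id, owner, "terminated but still enabled"))
        if last_login is None:
            findings.append((user_id, owner, "never logged in"))
        elif (today - last_login).days > MAX_INACTIVE_DAYS:
            findings.append((user_id, owner, "inactive over twelve months"))
    return findings

if __name__ == "__main__":
    for row in review_access(ACCOUNTS, today=date(2008, 3, 1)):
        print(*row, sep=" | ")
```

Keeping each run's findings alongside the approved access requests gives the data steward a record to audit against.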

Is it appropriate to include Restricted Data while responding to an Ohio Public Records Request?

The university’s institutional data is a component of the public information held, maintained and used in trust by the State of Ohio for its citizens. While the university’s institutional data is generally available to the public under Ohio’s Public Records Laws, Restricted Data is often protected by federal or state law or otherwise exempt from disclosure under Ohio law. As a result, public records requests for institutional data, especially Restricted Data, must be handled with care.

Who can I contact for additional information on responding to Public Records Requests?

First, work with your department to identify the designated individual who is responsible for handling these requests. Individuals in a position likely to receive a public records request are strongly encouraged to seek training and to follow any specific unit policies or procedures.
Contact the appropriate data steward and the Office of Legal Affairs for questions or assistance on a public records request. For requests from media outlets, also contact the Office of University Relations.

Further Questions?

If your question is not listed in the above FAQ, please use the form below to contact us. We will respond to your inquiry as soon as possible.
