Information Resources Use and Security Policy
11. Management of Sensitive Digital Data
11.1. The Minimum Security Standards for Systems describe and require appropriate steps to protect Category-I Digital Data (for example, social security numbers, protected health information, sensitive research data, digital data associated with an individual and/or digital data protected by law) stored on the university's computing devices.
11.2. The university shall control and monitor access to its Category-I Digital Data based on Data sensitivity and risk (as determined in accordance with Section 9 of this Policy) and by the use of appropriate physical and technical safeguards.
11.2.1. The university shall limit access to records containing Category-I Digital Data to those employees who need access to the Data for the performance of the employee's job responsibilities.
11.2.1.1. Employees may not request disclosure of Category-I Digital Data if it is not necessary and relevant to the purposes of the university and the particular function for which the employee is responsible.
11.2.2. The university shall monitor access to records containing Category-I Digital Data by the use of appropriate measures as it reasonably determines.
11.2.3. Employees may not disclose Category-I Digital Data to unauthorized persons of entities except:
11.2.3.1. As required or permitted by law;
11.2.3.2. With the consent of the individual;
11.2.3.3. Where the unauthorized person is the agent or contractor for the university and the safeguards described in Section 11.2.4 are in place to prevent unauthorized distribution; or
11.2.3.4. As approved by the Office of Legal Affairs or by UT System Office of General Counsel.
11.2.4. If the university intends to provide Category-I Digital Data to a third party acting as an agent of or otherwise on its behalf (such as an application service provider) and if it determines that its provision of Category-I Digital Data to a third party will result in a significant risk to the confidentiality and/or integrity of such Data, a written agreement with the third party is required. The agreement must specify terms and conditions that protect the confidentiality and/or integrity of the Category-I Digital Data as required by this Policy. The written agreement must require the third party to use appropriate administrative, physical, and technical safeguards to protect the confidentiality and/or integrity of all Category-I Digital Data obtained and that the university, as applicable, shall monitor compliance with the provisions of the written agreement.
11.2.4.1. The appropriate university official (for example, the Purchasing Office, Office of Sponsored Projects, or Office of Legal Affairs) must review such written agreements prior to approval.
11.3. The university shall implement security safeguards to protect its Category-I Digital Data. Such safeguards shall be appropriate to the confidentiality and/or integrity needs of the Digital Data to be protected based on the risk, and in the case of Research Data, the research project requirements for that Category-I Digital Data.
11.3.1. Category-I Digital Data shall be secured in accordance with the university's data protection standards and with this Policy.
11.3.2. The university shall protect the security of records containing Category-I Digital Data during storage using physical and technical safeguards (such safeguards may include encrypting electronic records, including backups, and locking physical files.)
11.3.3. Unless otherwise required by federal or state law or regulation, Category-I Digital Data must not be stored on university or non-university owned computers or other electronic devices (for example, laptop, hand-held device, Flash drive, or other portable computing devices) unless:
11.3.3.1. It is secured against unauthorized access in accordance with this Policy;
11.3.3.2. It will not compromise business or Research efforts or privacy interests if lost or destroyed; and
11.3.3.3. The university has specific procedures in place that address this subsection.
11.4. The university shall discard electronic media (for example, disks, tapes, hard drives, etc.) containing Category-I Digital Data as follows:
11.4.1. In a verifiable manner that adequately protects the confidentiality of the Category-I Digital Data and renders it unrecoverable, such as modifying the electronic media to make it unreadable or indecipherable or otherwise physically destroying the electronic media; and
11.5. The university shall, based on risk, implement all appropriate technical safeguards necessary to adequately protect the security of Category-I Digital Data during electronic communications or transmissions.
