IU Data Protection & Privacy Tutorial

Slide 1: Overview
As an employee of Indiana University, YOU have a responsibility to protect the data you come in contact with every day. This tutorial is intended to provide you with an understanding of:
- The types of data IU collects and how it is classified
- Your data handling responsibilities
- The basic privacy laws you must comply with as an employee of the university
Data Protection & Privacy, Indiana University

Slide 2: IU Data
Here at IU, we collect and store many types of data in the course of our daily business. Some examples are:
- student information
- employment records
- research information
- personal health information (PHI)
- vendor information
- e-commerce

Slide 3: IU Data
IU's students, parents, employees, alumni, donors, and other constituents expect that the data provided to IU will be protected and handled appropriately. So, how do I protect IU data?

Slide 4: You can protect IU data by...
- #1 – Knowing how IU classifies data
- #2 – Handling data appropriately
- #3 – Adhering to data access principles
- #4 – Knowing privacy laws, regulations and policies
- #5 – Taking responsibility

Slide 5: #1 – Know how IU classifies data
There are four data classifications that define the access, handling, and proper disposal of data:
- Public
- University Internal
- Restricted
- Critical

Slide 6: Public
Data that has few or no restrictions for access, disclosure, and disposal, such as:
- Schedule of classes
- Course catalog
- Employee salary information
- Employee business phone or office assignment

Slide 7: University Internal
Data that may be accessed by employees and designated appointees of the university in the conduct of university business, such as:
- University ID
- Basic building floor plans
- Tenure recommendations

Slide 8: Restricted
Data that requires specific authorization to access or disclose. Secure disposal is required. Examples include:
- Student class schedule, advising notes, and grades
- Full date of birth, ethnicity, citizenship
- Employee address and home phone

Slide 9: Critical
Data that requires authorization to access and the highest level of protection! Inappropriate handling of this data can result in personal criminal or civil penalties. Secure disposal is required! This would include things like:
- Social Security number
- Driver's license number
- Banking and credit card account numbers
- Personal health information (PHI)

Slide 10: #2 – Handle Data Appropriately
In addition to understanding IU data classification, it is important for you to know how to:
- Access data appropriately
- Share IU data securely
- Store IU data securely
- Transmit IU data securely
- Dispose of IU data securely

Slide 11: Protect your IU Passphrase!
- Never share it with anyone
- Never use it for other applications and services not approved by the university
- Always say "NO" if prompted to save it in memory
- Do change it at least every 2 years
- If you suspect your passphrase has been compromised, do change it as soon as possible and report it to

Slide 12: Protect your Accounts!
- Set your screen to auto-lock on all systems and devices
- Use passcodes on all mobile devices (smartphones, tablets, etc.)
- Encrypt mobile devices that store institutional data and/or critical mission systems
- Get technical assistance from the Knowledgebase or your Local Service Provider (LSP)

Slide 13: Share Information Securely
You may need to transfer or share information externally as part of your job. Three secure methods for sharing restricted data include:
1. Slashtmp.iu.edu for all classifications of data, including critical data
2. Box Entrusted Data Account for restricted data
3. Box Health Data Account for protected health information (PHI) and some restricted data

Slide 14: Use Email Appropriately
Do NOT send restricted and critical data via email unless your role requires it AND the email will:
a. stay within IU (does not include Imail/Umail), OR
b. be encrypted by the Cisco Registered Envelope Service (CRES)
Never ask an external party to transfer critical information to you via email (e.g., social security card, driver's license, visa, tax returns, banking information, etc.).

Slide 15: Encrypt Email
When you need to encrypt an email message using CRES (Cisco Registered Envelope Service), include the words "Secure Message" OR "Confidential" in the Subject line of the message.

Slide 16: Don't Fall for Phishing Scams
IU will never request your passphrase, SSN or confidential information via email. Be suspicious of email that asks you to enter or verify personal information through a website or by replying to the message itself. Not sure? Here are some tips to keep you from getting hooked:
- Are you expecting an email of this nature (e.g., password reset, account expiration, wire transfer, travel confirmation, etc.)?
- Does the email ask for personal info (password, credit cards, SSN, etc.)?
- When hovering over links, does the hover-text link match the displayed link text? Do the actual links look like sites you do business with?
- Click "Reply." Does the address in the "To" field match the sender?
- If from an IU account, does the header include "external-relay.iu.edu"? If so, it's likely not coming from a legitimate IU sender.
Still not sure? Want to report an attack? Send the message along with full headers to
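The tips on this slide can be applied mechanically when triaging a reported message. The Python below is an added example, not IU's own tooling: it parses a raw message with the standard library and reports which tips fire (the Reply-To domain differing from the From domain, an "external-relay.iu.edu" hop on mail that claims an iu.edu sender, link text that shows one host while the href points at another, and wording that asks for a passphrase or other personal information). Both sample messages, the hostnames and the 192.0.2.x addresses in them are constructed for the example.

```python
# Added example: mechanised version of the phishing tips on the slide above.
# Not IU's tooling; the two sample messages below are constructed.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

IU_DOMAIN = "iu.edu"
EXTERNAL_RELAY = "external-relay.iu.edu"  # relay hostname named on the slide
PERSONAL_INFO_WORDS = ("password", "passphrase", "social security", "ssn", "credit card")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_iu(host):
    return host == IU_DOMAIN or host.endswith("." + IU_DOMAIN)


def triage(raw_message):
    """Return human-readable findings; an empty list means no tip fired."""
    msg = message_from_string(raw_message)
    findings = []

    # Tip: click Reply, does the To field match the sender? Compare the domains.
    from_domain = _domain(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    reply_domain = _domain(reply_to) if reply_to else from_domain
    if reply_domain != from_domain:
        findings.append(f"reply-to mismatch: From is @{from_domain} but replies go to @{reply_domain}")

    # Tip: an IU sender whose Received chain passed through external-relay.iu.edu.
    received = " ".join(msg.get_all("Received", []))
    if _is_iu(from_domain) and EXTERNAL_RELAY in received:
        findings.append(f"claims an IU sender but was relayed through {EXTERNAL_RELAY}")

    # Single-part body (the constructed samples are not multipart).
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")

    # Tip: does the hover-text (href) match the link text shown to the reader?
    if msg.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            if text.lower().startswith(("http://", "https://", "www.")):
                shown = _host(text if "://" in text else "http://" + text)
                if shown and shown != _host(href):
                    findings.append(f"link text shows {shown} but points at {_host(href)}")

    # Tip: does the email ask for personal info?
    lowered = body.lower()
    asked = [w for w in PERSONAL_INFO_WORDS if w in lowered]
    if asked:
        findings.append("asks for personal info: " + ", ".join(asked))

    return findings


# Constructed sample: a lure that trips every heuristic above.
PHISH_SAMPLE = """Received: from mail.example-phish.test (mail.example-phish.test [192.0.2.10])
 by external-relay.iu.edu with ESMTP id abc123; Mon, 1 Jan 2024 09:00:00 -0500
From: "IU IT Help Desk" <helpdesk@iu.edu>
Reply-To: <verify@example-phish.test>
To: <employee@iu.edu>
Subject: Action required: your passphrase expires today
Content-Type: text/html

<html><body><p>Your passphrase expires today. Re-enter it at
<a href="http://login.example-phish.test/iu">https://access.iu.edu/login</a>
to keep your account active.</p></body></html>
"""

# Constructed sample: an ordinary internal notice that trips nothing.
CLEAN_SAMPLE = """Received: from mail-relay.iu.edu (mail-relay.iu.edu [192.0.2.20])
 by mailbox.iu.edu with ESMTP id def456; Mon, 1 Jan 2024 10:00:00 -0500
From: "Local Service Provider" <lsp@iu.edu>
To: <employee@iu.edu>
Subject: Your support ticket has been updated
Content-Type: text/plain

The technician has left a note on your ticket. No action is needed.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, triage(sample))
```

A message that trips none of these checks is not thereby safe; the checks encode only the slide's tips, so the result is a prompt for the human judgement the slide asks for, not a verdict.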

Slide 17: Never Store Sensitive Data...
- In email
- Longer than required
- On a webserver used to host a web site open to the public
- On your mobile devices (laptop, USB flash drive, tablet, smartphone) unless the information is properly encrypted and you have written approval from the senior executive of your unit

Slide 18: Storage Options at IU
- Intelligent Infrastructure – all data classifications
- Slashtmp – all data classifications
- Entrusted Box – restricted data or less (no critical data)
- Health Data Box – ePHI critical data and some restricted or less
- SharePoint – restricted data or less (no critical data)
- Canvas – restricted data or less (no critical data)
- OnBase – all data classifications
- Secure IU file server – to be assessed by department
Ask questions if you are unsure of where to store sensitive information!

Slide 19: Working Securely from off Campus
Virtual Private Network (VPN) connection
Many IU resources require a Virtual Private Network (VPN) connection if you're accessing services from off campus. IU offers both SSL and IPsec VPN connections. If you're unable to access a standard resource or tool you use on campus, connect to the VPN and try again. For more info see Basics of VPN in the KB article:
Safety tip: Do not access sensitive data when using a public network without encryption.

Slide 20: Proper Disposal
- Cross-shred paper containing critical and restricted data when it is no longer required for business
- Shred failed devices and media containing sensitive data, including laptops/phones
- Check with your campus on what shredding services are available locally (such as IU Surplus Stores)

Slide 21: #3 – Adhere to Data Access Principles
- Access data only to conduct university business
- Do not access data for personal profit or curiosity
- Limit access to the minimum amount of information needed to complete your task
- Respect the confidentiality and privacy of individuals whose records you access
- Do not share IU data with third parties unless it is part of your job responsibilities and has been approved by the appropriate data stewards
- Ask questions when you are unsure about data handling procedures

Slide 22: #4 – Know Privacy Laws, Regs, Policies
Every IU employee should also be aware of the following federal privacy regulations:
- The Family Educational Rights and Privacy Act (FERPA) generally prohibits the disclosure of student education records without the prior written consent of the student.
- The Health Insurance Portability and Accountability Act (HIPAA) imposes numerous, strict privacy and security requirements on protected health information.

Slide 23: FERPA
Student educational records are protected by FERPA and must be restricted to school officials that have a legitimate educational interest in the information. IU's Release of Student Information Policy details the procedures that IU follows to provide appropriate access to student records in compliance with FERPA. For more information, see USSS Student Data Management - FERPA Information, or contact the Student data steward at

Slide 24: HIPAA
The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a "covered entity," regardless of medium. The Privacy Rule calls this information "protected health information (PHI)."

Slide 25: HIPAA
The vast majority of IU units should maintain no personal health information (PHI) whatsoever. If you are in a unit other than the HIPAA Affected Areas (e.g., Student Health Centers, Schools of Medicine, Dentistry, Nursing, and Optometry), and you encounter records that constitute PHI, you should contact the University HIPAA Privacy and Security Compliance Office for guidance.

Slide 26: Indiana Law
Indiana data protection laws also help safeguard data! Indiana law:
- Makes it a crime to disclose more than the last four digits of someone's social security number to someone outside of the university (unless specific exceptions apply)
- Requires IU to notify anyone whose personal information is acquired by an unauthorized person
- Provides guidance on the proper disposal of sensitive information

Slide 27: Reporting an Incident
All individuals are required to immediately report the following:
- Suspected or actual security breaches of information
- Abnormal, systematic, unsuccessful attempts to compromise information
- Suspected or actual weaknesses in the safeguards protecting information
You should notify UISO by phone (call until you get to a human) AND you should by phone

Slide 28: Data Protection is a Priority
Thanks for taking a moment to review your data responsibilities, and please make it a priority to protect the IU data you manage in your daily work! Additional resources on data protection and privacy can be found at:

Slide 29: A Final Note
To be entrusted with access to Indiana University data and systems, employees must accept responsibility for, and stay informed of, IU policies and standards of acceptable use, as affirmed in the Acceptable Use Agreement, on a biennial basis. If you have not reviewed the agreement or attested to it in the last 24 months, please take a moment to review it. Also, please note that additional system access may have other training requirements, such as FERPA and HIPAA compliance training. This tutorial does not replace these requirements.