Protecting UCSF Data: Your Vital Role
- Author: Esther Silver
- Date:
Learn about your role in protecting UCSF data and pass the quiz at the end of the article. You could win one of six $50 Amazon gift cards!
At UCSF, institutional information (data) has become the beating heart of our institution and is vital to everything we do. As the volume and complexity of data grow rapidly and regulatory demands tighten, effective data management has never been more crucial. Everyone at UCSF has a role to play in protecting our data. UCSF 650-16 Addendum A - UCSF Roles and Responsibilities for Securing Institutional Information and IT Resources describes these roles and key responsibilities.
All UCSF employees are considered “workforce members” and must adhere to UC Policy BFB-IS-3: Electronic Information Security, UCSF Policy 650-16: Information Security and Confidentiality, and if health data is involved, Policy 5.01.06 Control of Access to and Release of Information from UCSF Medical Center Information Systems.
Individuals and Units have additional responsibilities based on their roles within the institution. For example, a unit that manages data such as employee information, financial data, or medical records is considered an “Institutional Information Proprietor” and must assign the related responsibilities to individuals within the unit. Similarly, a department providing a particular IT service would be classified as a “Service Provider” and own the corresponding responsibilities.
Additional information to help you understand your responsibilities is available in the UCOP Quick Start Guide by Role.
Data Security Lifecycle
Plan and Create
- What is the data classification? UCSF Policy 650-16 Addendum F, UCSF Data Classification Standard describes how to properly classify, work with, and secure your data based on UC policies that require impacts to be measured in the following areas:
  - Loss of critical UCSF operations
  - Negative financial impact (actual money lost, lost opportunities, value of the data itself)
  - Damage to UCSF’s reputation
  - Potential for regulatory or legal action
  - Violation of UCSF’s mission, policies, or principles
  - Requirement for corrective action or repairs
- What regulatory requirements apply to the data? Regulations that protect the security and privacy of data are on the rise. UCSF is subject to many of these regulations, including the following:
- Is a risk assessment required? UCSF is required by several laws, regulations, and policies to assess the risk of compromise to information systems that create, store, process, or transmit UCSF data. Any new Information Technology (IT) platform that will handle P3 (sensitive) or P4 (restricted) data must undergo a security risk assessment. The UCSF risk assessment process collects information about the security controls and practices implemented on a system or application and uses that information to score its security compliance.
- Based on the data classification, what are the policy, legal, and access requirements? UCSF Policy 650-16 Addendum F, UCSF Data Classification Standard describes the policy, legal, and access requirements for each data type.
- How will the data be kept safe? UCSF Policy 650-16 Addendum B, UCSF Minimum Security Standards for Electronic Information Resources describes the minimum security safeguards for UCSF data and should be used to create a data management plan that addresses the following:
  - System Inventory and Protection Level Classification (PLC)
  - Transmission of Restricted Information
  - Physical Security
  - System Management Agent
  - Network Access Control (NAC)
  - Anti-Virus
  - Host-Based Firewall
  - Security Endpoint Detection and Response Agent (EDR)
  - Device Encryption
  - Authentication
  - Passwords
  - Software Patch Updates
  - Application and Website Security
  - Enterprise Vulnerability Management
Additionally, if health data is involved, Policy 5.01.06 Control of Access to and Release of Information from UCSF Medical Center Information Systems must also be followed.
Store
- How will the data be stored? Measures should be taken to ensure continued compliance with UCSF Policy 650-16 Addendum B, UCSF Minimum Security Standards for Electronic Information Resources, and Policy 5.01.06 Control of Access to and Release of Information from UCSF Medical Center Information Systems.
- How is the data backed up? UCSF IT provides Backup Services for servers and CrashPlan for the data that reside on your desktop or laptop.
- How do we ensure the platform where the data is stored continues operations in the event of a disaster or other interruption? As part of the risk assessment process, a business impact analysis is required to determine the impact of the platform being down and the minimum continuity measures.
Use and Share, Including Transmitting Data Electronically
- How will the data be used and shared? Measures should be taken to ensure continued compliance with UCSF Policy 650-16 Addendum B, UCSF Minimum Security Standards for Electronic Information Resources, and Policy 5.01.06 Control of Access to and Release of Information from UCSF Medical Center Information Systems. In addition, UCSF has the IT Governance Committee on Enterprise Information and Analytics (EIA) dedicated to this question as it relates to data sharing with third parties and has a list of recommendations. The UCSF Research Development Office has additional grant guidelines and templates. Lastly, we have a new Policy at UCSF, 650-20: External Sharing of Personally Identifiable Information (PII) and PII-Derived Data, that must be adhered to when sharing Personally Identifiable Information (PII) and PII-Derived Data outside of UCSF.
- How will data be emailed? Secure email may be used by starting the subject with any of the following keywords (note that they must be the exact spelling and spacing to work correctly):
  - PHI:
  - ePHI:
  - Secure:
  - [encrypt]
- Has consent been granted to share the data? If the research involves human subjects, obtain the proper informed consent documents.
- If you’ll be using or sharing de-identified health information, how is the data de-identified? Options for obtaining certified de-identified data sets include requesting de-identified data through the UCSF Enterprise Data Request Process, utilizing data from UCSF de-identified data applications, or de-identifying your own data set using the data de-identification resources provided by UCSF Enterprise Information and Analytics. While UCSF does not currently offer data de-identification validation services, teams can request a data management consultation if they have questions.
- What additional guidance exists if you want to use data from Scuba, the enterprise data warehouse ecosystem for UCSF? Guidance is available at Scuba Access and Security.
- Are you following the minimum necessary standard? For example, at UCSF, we must limit the use and disclosure of patient information to the minimum necessary to complete the task. Doing so helps to protect patient privacy and reduces the risk of privacy incidents.
- How is information (data) published and copyrighted? The UCSF library provides guidance on copyright, publishing, and intellectual property.
Destroy
- How long should the data be kept? Data should be stored in accordance with the UC Records Retention Schedule.
- How is paper media destroyed? Secure disposal bins should be used. Your manager can order one from the vendor, Shred-it, by contacting their customer service at 1-800-MYSHRED (1-800-697-4733) or [email protected] and creating a requisition in BearBuy.
- How is electronic media destroyed? Contact the IT Service Desk or call 415-514-4100. IT will collect and arrange for the destruction of any electronic media (hard drives, tapes, etc.) that contains restricted or sensitive data, including PII (personally identifiable information) and PHI (patient health information), free of charge.
- Can data be left in the cloud or in the possession of a third party after a project is completed? If your data is stored in a cloud-hosted environment or with a vendor, work with them to retrieve or properly dispose of it. UCSF purchasing agreements have specific requirements for how vendors must handle the disposition of UCSF data at the end of the contract.
Take the quiz on protecting your data. Everyone who passes the quiz is entered to win one of six $50 Amazon Gift Cards.
Additional Information:
- UCSF’s Data Resources
- UCSF’s Privacy and Confidentiality Handbook
- Forbes - Why The Data Security Lifecycle Is Essential For Reducing Cost And Risk