it.ucsf.edu

Protect your data!

Esther Silver's picture

Data is increasingly becoming UCSF’s lifeblood and most critical asset. At the same time, it is growing enormously in complexity and volume while regulatory requirements are becoming ever more stringent. These factors make data management progressively more important, both to ensure data confidentiality, integrity, and availability and to optimize the data's usefulness.

One way to conceptualize data protection is to describe it in terms of the data management lifecycle:

 

Data lifecycle

 

Proper oversight of data throughout its lifecycle is critical to optimize its utility and minimize the potential for errors and breaches. Below are examples of questions that should be asked and measures taken within each of the four phases pictured above.

Plan and Create

  • What is data classification? The article Know Your Data describes how to properly classify, work with, and secure your data based on UC policies that require impacts to be measured in the following areas:
      • Loss of critical UCSF operations
      • Negative financial impact (actual money lost, lost opportunities, value of the data itself)
      • Damage to UCSF’s reputation
      • Potential for regulatory or legal action
      • Violation of UCSF’s mission, policies, or principles
      • Requirement for corrective action or repairs

 

Store

 

Use and Share including transmitting electronically

  • PHI:
  • ePHI:
  • Secure:
  • [encrypt].

 

Destroy

  • How long should the data be kept? Data should be stored in accordance with the UC Records Retention Schedule.
  • How is paper media destroyed? Secure disposal bins should be used. Your manager can order one from the vendor, Shred-it, by contacting their customer service at 1-800-MYSHRED (1-800-697-4733) or [email protected] and creating a requisition in BearBuy.
  • How is electronic media destroyed? Contact the IT Service Desk at https://ucsf.service-now.com/ess/ or call 415-514-4100. IT will collect and arrange for the destruction of any electronic media (hard drives, tapes, etc.) that contains restricted data, including PII (personally identifiable information) and PHI (patient health information), free of charge.
  • Can data be left in the cloud or at a third party after a project is completed? If your data is stored in a cloud-hosted environment or with a vendor, be sure to work with them to retrieve or properly dispose of your data. UCSF purchasing agreements have specific requirements for how vendors must handle disposition of UCSF data.

Take the quiz on protecting your data. Everyone who passes the quiz wins a prize! This month’s prize is a measuring tape to remind you to take appropriate measures to protect your data.

One person will also be selected for the grand prize: a PacSafe.Com secure backpack.

Additional Information