Protecting Confidential Personal Information

Brandeis University intends to be compliant with applicable laws and regulations and to protect all Confidential Personal Information (CPI) in our custody. This document defines what is expected of each and every member of the Brandeis community in this regard.

What Constitutes Confidential Personal Information?

Brandeis Information Security Plan

To comply with the new laws and regulations and to enable the University to take appropriate action in case of a security breach, the Brandeis Information Security Advisory Committee is requesting that all departments on campus take the steps described below.

  1. Ensure that everyone in your unit in contact with CPI is familiar with the Brandeis Information Security Plan and understands their duties and responsibilities.

  2. Appoint and designate an information security contact for your unit to assist with achieving and maintaining information security compliance.

    • This individual will act as a liaison with LTS, providing us with logistical details about the data stored in your department (as required by law), and helping to keep everyone in your unit informed about information security policies and procedures.

  3. Discover and inventory all CPI collected, maintained or used by your unit, including digital storage, paper storage and workflows.

    • For compliance purposes, the University needs an accurate inventory of all CPI stored digitally or in hard copy form.

  4. Securely delete or redact all CPI that is not absolutely essential for your unit to collect, maintain or use, including storage and workflows.

    • Carefully review your business requirements for sensitive data and delete any information that you do not need. For data purging guidelines, follow your unit's data retention standards.

  5. Follow Brandeis University Best Practices for Securing CPI to protect any CPI that must be collected, maintained or used by your unit.

    • Save any sensitive data that you need on your departmental server(s). Because servers are a more secure storage option, all sensitive data should be transferred from laptops, portable storage media (e.g. USB flash drives, CDs), and local computers to a secure departmental server.

  6. Immediately report to the Brandeis Information Security Officer all situations where institutional or personal CPI may have been inadvertently released.

Questions? Contact LTS Information Security at security@brandeis.edu.

This page was last modified on: Aug 04, 2009