UC PRIVACY AND INFORMATION SECURITY STEERING COMMITTEE OCTOBER 25, 2010

Similar documents
Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Index All entries in the index reference page numbers.

Impact of Legal and Regulatory Compliance on Higher Education Information Security Management. Dan Han Virginia Commonwealth University

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Compliance in an Outsourced World

Peer to Peer File Sharing and Copyright Infringement Policy

I. U.S. Government Privacy Laws

UNIVERSITY OF CALIFORNIA, SANTA BARBARA

And The Question Is: What are the Key AMC Compliance Focus Areas in the Current Regulatory Environment?

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

CODE OF ETHICS AND BUSINESS CONDUCT

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

IT Security & Compliance Risk Assessment Capabilities

SUMMARY OF POSITION ROLE/RESPONSIBILITIES:

Information Security Plan May 24, 2011

Virginia Commonwealth University Information Security Standard

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

The Importance of Privacy & Data Security in a Changing World

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

ADMINISTRATORS SERIES PRIVACY AND SECURITY AT UF. Cheryl Granto Information Security Manager, UFIT Information Security

Research Support Council (RSC) - What Data is Sensitive and How

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Marist College. Information Security Policy

Our Commitment to Information Security

Best Practices for DLP Implementation in Healthcare Organizations

Acceptable Use of Information Technology

EXAMINATION OUTLINE FOR PRIVATE INVESTIGATORS

Law & Ethics, Policies & Guidelines, and Security Awareness

Prepared by: The Office of Corporate Compliance & HIPAA Administration

Stephen Hess. Jim Livingston. Program Name. IAM Executive Sponsors. Identity & Access Management Program Charter Dated 3 Jun 15

DATA AND USER ACCESS POLICIES

Benefits of Social Media

Cloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity. Amy Mushahwar, Esq.

VICTOR VALLEY COMMUNITY COLLEGE DISTRICT ADMINISTRATIVE PROCEDURE. Computer Use - Computer and Electronic Communication Systems.

Ubiquity of Security Compliance and Content Management

Implementing Information Security Policies and Standards. A Real Life Example

Partner / E-Discovery Team Chair. Craig Roy Director of IT & E-Litigation Services

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

Human Resources & E-Discovery Law: New Challenges in Museum Admi

How To Help Your Business With Data Security And Privacy

Identity Theft Prevention Committee Updates and Discussions: 3/15. Team,

Rowan University Data Governance Policy

BHF Southern African Conference

HIPAA Privacy and Security and Research

Cloud Security Introduction and Overview

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU

HIPAA In The Workplace. What Every Employee Should Know and Remember

Information Management Compliance and Data protection.

Operational Risk Management Policy

Agenda. Privacy & Healthcare IOM Quality Chasm. Healthcare Privacy and Security Landscape in

Information Technology

SATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks

Information Security Guideline: Cloud Computing Services. Information Security and Privacy Committee Draft version 8/1/2012

Information Resources Security Guidelines

FTP-Stream Data Sheet

Library Guide: HIPAA

Ø Externally Hosted Computing Services Appropriate Use Guidelines Ø Matrix for Appropriate Use

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Legal Ethics in the Information Age: Unique Data Privacy Issues Faced by Law Firms. v , rev

Forthcoming EU Data Protection Law

PII0IP PCI10PHI Addressing Data Governance Requirements in a Dispersed Data Environment

What Does Today s ITSM Leader Need To Know About The Cloud?

Mental Health Resources, Inc. Mental Health Resources, Inc. Corporate Compliance Plan Corporate Compliance Plan

Meeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel

Managing data security and privacy risk of third-party vendors

Forensic Audit Building a World Class Program

GAIN CLARITY CRITICAL ISSUES. Your Data in the Cloud : Benefits & Risks GAIN CONTROL. berrydunn.com

Standards of Ethical Conduct

ESI Incident Response Procedures 1

Bossier Parish Community College

Vendor Management Challenge Doing More with Less

Compliance Program and HIPAA Training For First Tier, Downstream and Related Entities

7Seven Things You Need to Know About Long-Term Document Storage and Compliance

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

DSU Identity Theft Prevention Policy No. DSU

How To Ensure Financial Compliance

COMPUTER USE POLICY. 1.0 Purpose and Summary

HIPAA Violations Incur Multi-Million Dollar Penalties

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

Sensitive Data Management: Current Trends in HIPAA and HITRUST

Balancing Security Investment Against Today's Threat Environment

UNIVERSITY COMPLIANCE PLAN

INFORMATION TECHNOLOGY SECURITY STANDARDS

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Establishing An Effective Corporate Compliance Program Joan Feldman, Esq. Vincenzo Carannante, Esq. William Roberts, Esq.

White Paper: The Seven Elements of an Effective Compliance and Ethics Program

Privacy and Data Breach Issues

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1

AUDIT COMMITTEE BEST PRACTICES CHECKLIST

HIPAA/HITECH: Conditional Access Management for Business Performance. Mark Seward, Director Security and Compliance Solutions Marketing

Identity Management: Securing Information in the HIPAA Environment

How To Use A College Computer System Safely

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

What s New in Access, Privacy and Health Care. Brian Beamish Commissioner. Ontario Connections May 21, 2015

UNIVERSITY OF CALIFORNIA, MERCED Red Flag and Security Incident Reporting Policy

Institutional Data Governance Policy

Transcription:

UC PRIVACY AND INFORMATION SECURITY STEERING COMMITTEE OCTOBER 25, 2010

Agenda 1:00 pm Welcome Introductions Review of the Committee s Charge A Provisional 18-Month Plan 1:30 Setting the Stage Privacy Issues Impacting UC 2:00 Determining the Path Forward Committee Deliverables Statement of Community Principles and Values Foundational Questions Proposal for 2010 2:50 Logistics 3:00 Adjourn 2 AGENDA

Welcome Introductions Review of the Committee s Charge A Provisional 18-Month Plan 3

Review of the Committee s Charge to make recommendations for: an overarching privacy framework that enables UC to meet statutory and regulatory obligations in a manner respectful of individual privacy; specific actions or phases needed to implement this framework as University policy; governance, implementation, and accountability structures across the University with respect to privacy and information security; and a formal ongoing process through which the University can examine and, where necessary, address through policy vehicles, the technical and societal changes that have an impact on University policy and practice in the areas of privacy and information security. 4 WELCOME

A Provisional 18-Month Plan Fall 2010 Privacy issues impacting UC UC principles and values of community Foundational questions Winter 2011 Governance and accountability Spring A framework Statement of community principles and values Governance Accountability Policies Summer Break Fall Sustainable review process Implementation process Winter 2012 Recommendations 5 WELCOME

Setting the Stage Privacy Issues Impacting UC 6

Movie http://www.aclu.org/ordering-pizza 7 SETTING THE STAGE

Privacy Issues Impacting UC Regulatory compliance Serious consequences of failure Financial and operational necessity Increased demand for data sharing Confidential institutional data Faculty and staff between individuals and institutions Technology The expectations of individuals Research and innovation In loco parentis 8 SETTING THE STAGE

Regulatory Compliance HIPAA FERPA Patriot Act California Information Practices Act FTC Red Flag Rules GLBA Intellectual Property Protection Federal Privacy Act (SSNs) PCI-DSS (Credit Cards) California Public Records Act Clery Act DOJ IRS E-Discovery Data Mgmt. Plans Mandated By Funding Agencies DMCA CMS Research Misconduct (e.g. human subjects) ADA 9 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Regulatory Compliance Best practices for compliance due diligence now sometimes requires preemptive measures rather than reactive corrective action, in contrast to the University s current stance on civil liberty privacy (cf. UC stance on illegal file sharing). 10 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Serious Consequences of Failure Data breaches: financial (notification expenses, fines, legal fees, productivity loss), reputational and legislative consequences Virginia Tech tragedy Regulatory investigations (e.g., by Cal/OSHA, OIG, FDA, OCR, ) Suspended research programs Potential loss of Federal financial aid funding (HEOA) 11 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Financial and Operational Necessity Regents resolution on administrative efficiency Public transparency and accountability Marketing Development Outsourcing and the ubiquity of free Internet services Complexity and number of University policies related to privacy, information security and records management Incidental personal use PCI banking status to accept credit cards Role of big brother relating to employees (e.g., surveillance cameras) 12 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Increasing Demand for Data Sharing Collect more, share more of what s been collected By business, legislators, law enforcement, customers Service provisioning (e.g., atyourservice.ucop.edu) IT security, network management, audit, Health information exchange and networks Tension between California legislature desires for reduced SSN use and increased analysis of student outcomes and accountability (requiring SSNs) California Public Records Act requests USA PATRIOT Act and National Security Letters Open exchange of information and ideas 13 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Confidential Institutional Data Institutional data beyond personal information that we may want to protect Infrastructure plans Computer security information Intellectual property Accreditation reviews Campus directories 14 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Faculty and Staff: Between Individuals and Institutions Faculty and staff have expectations as individuals, but are also expected to be institutional stewards Authority to access confidential data for work purposes versus for personal purposes (e.g., looking up one s own records or those of family or friends) Clinical faculty are custodians of patient data as physicians, but want more access to data as researchers Social media (e.g., Facebook) friend requests Faculty as patients Blurring of personal and work lives Use of personally owned devices in the workplace Use of institutional resources for (incidental) personal use 15 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Technology The net: ubiquitous broadband, free email accounts, texting The cloud and outsourcing Mobile devices (smartphones) Emerging technologies (e.g., genetic screening) Civil disobedience in cyberspace Location services (e.g., Foursquare, Loopt and RFID transponders for toll kiosks and automated traffic volume display on billboards) Use of consumer-oriented devices or services in the workplace (e.g., ipads, Skype) 16 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Changing and Conflicting Expectations by Individuals I expect: To be able to do routine administrative tasks online (e.g., booking flights, paying bills, ) any time and from anywhere The right people will have access to my personal information (e.g., my doctors, different services from the same campus) That my confidential information will be properly used and protected and that I understand and have a say in what is proper To be safe from on- and off-line threats/crimes Shaped by mainstream media, ubiquitous free net services, information fire hose, Facebook culture, blurring of work and personal lives 17 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Research and Innovation Technology research as human subjects research Using network traffic for research Openness open exchange of information and ideas Does privacy stifle innovation? cf. EU Privacy Directive 18 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

In Loco Parentis Raising student awareness about the potential consequences of their actions How to be smart about using Facebook, etc. Illegal file sharing (DMCA / HEOA) Affirmatively protecting students Making information about students available to credit card companies Availability of information that could embarrass a student in the future Publicly posting names in connection with police activity logs Video of a heated classroom debate 19 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Determining the Path Forward Committee Deliverables: Recommendations Foundational Questions Statement of Community Principles and Values Proposal for 2010 20

Committee Deliverables: Recommendations A framework Statement of community principles and values Governance Accountability Policies Sustainable review process Implementation process 21 DETERMINING THE PATH FORWARD

Foundational Questions 1. How does the University balance the civil liberty of privacy with its many values and obligations? 2. Do we have a single policy for everyone, or different policies for different communities and/or types of data? 3. Is incidental personal use a right, a privilege or something else? 4. What is the University s level of risk tolerance, especially for regulatory compliance? 5. How does the University determine appropriate ownership of, and access to, data by individuals, campuses, the administration, the Regents and external entities? 22 DETERMINING THE PATH FORWARD

Statement of Community Principles and Values How does the University balance the civil liberty of privacy with its many values and obligations? Supervisor cannot read employee s email SCENARIO: PRIVACY OF EMPLOYEE EMAIL Supervisor can read only with employee s consent Privacy protection only as required by law Supervisor obligated to read/review employee s email MORE INDIVIDUAL PRIVACY Fosters: Freedom of inquiry and speech, academic freedom An ethical and respectful workplace High employee morale Ability to whistleblow confidentially 23 LESS INDIVIDUAL PRIVACY Fosters: Better regulatory compliance Lower risk of privacy breaches Lower risk of financial, legal and reputational consequences Streamlining of business operations DETERMINING THE PATH FORWARD

Proposal for 2010 Working Group develops an initial draft statement of community principles and values 24 DETERMINING THE PATH FORWARD

Logistics Additional functional expertise? Communications 25

Adjourn universityofcalifornia.edu/privacyinitiative 26

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information