UC PRIVACY AND INFORMATION SECURITY STEERING COMMITTEE OCTOBER 25, 2010

Similar documents
Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Index All entries in the index reference page numbers.

Impact of Legal and Regulatory Compliance on Higher Education Information Security Management. Dan Han Virginia Commonwealth University

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Peer to Peer File Sharing and Copyright Infringement Policy

I. U.S. Government Privacy Laws

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

CODE OF ETHICS AND BUSINESS CONDUCT

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

IT Security & Compliance Risk Assessment Capabilities

SUMMARY OF POSITION ROLE/RESPONSIBILITIES:

Information Security Plan May 24, 2011

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

ADMINISTRATORS SERIES PRIVACY AND SECURITY AT UF. Cheryl Granto Information Security Manager, UFIT Information Security

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Marist College. Information Security Policy

Our Commitment to Information Security

Best Practices for DLP Implementation in Healthcare Organizations

Acceptable Use of Information Technology

EXAMINATION OUTLINE FOR PRIVATE INVESTIGATORS

Law & Ethics, Policies & Guidelines, and Security Awareness

Prepared by: The Office of Corporate Compliance & HIPAA Administration

Stephen Hess. Jim Livingston. Program Name. IAM Executive Sponsors. Identity & Access Management Program Charter Dated 3 Jun 15

Benefits of Social Media

Cloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity. Amy Mushahwar, Esq.

VICTOR VALLEY COMMUNITY COLLEGE DISTRICT ADMINISTRATIVE PROCEDURE. Computer Use - Computer and Electronic Communication Systems.

Ubiquity of Security Compliance and Content Management

Implementing Information Security Policies and Standards. A Real Life Example

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

Human Resources & E-Discovery Law: New Challenges in Museum Admi

How To Help Your Business With Data Security And Privacy

Rowan University Data Governance Policy

Cloud Security Introduction and Overview

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU

Information Management Compliance and Data protection.

Operational Risk Management Policy

Information Technology

Information Resources Security Guidelines

FTP-Stream Data Sheet

Library Guide: HIPAA

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Legal Ethics in the Information Age: Unique Data Privacy Issues Faced by Law Firms. v , rev

Mental Health Resources, Inc. Mental Health Resources, Inc. Corporate Compliance Plan Corporate Compliance Plan

Meeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel

Managing data security and privacy risk of third-party vendors

Forensic Audit Building a World Class Program

Standards of Ethical Conduct

ESI Incident Response Procedures 1

Bossier Parish Community College

Compliance Program and HIPAA Training For First Tier, Downstream and Related Entities

7Seven Things You Need to Know About Long-Term Document Storage and Compliance

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

DSU Identity Theft Prevention Policy No. DSU

How To Ensure Financial Compliance

COMPUTER USE POLICY. 1.0 Purpose and Summary

HIPAA Violations Incur Multi-Million Dollar Penalties

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

Sensitive Data Management: Current Trends in HIPAA and HITRUST

UNIVERSITY COMPLIANCE PLAN

INFORMATION TECHNOLOGY SECURITY STANDARDS

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Establishing An Effective Corporate Compliance Program Joan Feldman, Esq. Vincenzo Carannante, Esq. William Roberts, Esq.

White Paper: The Seven Elements of an Effective Compliance and Ethics Program

AUDIT COMMITTEE BEST PRACTICES CHECKLIST

Identity Management: Securing Information in the HIPAA Environment

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

What s New in Access, Privacy and Health Care. Brian Beamish Commissioner. Ontario Connections May 21, 2015

Institutional Data Governance Policy

Transcription:

UC PRIVACY AND INFORMATION SECURITY STEERING COMMITTEE OCTOBER 25, 2010

Agenda 1:00 pm Welcome Introductions Review of the Committee s Charge A Provisional 18-Month Plan 1:30 Setting the Stage Privacy Issues Impacting UC 2:00 Determining the Path Forward Committee Deliverables Statement of Community Principles and Values Foundational Questions Proposal for 2010 2:50 Logistics 3:00 Adjourn 2 AGENDA

Welcome Introductions Review of the Committee s Charge A Provisional 18-Month Plan 3

Review of the Committee s Charge to make recommendations for: an overarching privacy framework that enables UC to meet statutory and regulatory obligations in a manner respectful of individual privacy; specific actions or phases needed to implement this framework as University policy; governance, implementation, and accountability structures across the University with respect to privacy and information security; and a formal ongoing process through which the University can examine and, where necessary, address through policy vehicles, the technical and societal changes that have an impact on University policy and practice in the areas of privacy and information security. 4 WELCOME

A Provisional 18-Month Plan Fall 2010 Privacy issues impacting UC UC principles and values of community Foundational questions Winter 2011 Governance and accountability Spring A framework Statement of community principles and values Governance Accountability Policies Summer Break Fall Sustainable review process Implementation process Winter 2012 Recommendations 5 WELCOME

Setting the Stage Privacy Issues Impacting UC 6

Movie http://www.aclu.org/ordering-pizza 7 SETTING THE STAGE

Privacy Issues Impacting UC Regulatory compliance Serious consequences of failure Financial and operational necessity Increased demand for data sharing Confidential institutional data Faculty and staff between individuals and institutions Technology The expectations of individuals Research and innovation In loco parentis 8 SETTING THE STAGE

Regulatory Compliance HIPAA FERPA Patriot Act California Information Practices Act FTC Red Flag Rules GLBA Intellectual Property Protection Federal Privacy Act (SSNs) PCI-DSS (Credit Cards) California Public Records Act Clery Act DOJ IRS E-Discovery Data Mgmt. Plans Mandated By Funding Agencies DMCA CMS Research Misconduct (e.g. human subjects) ADA 9 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Regulatory Compliance Best practices for compliance due diligence now sometimes requires preemptive measures rather than reactive corrective action, in contrast to the University s current stance on civil liberty privacy (cf. UC stance on illegal file sharing). 10 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Serious Consequences of Failure Data breaches: financial (notification expenses, fines, legal fees, productivity loss), reputational and legislative consequences Virginia Tech tragedy Regulatory investigations (e.g., by Cal/OSHA, OIG, FDA, OCR, ) Suspended research programs Potential loss of Federal financial aid funding (HEOA) 11 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Financial and Operational Necessity Regents resolution on administrative efficiency Public transparency and accountability Marketing Development Outsourcing and the ubiquity of free Internet services Complexity and number of University policies related to privacy, information security and records management Incidental personal use PCI banking status to accept credit cards Role of big brother relating to employees (e.g., surveillance cameras) 12 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Increasing Demand for Data Sharing Collect more, share more of what s been collected By business, legislators, law enforcement, customers Service provisioning (e.g., atyourservice.ucop.edu) IT security, network management, audit, Health information exchange and networks Tension between California legislature desires for reduced SSN use and increased analysis of student outcomes and accountability (requiring SSNs) California Public Records Act requests USA PATRIOT Act and National Security Letters Open exchange of information and ideas 13 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Confidential Institutional Data Institutional data beyond personal information that we may want to protect Infrastructure plans Computer security information Intellectual property Accreditation reviews Campus directories 14 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Faculty and Staff: Between Individuals and Institutions Faculty and staff have expectations as individuals, but are also expected to be institutional stewards Authority to access confidential data for work purposes versus for personal purposes (e.g., looking up one s own records or those of family or friends) Clinical faculty are custodians of patient data as physicians, but want more access to data as researchers Social media (e.g., Facebook) friend requests Faculty as patients Blurring of personal and work lives Use of personally owned devices in the workplace Use of institutional resources for (incidental) personal use 15 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Technology The net: ubiquitous broadband, free email accounts, texting The cloud and outsourcing Mobile devices (smartphones) Emerging technologies (e.g., genetic screening) Civil disobedience in cyberspace Location services (e.g., Foursquare, Loopt and RFID transponders for toll kiosks and automated traffic volume display on billboards) Use of consumer-oriented devices or services in the workplace (e.g., ipads, Skype) 16 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Changing and Conflicting Expectations by Individuals I expect: To be able to do routine administrative tasks online (e.g., booking flights, paying bills, ) any time and from anywhere The right people will have access to my personal information (e.g., my doctors, different services from the same campus) That my confidential information will be properly used and protected and that I understand and have a say in what is proper To be safe from on- and off-line threats/crimes Shaped by mainstream media, ubiquitous free net services, information fire hose, Facebook culture, blurring of work and personal lives 17 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Research and Innovation Technology research as human subjects research Using network traffic for research Openness open exchange of information and ideas Does privacy stifle innovation? cf. EU Privacy Directive 18 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

In Loco Parentis Raising student awareness about the potential consequences of their actions How to be smart about using Facebook, etc. Illegal file sharing (DMCA / HEOA) Affirmatively protecting students Making information about students available to credit card companies Availability of information that could embarrass a student in the future Publicly posting names in connection with police activity logs Video of a heated classroom debate 19 PRIVACY ISSUES IMPACTING UC EXPECTATIONS OF INSTITUTIONS

Determining the Path Forward Committee Deliverables: Recommendations Foundational Questions Statement of Community Principles and Values Proposal for 2010 20

Committee Deliverables: Recommendations A framework Statement of community principles and values Governance Accountability Policies Sustainable review process Implementation process 21 DETERMINING THE PATH FORWARD

Foundational Questions 1. How does the University balance the civil liberty of privacy with its many values and obligations? 2. Do we have a single policy for everyone, or different policies for different communities and/or types of data? 3. Is incidental personal use a right, a privilege or something else? 4. What is the University s level of risk tolerance, especially for regulatory compliance? 5. How does the University determine appropriate ownership of, and access to, data by individuals, campuses, the administration, the Regents and external entities? 22 DETERMINING THE PATH FORWARD

Statement of Community Principles and Values How does the University balance the civil liberty of privacy with its many values and obligations? Supervisor cannot read employee s email SCENARIO: PRIVACY OF EMPLOYEE EMAIL Supervisor can read only with employee s consent Privacy protection only as required by law Supervisor obligated to read/review employee s email MORE INDIVIDUAL PRIVACY Fosters: Freedom of inquiry and speech, academic freedom An ethical and respectful workplace High employee morale Ability to whistleblow confidentially 23 LESS INDIVIDUAL PRIVACY Fosters: Better regulatory compliance Lower risk of privacy breaches Lower risk of financial, legal and reputational consequences Streamlining of business operations DETERMINING THE PATH FORWARD

Proposal for 2010 Working Group develops an initial draft statement of community principles and values 24 DETERMINING THE PATH FORWARD

Logistics Additional functional expertise? Communications 25

Adjourn universityofcalifornia.edu/privacyinitiative 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information