-
Initiating Authority
- Information Security and the Chief Data Officer serve as the initiating authorities
for this policy.
-
Purpose
- The purpose of this policy is to decrease the risk around transmission and transfer
of Restricted Information between the University and any Third Party.
-
Policy
-
Data Transfer of Restricted Information
- All Data Transfers of Industry Defense Programs ("IDP") Restricted Information or
蹤獲扦 Restricted Information shall be in accordance with this policy and applicable
Data Transfer Processes and Procedures.
- All Data Transfers of 蹤獲扦 Restricted Information from the University to a Third Party
must be reviewed and approved by the Data Management Committee ("DMC") prior to transmission.
- All Data Transfers of IDP Restricted Information from the University to a Third Party
must be reviewed and approved by IDP IT prior to transmission.
- All Data Transfers of Restricted Information that involve both 蹤獲扦 Restricted Information
and IDP Restricted Information must be reviewed and approved by both the DMC and IDP
IT prior to transmission.
- The DMC and/or IDP IT, as applicable, shall be notified thirty (30) days prior to
renewal of any Restricted Use Agreements.
-
Restricted Use Agreements
- All Data Transfers of Restricted Information must be accompanied by a Restricted Use
Agreement, unless otherwise set forth in this policy.
- All Restricted Use Agreements must be reviewed and approved by the Office of General
Counsel.
- Restricted Information may be transmitted without a Restricted Use Agreement if the
Restricted Information includes:
- student educational records protected by the Family Education Rights and Privacy Act
(FERPA) and is being produced to the student, or a third party authorized by the student,
pursuant to a valid FERPA authorization and release, or as otherwise permitted under
FERPA;
- patient records protected under the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) and is being produced to the patient, or a third party authorized
by the patient, pursuant to a valid HIPAA authorization and release, or as otherwise
permitted under HIPAA;
- confidential personnel records and is being produced to the employee, or an third
party authorized by the employee, pursuant to a valid authorization and release; or
- records that are requested or compelled by court order, subpoena, or otherwise mandated
to be produced under the law.
-
Termination of Transfer of Restricted Information
- Users must notify either the DMC (for 蹤獲扦 Restricted Information), IDP IT (for IDP
Restricted Information), or both (for both 蹤獲扦 Restricted Information and IDP Restricted
Information) prior to termination of a Data Transfer to obtain transfer termination
instructions.
- The DMC and/or IDP IT may request termination of the transfer of Restricted Information
and/or a Restricted Use Agreement.
-
Definitions
- For the purpose of this policy only, the following definitions shall apply:
- Bulk Data: An electronic collection of data composed of information from multiple records, whose
primary relationship to each other is their shared origin from a single or multiple
databases.
- Cloud Service: Networked computing facility(ies) providing remote data storage and processing services
via the internet. This can include but is not limited to Infrastructure as a Service
(IaaS) or Software as a Service (SaaS) delivery methods and includes all cloud services,
regardless of capacity.
- Controlled Affiliated Organizations: 蹤獲扦Intercollegiate Athletic Association, Inc., 蹤獲扦
University Union Corporation, 蹤獲扦Innovation Alliance, Inc.,
WSIA Investments Corporation.
- Data Management Committee ("DMC"): The University committee charged with managing and maintaining compliance with the
Higher Learning Commission requirements related to institutional data for accreditation
which includes but is not limited to providing oversight to University data systems
to ensure data integrity, best practices in data management, reporting standards,
information consistency, and security access.
- Data Transfer: Automated or manual transfer of Restricted Information from the University to a Third
Party that involves the following agreements and/or situations: (1) agreement for
the purchase or use of Cloud Services for data storage, transfer, or processing; (2)
agreement with a third party to manage, store, or transmit Restricted Information
on behalf of the University; (3) agreements that require the University to set up
a connection with a third party to University systems to receive or store data; or
(4) any agreement or request for a transfer of data via the Internet that is outside
of the normal business process, such as a first-time transfer of Bulk Data. A Data
Transfer may be a one-time transfer or an ongoing transfer. Data Transfers do not
include: (a) University Restricted Information transferred under a sponsored research
agreement, or (b) Restricted Information transferred under a legal request managed
or expressly approved by the Office of General Counsel.
- Data Transfer Process and Procedures: Those processes and procedures established by the DMC and/or IDP IT governing Data
Transfers to Third Parties, which are published on the Information Security webpage.
- IDP Restricted Information: Includes all Restricted Information that is stored only within the NIAR Enclave.
- IDP IT: The department / unit-specific technology office responsible for Industry and Defense
Programs.
- NIAR Enclave: The set of system resources that operate exclusively in the IDP security domain and
that share the protection of a single, common, continuous perimeter.
- Restricted Information: Includes all data, records, documents or files that contain information that is:
(a) required to be maintained confidentially under any applicable law, regulation
or University policy; (b) subject to a contractual obligation to maintain confidentiality;
(c) subject to any applicable legal privilege or protection, such as the attorney-client
privilege; (d) deemed by the University to be a trade secret, confidential or proprietary;
and/or (e) classified by the University as 蹤獲扦 PRIVATE or above.
- Restricted Use Agreement: A Restricted Use Agreement shall include any written agreement with the University
that contains restrictions on the use and disclosure of the Restricted Information
being transmitted, including, but not limited to, non-disclosure provisions, nondisclosure
and confidentiality agreements, business associate agreements, and data use agreements.
- Third Party: Any individual, organization, or entity that is not the University or a Controlled
Affiliated Organization including, but not limited to a Cloud Provider.
- University: 蹤獲扦and Controlled Affiliated Organizations.
- User: Any individual, including but not limited to faculty, staff, students, contractors,
and visitors who has access to and uses University information resources, systems
or data.
- 蹤獲扦 Restricted Information: Includes all Restricted Information that is not stored within the NIAR Enclave.
-
Applicable Laws And Additional Resources
- 蹤獲扦 Policy 3.12 / Security and Confidentiality of Student Records and Files
- 蹤獲扦 Policy 20.17 / Protected Health Information
- 蹤獲扦 Policy 20.18 / Privacy of Financial Information
-
Revision Dates
- December 5, 2023