As a University of Utah employee or student, you are especially vulnerable to cybercrime.
Why?
Under the Family Educational Rights and Privacy Act (FERPA), public schools can disclose “directory” information. For example, student and employee names, email addresses, and phone numbers, as well as student majors and staff office locations, are all available in the university Campus Directory. The public, however, can no longer view information about students via the directory.
Employee salaries also are publicly available on the Utah Division of Finance website.
Additionally, you may work with sensitive and restricted data, such as personal health care information (PHI) or protected student information. If a criminal were able to steal your uNID and password, they would have access to all of that information, plus your own personal data.
Students can opt out of the Campus Directory. To do so, log in to CIS, select “Personal Profile,” and then select “Privacy Restrictions.”
Employees can opt out under special circumstances by making a request through their HR representative.
Information Security Policy 4-004
The U’s Information Security Policy 4-004 and its accompanying rules were created to protect the privacy of students, employees, and patients, create a culture of cybersecurity, and ensure compliance with state, federal, and local laws like HIPAA and FERPA.
We know that no one gets excited about policy, but it’s really important and directly impacts your studies, research, and work every day. Plus, it’s mandatory for all U community members — no exceptions.
Check out the video below for a quick introduction to Information Security Policy 4-004.
Supporting information security rules
While Policy 4-004 has 15 supporting rules, here’s a quick look at two that affect all University of Utah community members: the Acceptable Use Rule and the Data Classification and Encryption Rule.
Acceptable Use Rule
The Acceptable Use Rule establishes “the general parameters for the use of IT Resources, Information Systems, and Electronic Resources.” Simply put, the rule can help you understand your responsibilities when:
- Using a personal device to conduct university business
- Soliciting business from U colleagues using a university email address
- Posting something to social media on behalf of, or as a representative of, the university
- Storing personal data on university-owned resources, such as UBox
Box and Microsoft OneDrive are secure, university-approved cloud storage services available to current students and employees. When storing sensitive or restricted data, use these services. Storing sensitive or restricted data in personal or unapproved cloud storage accounts is strictly forbidden.
Data Classification and Encryption Rule
The Data Classification and Encryption Rule describes the “requirements for managing University electronic data and Information Assets.” You should refer to the rule when:
- Determining whether certain data is considered public, sensitive, or restricted
- Deciding whether certain data needs to be encrypted before emailing it
Forwarding your UMail to a personal account — like Gmail or Yahoo — is expressly prohibited for hospital employees and is strongly discouraged for campus students, faculty, and staff.
If you are a U employee and use personal devices like laptops or smartphones to do your work, then your personal device is subject to the same policies and rules as university-owned devices. That includes full-disk encryption for any device containing sensitive or restricted data.
Questions?
Have questions about the U’s information security policy and/or rules? The Information Security Office's Governance, Risk & Compliance (GRC) team can help. Contact GRC at iso-grc@utah.edu.
_______________
Patient privacy
The University of Utah Health Information Privacy Office ensures patient privacy policies are in place and enforced so that protect health information (PHI) is protected and HIPAA regulations are followed. The Privacy Office will investigate when there is a concern that HIPAA regulations were not followed or that patient information was inappropriately shared. Additionally, the Privacy Office provides outreach and education in regards to HIPAA, PHI, and patient privacy.
If PHI has been inappropriately shared, lost, or compromised, please report the incident to the Privacy Office. You can either:
- Complete an online incident form on the Information Privacy page in Pulse
- Can call the Privacy Office at 801-587-9241
If you would like to remain anonymous, you can contact the university’s Ethics and Compliance Hotline. You can either:
- Call 888-206-6025
- Complete an online EthicsPoint form
