UNIVERSITY POLICY
| SUBJECT: | ADMINISTRATION | TITLE: | INFORMATION MANAGEMENT |
| CODING: | 00-01-10-30:00 | ADOPTED: | 08/16/99 | AMENDED: | 08/16/99 |
I. PURPOSE
B. Intellectual Property: Copyrights and Royalties 00-01-20-21:00
C. Educational Use of Copyrighted Works 00-01-90-50:05
D. Patient Confidentiality & Health Information 00-01-40-60:00
E. Confidentiality of Student Records 00-01-25-05:00
A. General Principles:
1. The University has ownership of institutional data and information; exceptions include, but are not limited to: data produced under contract with the University or its agents; instances where the University does not claim ownership by choice, practice or tradition; patient health-care records in which the patient shares ownership with the University; and external data licensed or accessed by the University under contract or covered by copyright.
2. The University's rights and responsibilities must be balanced with the rights of individual faculty, staff, students and patients.
3. The responsibility for maintaining confidentiality and privacy rights of faculty, staff, students and patients must be balanced with the University's responsibilities to provide effective, efficient services and to comply with federal and state requirements.
4. The University is committed to providing appropriate safeguards for privacy and confidential information, and will impose disciplinary action for breaches of privacy and confidentiality.
5. The University is committed to an integrated information environment for which flexible information policies and procedures are essential.
6. Institutional data shall be used solely for their intended, legitimate, University-related purpose, and released solely to authorized recipients, unless explicit permission is granted for additional use or release by those with the appropriate authority (see section B).
B. Authority and Stewardship:
1. The University's senior management shall be the highest level University authority for approving, promulgating, reviewing, coordinating and enforcing all information-management policies and procedures for the University, and for coordinating University policies and procedures with those governing external databases and with those of external institutions (such as clinical affiliates). This authority shall normally be delegated to the pertinent deans and vice presidents with administrative responsibility for the gathering and maintenance of specific databases and information, including:
a. the Vice President/CEO of University Hospital (UH), the Vice President/CEO of University Behavioral HealthCare (UBHC), and the deans: for patient health-care records at UH, UBHC, other University health-care facilities and the faculty practices, respectively;
b. the University Librarian: for all library information systems;
c. the Vice President for Legal Management: for legal and contractual information and for intellectual property policies regarding institutional data and databases;
d. the Vice President for Human Resources: for Human Resources databases;
e. the Vice President for Finance and Treasurer: for financial and budgetary databases;
f. the Senior Vice President for Academic Affairs: for University-wide academic and research databases;
g. the associate deans for student affairs and the University Registrar: for personally identifiable student information databases;
h. the associate deans for research: for school research databases;
i. the Vice President for IST: for any academic and administrative computing and telecommunications databases.
2. Data stewardship * is the operational responsibility for and management of particular datasets and other information. Data stewardship shall be vested in or shared by designated University personnel, offices, schools or units responsible for the creation or collection of the data, as delegated by the pertinent dean(s) or vice president(s).
3. The deans and vice presidents, in conjunction with IST, shall have the responsibility for: (a) establishing specific procedures to implement this University policy with regard to input, access, confidentiality, security, retention, usage and release of data; (b) establishing and applying sanctions for breaches of these policies; (c) adhering to technical system standards developed by IST; (d) ensuring and monitoring the quality of their data (see section F); and (e) educating faculty, staff and students concerning information policies and training them in the technical aspects of privacy, confidentiality and security safeguards.
1. Access to institutional databases is a privilege granted by the University, to be used only for those purposes for which the access is authorized.
2. The nature and extent of authorized access to institutional databases shall be determined by (a) legitimate needs to fulfill job responsibilities; (b) local/state/federal/funding agency requirements; (c) confidentiality requirements; and (d) security requirements.
3. Each individual who develops or is given access to institutional databases shall receive a copy of, read and understand this policy and all derivative policies, and shall sign a standard confidentiality statement prior to receiving access (see Exhibit).
4. Each individual with access to institutional databases is responsible for all actions and transactions occurring during each exercise of his or her access privilege.
5. Each data steward shall have responsibility for (a) deciding access to the databases originating in her or his school or unit; (b) publishing and disseminating the policies and procedures regarding access; (c) ensuring prompt termination of access when authorized users transfer from one department to another, terminate their employment, graduate or otherwise withdraw from the University, or when courtesy accounts are inactive or no longer needed; and (d) providing security for school- or unit-level systems.
6. The Vice President for IST shall be responsible for providing University-wide systems with the proper level of security and an authorization mechanism by which access will be restricted to authorized users and authorized users will be restricted to specific files.
D. Confidentiality and Privacy:
1. Confidentiality of information and the privacy rights of individuals to control personal information about themselves are determined by one or more of the following: laws and regulations; ethical considerations; societal expectations; custom; case law; policy; practice.
2. The categories of institutional information that shall be considered confidential and/or private include, but are not limited to:
a. patient health-care and human subjects research records
b. quality-assurance and peer-review information from patient care units
c. National Practitioner Data Bank information
d. Employee Assistance Program records
e. employees’ job performance information
f. student academic records and financial aid status
g. student examination questions
h. private information about students, employees and patients
i. University proprietary information, including copyrightable and patentable information
j. proprietary information belonging to other individuals or entities, such as under a non-disclosure agreement or contract
k. attorney-client privileged information and certain other legal matters
l. library circulation records and any information about use of any library information resource in any format
m. certain business records such as business plans containing competitive information; management memos discussing proposed policies; audit information; contract negotiation strategies; proposed employee wage/benefit information
n. executive session minutes from the Board of Trustees and other committees
o. medical and personal information in research records.
3. Each dean and vice president shall develop, publicize and enforce, and data stewards shall implement the University information and confidentiality policies for the data and information under his/her authority that (a) identify the specific information considered confidential; (b) define internal need-to-know and access for each type of confidential information; (c) define appropriate conditions and procedures for information release, the people authorized to make releases and to receive information; (d) establish retention rules; and (e) set sanctions for breaches of policy.
4. The Vice President for IST shall ensure the development of and shall carry out ongoing training programs in security and confidentiality policies and procedures for all users of information before being granted access to any confidential information systems.
5. Each authorized user of confidential databases shall sign a statement on confidentiality which lists the policies and restrictions on data access, usage, release and retention, and disciplinary actions for breaches (see Exhibit). Data stewards shall report incidents of unauthorized access to private or confidential information within 24 hours and penalties shall be imposed as appropriate.
6. IST shall oversee all vendors, contractors, subcontractors, consultants and external auditors who are given access to confidential databases.
7. Unauthorized breaches of confidentiality with or without release of confidential documents shall result in sanctions in accordance with University policies and procedures and/or law and regulation. Sanctions shall be uniform throughout the University and shall be applied consistently to all violators regardless of job title or level in the organization.
E. Security, Integrity and Accountability:
1. The security of data in a distributed environment is the protection of user files and system resources from intentional or unintentional loss, damage, inappropriate access, and unauthorized disclosure or use of confidential or private information. Integrity of data is assurance that, once entered, data will not be subject to unauthorized modification intentionally or unintentionally, and that data will remain unaltered during transmission between sending and receiving systems. Accountability is the ability to explain security breaches and to link them to the originator. An appropriate degree of security must be balanced against ease of access by authorized individuals. Security systems techniques include:
a. authentication of network users and systems, and determination of access and authorization levels (e.g., via passwords, personal identification numbers, digital signatures, token cards, smart cards, one-time passwords, biometrics)
b. transmission and communications security, protection of remote access points and of external electronic communications (e.g., via firewalls, encryption)
c. physical security of key network components
d. online monitoring, logging and audit trails to maintain information about network access and transactions (e.g., logon activity logs, reference monitors, access alerts)
e. data integrity technologies (e.g., automated error checking, purge criteria, checksums, system backups, archives, redundant systems, anti-virus software, data disposal schedules)
f. ongoing system assessment (e.g., hacker scripts, password crackers).
2. Each dean and vice president shall be responsible for the security for the databases under his/her authority and for taking disciplinary action for security breaches.
3. The Vice President for IST shall be responsible for recommending and coordinating University-wide security policies and procedures.
4. Each data steward shall be responsible for implementing and enforcing the security policies and procedures recommended by IST.
5. Data stewards shall promptly report security breaches, unauthorized access, audit trail data or other system warnings about unusual or inappropriate activity, violations of policy, and weaknesses in security measures to the pertinent dean or vice president and to the Vice President for IST who shall ensure that penalties are imposed when appropriate. Incidents of unauthorized access to private or confidential information shall be reported within 24 hours.
F. Quality:
1. Quality includes integrity, accuracy, consistency, completeness, timeliness and currency.
2. Under the University-wide coordination of the Vice President for IST, data stewards shall establish written quality-control procedures. Data stewards shall ensure training in quality-control procedures of all personnel granted working access to databases.
3. Distributed databases that contain school, unit and/or University data must be verified to ensure data integrity with the official University data. It is the responsibility of the data steward who owns and maintains that data to comply. In addition, any information that is generated from this local data and provided to any internal or external user must include the statement that "this data is not produced from the official University data and should be treated as such."
G. System Standards:
The Vice President for IST shall ensure the development of standards for hardware and software that will enable integration of the University's information systems and databases (e.g., hardware configuration, data definition, communication/networking, software implementation/use). The specifications for approved hardware and software shall be published and distributed to the University community. These standards shall include:
1. for integrated University administrative databases, data standards for communicating information that establish a minimum data set, and set content standards for specific application areas
2. standards for data representation and data exchange to support exchange of information among different organizations and institutions
3. security standards for the University's computer network and all hardware connected to it
4. security standards for patient data confidentiality
5. data integrity and system security standards
6. University-wide networking
V. EXHIBIT
A. Database Confidentiality Statement
By Direction of the President:
__________________________________________
Vice President for Information Services and Technology
__________________________________________
Vice President for Academic Affairs
I, the undersigned, agree to maintain the appropriate confidentiality for the databases to which I have access. I acknowledge that access is permitted only to perform the duties and functions of my employment and/or education at the University and for no other purposes. Further, I will not release this information to or permit access by other people who do not have permission of the University to access such data. Any copy of the information kept by me shall also be kept secure and confidential and shall be destroyed as soon as there is no further need for the data. I acknowledge that the University shall have the right to institute disciplinary actions for breaches of confidentiality by me. I further acknowledge that my breach of confidentiality may subject me to personal civil and criminal liability.
I agree to abide by the University policies governing confidentiality, including but not limited to:
Signature: __________________________________
Name Printed: ______________________________
Title: ______________________________
Department: ______________________________
School: ______________________________
Extension: ______________________________