Table of Contents
Date Created: August 24, 2018
Date Last Amended/Reviewed: August 7, 2019
Date Scheduled for Review: August 2024
Reviewing Office: Office of Information Technology Services
The following rules are critical to our ability to effectively manage Data.
- Training: All Data Users will receive training in the structure and definitions of Institutional Data as well as relevant policies prior to accessing data.
- Privacy and Confidentiality: Data Users must respect the privacy of individuals whose records they may access. No subsequent disclosure of personal information contained in files or databases may be made. Disclosure is understood to include (but is not limited to) verbal references or inferences, correspondence, memoranda and sharing of electronic files. Institutional Data must be stored in such a way as to ensure that the data is secure, and that access is limited to authorized users. When electronic data is no longer required for administrative, legal or historical reasons, it should be deleted in such a way that recovery is not possible.
- All devices taken out of service shall be purged of all data, including remnant data, in accordance with processes defined by the Chief Information Security Officer.
- Data Integrity: Institutional Data must be protected and managed at all levels to ensure its integrity. Employees who identify inaccurate, inconsistent or unreliable data should notify the appropriate Data Steward or the Director of Institutional Research and Assessment (IRA) immediately. The Data Steward shall within five business days document the error and correct the data and/or refer the problem to the Director of IRA and the appropriate Data Trustee. Problems may also be anonymously reported through Temple’s Ethics & Compliance Helpline at https://www.temple.edu/about/ethics-compliance/helpline.
- Social Security numbers must not be used as a primary identifier for Temple-related individuals, except when required by law.
- The University Privacy Officer shall maintain an accurate inventory and map of the usage of all Confidential Data and Sensitive Data.
- Data must be maintained in an appropriately secure, accurate and reliable manner. Confidential Data and Sensitive Data may not be viewed or downloaded to a non-Temple technology resource without a method of protection approved in advance by the Office of Information Technology Services.
- Data security measures must be implemented commensurate with the Data Classifications described above. These classifications are based on the sensitivity of data, and the risks associated with improper disclosure.
- Data related to research must adhere to compliance requirements stipulated by applicable law, the granting or contract-issuing authority and any applicable Temple University policies. Research data management and compliance is the responsibility of the researcher(s).
- All systems and storage handling of confidential or sensitive data, whether internal, outsourced, or hosted, are subject to a security risk assessment conducted in advance. All systems must meet minimum security standards. If a system does not meet such standards, the Chief Information Security Officer will require the design and implementation of compensating controls before a unit can proceed with implementation.
- Data users must not send confidential data via email, and sensitive data may only be sent by email within the internal Temple community. Email should not be considered private, particularly in light of the open nature of the Internet and related technology and the ease with which files may be accessed, copied and distributed.
- Data users are required to use an encryption solution (e.g. TUSafeSend or Owlbox) approved by Information Technology Services to store, process or transmit all confidential and sensitive data. As such, confidential or sensitive data may never be transmitted over clear-text channels such as email, instant messaging, FTP, HTTP or similar unencrypted methods.
- All devices that store, process or transmit any Confidential Data must adhere to University lockdown standards and guidelines for encrypted, enable session lockout passwords, disable file sharing and install an approved version of endpoint protection. Laptops containing Confidential Data should never connect to an unsecured wireless or wired network and must be physically secured at all times. If a device is lost or stolen, contact the Help Desk immediately at 215-204-8000.
- University departments which store, process or transmit confidential or sensitive data in the ordinary course of departmental business or a research grant or project are required to budget for and utilize an encryption solution approved by Information Technology Services.
- Confidential Data or Sensitive Data may not be used in non-production systems, in presentations, or in training sessions unless approved in advance by the Chief Information Security Officer.
- Media or devices containing Confidential Data or Sensitive Data must be purged by the university’s Computer Recycling Center following the approved method authorized by the Chief Information Security Officer.
TEMPLE-RELATED INDIVIDUALS include Temple students, employees, faculty, applicants for employment as well as certain other individuals associated with the university including, but not limited to, alumni, trustees, donors, vendors, volunteers, clients, temporary employees of agencies who are assigned to work for the university and third-party contractors engaged by the university and their agents and employees.