UCLA Policy 404 : Encryption of Electronically Stored Personal Information
I. PURPOSE & APPLICABILITY
UCLA collects, stores, and uses Personal Information for its academic, patient care, public service, and business operations. UCLA is committed to protecting Personal Information that is in its custody or control from unauthorized access, use, disclosure, disruption, or modification.
The purpose of this Policy is to:
- Require encryption of electronically stored Personal Information;
- Require designation of an IT Compliance Coordiantor (ITCC); and
- Establish the authority and procedures to request exceptions to encrypting electronically stored Personal Information.
This Policy requires the encryption of electronically stored Personal Information, thereby minimizing the risk of a breach. However, should a breach occur, as per UCLA Policy 420, Breaches of Computerized Personal Information, its cost will be the responsibility of the organization in which it occurred. This Policy, together with UCLA Policy 420, serves to implement the provisions required by UC IS-3, Electronic Information Security, to identify and protect electronically stored Personal Information and respond to breaches of the same.
This Policy applies to:
- Organization Heads
- Data Stewards
For the purposes of this Policy, the following definitions shall apply:
Data Steward means UCLA personnel who have Personal Information under their physical or logical control: for example, a faculty or staff member who places Personal Information on a Device; or a database adminstrator responsible for a campuswide or departmental database.
UCLA personnel are not Data Stewards if they are:
- Only users of a database (e.g., access or modify Personal Information via a web site or mainframe screen and have no control over the ability to encrypt the database itself);
- Do not store a local copy of Personal Information under their control; or
- Do not have responsibility for the database itself.
Device means any computer or computing device, including, but not limited to, desktops, laptops, tablets, smartphones, or removable media such as CDs, USB flash drives, or portable hard drives.
Organization Head means one of the following:
- Chancellor (as head of the Chancellor’s Office Organization)
- Vice Chancellor
- Vice Provost
- University Librarian
- Director, Intercollegiate Athletics
- Executive Director, ASUCLA
Personal Information means an individual’s first name or first initial, and last name, in combination with any one or more of the following:
- Social Security number;
- Driver’s license number or California identification card number;
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- Medical information, any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
- Health insurance information, an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify an individual, or any information in an individual’s application and claims history, including any appeals records.
Personal Information in the custody or control of UCLA should be stored only when there is an academic, patient care or business purpose.
Electronically stored Personal Information must be encrypted. Each organization must maintain an inventory of their electronically stored Personal Information, including individuals responsible for this Personal Information. Organization Heads have the authority to impose more restrictive standards for electronically storing Personal Information in their area of responsibility.
Employees who violate this Policy will be subject to the disciplinary process in accordance with University policies and collective bargaining agreements.
Exceptions to Encryption of Electronically Stored Personal Information
An exception to encryption may be requested only if the Personal Information cannot be encrypted or there are circumstances that make it inappropriate to do so.
Requests for an exception must be completed on the Request Form (Attachment A). Requestors should consult with their organization’s ITCC for assistance.
Other Relevant Policies, Requirements and Offices
Various UCLA offices have responsibility for the oversight of, or regulatory compliance with requirements for the privacy and security of certain types of data that overlap with Personal Information. These include, but are not limited to, the following:
- Medical records defined by the Federal Health Insurance Portability and Accountability Act (HIPAA) under the purview of the UCLA HIPAA Privacy Officers;
- Human subjects research data under the purview of the UCLA Institutional Review Board;
- Credit card data under the responsibility of Business & Finance Solutions. See UCLA Policy 314, Payment Card Processing Standards;
- UCLA Human Resources Procedure 21, Appointment - a background check is required when hiring new employees, transfering, promoting or reclassifying current employees into critical positions (including those requiring access to Personal Information);
- UC Business & Finance Bulletin IS-3, Third-Party Agreements, as it pertains to contracts that are established with third-parties - contractors, consultants, or external vendors - working with Personal Information must include satisfactory assurances that the contracting third-party will appropriately safeguard University information; and
- UCLA Policy 401, Minimum Security Standards for Network Devices - devices connecting to the UCLA network, including those storing Personal Information, must comply with the security standards set forth in that policy.
Specific responsibilities and duties are assigned in order to implement and ensure compliance with this Policy. In addition, there are designated campus officials who are assigned the responsibility to review requests for exception to encryption and to approve, or recommend approval of such requests.
Organization Heads have ultimate accountability for compliance with this Policy in their organization, even if specific responsibilities are delegated. Each Organization Head must:
- Ensure that Data Stewards in their area of responsibility are aware of and comply with this Policy;
- Review all requests for an exception to encryption within their organization and recommend whether the exception should be granted. The authority to make this determination cannot be delegated; and
- Designate an IT Compliance Coordinator for their organization.
Organization Heads have the authority to impose more restrictive standards for electronically storing Personal Information in their area of responsibility.
Authorizing Officials are responsible for reviewing exception requests and have the final authority to approve such requests. Authorizing Officials are: Administrative Vice Chancellor for UCLA’s main campus, Vice Chancellor, Health Sciences & Dean of the School of Medicine for the UCLA Health System & David Geffen School of Medicine, and the Chancellor and Executive Vice Chancellor and Provost for all exception requests.
Information Security Officers are responsible for recommending approval of an exception request based on a review of the documented circumstances and the proposed compensating controls for information security risks and technical reliability. The Information Security Officers are: the Chief Information Security Officer for UCLA’s main campus and the Chief Information Security Officer for the UCLA Health System & David Geffen School of Medicine.
Privacy Officers are responsible for recommending approval of an exception request based on a review of the documented circumstances and the proposed compensating controls for privacy risks and institutional impact. The Privacy Officers are: the Chief Privacy Officer for UCLA’s main campus and the Chief Privacy Officer for the UCLA Health System & David Geffen School of Medicine.
ITCCs within their organization are responsible for assisting requestors in completing the Request Form for Exception to Encryption of Electronically Stored Personal Information (Attachment A).
Data Stewards are responsible for complying with this Policy and any local requirements of their specific organization to protect Personal Information.
- UC Business and Finance Bulletin IS-3, Electronic Information Security;
- UC Business and Finance Bulletin IS-2, Inventory, Classification, and Release of University Electronic Information;
- UCLA Human Resources Procedure 21 – Appointment;
- UC Appendix DS, Additional Terms and Conditions – Data Security and Privacy;
- UCLA Institutional Review Board;
- UCLA Policy 314: Payment Card Processing Standards;
- UCLA Policy 401: Minimum Security Standards for Network Devices;
- UCLA Policy 420: Notification of Breaches of Computerized Personal Information;
- California Civil Code, Information Practices Act of 1977, §1798.29 (California Breach Notification Law);
- UC HIPAA web site www.universityofcalifornia.edu/hipaa/;
- List of IT Compliance Coordinators https://www.itsecurity.ucla.edu/itcc; and
- UC Statement of Ethical Values and Standards of Ethical Conduct.
/s/ Waugh, Scott
Executive Vice Chancellor