Data Protection Rule
Approved and Implemented: February 22, 2017
Reviewed/Updated: November 2024
Related Policies, Procedures, and Resources- Data Protection and Security Policy
- UAB HIPAA Core Policies
- Data Classification Rule
- Data Protection Rule
- Data Access Policy
- Acceptable Use Policy
- Data Custodian Responsibilities
1.0 Introduction
The objective of this data protection rule is to assist the UAB community in the protections requirements of data and systems based on the Data Classification Rule.
2.0 Scope and Applicability
All UAB data stored, processed, or transmitted must be protected in accordance with this requirement. Based on classification; users are required to implement appropriate security controls.
3.0 Responsibilities for Protecting Institutional Data
All users with access to UAB data are required to protect these data appropriately. Likewise, the Data Steward must grant formal approval for the access and use of institutional data. Please refer to the Data Access Policy
3.1 Specific Roles and Responsibilities for Protecting Institutional Data
3.2 Data Stewards have administrative control and are officially accountable for a specific information asset. Data Stewards shall:
- assign an appropriate classification to the information;
- govern processes for determining access to information assets; and
- ensure compliance with policies and regulatory requirements related to the information.
Examples: VP of Financial Affairs & Administration - financial and HR data; VP of Research & Economic Development - research administration data; Deans and Unit Chairs and data from their respective academic area.
3.3 Data Custodians safeguard the data on behalf of the Data Steward.
- UAB's central Information Technology (UAB IT) units shall be responsible for protecting all Institutional Data maintained/stored in the institutional information systems.
- Distributed Information Technology (IT) units shall be responsible for protecting all Institutional Data maintained/stored in unit level information systems.
3.4 UAB Information Security
Members of the UAB Information Security team are responsible for developing and implementing an information security program as well as supporting data security and protection policies, standards and procedures.
3.5 Information Security Liaison (ISL)
Each unit senior manager will designate at least one ISL who will act as a liaison to the UAB information Security Team. ISLs oversee information security responsibilities for the units and schools, including assisting with security awareness and security incident response.
3.6 System Administrators
System Administrators are individuals within the UAB IT/HSIS or school/units with day-to-day responsibility for maintaining information systems.
3.7 Data Users
Data Users are individuals authorized to access UAB data and are responsible for protecting the information assets on a daily basis through adherence to UAB policies.
4.0 Protection Requirements Based on Classification
The table below defines minimum protection requirements for each category of data when being used or handled in a specific context (e.g. Sensitive Data sent in an email message). Please note that these protections are not intended to supersede any regulatory or contractual requirements for handling data.
| Public Data – Low Risk | |
|---|---|
| Collection and Use | No protection requirements | 
| Granting Access or Sharing | No protection requirements | 
| Disclosure, Public Posting, etc. | No protection requirements | 
| Electronic Display | No protection requirements | 
| Open Records Requests | Data can be readily provided upon request. However, individuals who receive a request must coordinate with University Relations Office before providing data. | 
| Exchanging with Third Parties, Service Providers, Cloud Services, etc. | No protection requirements | 
| Storing or Processing: Server Environment | Servers that connect to the UAB network must comply with IT Security Practices. | 
| Storing or Processing: Endpoint Environment (e.g. laptop, phone, desktop, tablet, etc.) | Systems that connect to the UAB network must comply with IT Security Practices. | 
| Storing on Removable Media (e.g. thumb drives, CDs, tape, etc.) | No protection requirements | 
| Electronic Transmission | No protection requirements | 
| Email and other electronic messaging | No protection requirements | 
| Printing, mailing, fax, etc. | No protection requirements | 
| Disposal | No protection requirements | 
| Sensitive Data – Moderate Risk | |
|---|---|
| Collection and Use | Limited to authorized uses only. Units/Colleges that collect and/or use Sensitive Data should participate in the Information Security Program by reporting servers to the Enterprise Information Security Office. In addition, any/all servers that process or store Sensitive Data must meet all requirements associated with applicable laws and/or standards. Additionally, sensitive institutional data must be stored and managed in unit or higher systems. | 
| Granting Access or Sharing | Access shall be limited to authorized University officials or agents with a legitimate academic or business interest and a need to know as outlined by UAB policies. All access shall be approved by an appropriate data steward and tracked in a manner sufficient to be auditable. Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved through the UAB contract process. | 
| Disclosure, Public Posting, etc. | Sensitive Data shall not be disclosed without consent of the data steward. Sensitive Data may not be posted publicly. Directory information can be disclosed without consent. However, per FERPA, individual students can opt out of directory information disclosure. | 
| Sensitivity Label | All documents (documents, spreadsheets, pdfs, etc.) that contain Sensitive data must be identified with a sensitivity label of Sensitive. It is incumbent on the UAB community to apply appropriate sensitivity labels to data. | 
| Electronic Display | Only to authorized and authenticated users of a system. | 
| Open Records Requests | Sensitive Data is typically not subject to open records disclosure. However, some open records requests can be fulfilled by redacting sensitive portions of records. Individuals who receive a request must coordinate with the University Relations Office. | 
| Exchanging with Third Parties, Service Providers, Cloud Services, etc. | A contractual agreement (or MOU if governmental agency) outlining security responsibilities shall be in place and approved through the UAB contract process before exchanging data with the third party / service provider. UAB Box.com – no special requirements. UAB M365 – no special requirements. | 
| Storing or Processing: Server Environment | Servers that process and/or store sensitive institutional data must comply with IT Security Practices, as well as applicable laws and standards. Additionally, sensitive institutional data must be stored and managed in unit or higher systems. | 
| Storing or Processing: Endpoint Environment (e.g. laptop, phone, desktop, tablet, etc.) | Systems that connect to the UAB network must comply with IT Security Practices, as well as applicable laws and standards. In addition, any/all systems that process or store Sensitive Data must be on an encrypted volume and endpoint must require PIN and/or password for access to device. | 
| Storing on Removable Media (e.g. thumb drives, CDs, tape, etc.) | Sensitive Data shall only be stored on removable media in an encrypted file format or within an encrypted volume. | 
| Electronic Transmission | Sensitive Data shall be transmitted in either an encrypted file format or over a secure protocol or connection. | 
| Email and other electronic messaging | Messages shall only be sent to authorized individuals with a legitimate need to know. Messages with Sensitive Data shall be transmitted only to other uab.edu or uabmc.edu email recipients. Sensitive Data may be shared through approved UAB services. UAB email forwarding to personal email accounts is prohibited. | 
| Printing, mailing, fax, etc. | Printed materials that include Sensitive Data shall only be distributed or available to authorized individuals or individuals with a legitimate need to know. Access to any area where printed records with Sensitive Data are stored shall be limited by the use of controls (e.g. locks, doors, monitoring, etc.) sufficient to prevent unauthorized entry. Do not leave printed materials that contain Sensitive Data visible and unattended. | 
| Disposal | Follow the UAB Secure Media Destruction process for the secure disposal of discs, CDs, DVDs, tapes and hard drives. Repurposed for University Use - Multiple pass overwrite. NOT Repurposed for University Use - Physically destroy. Follow the Destruction of University Records Procedure for printed materials. Refer to the UAB Records Retention Policy and Records Retention Schedule for specific guidance on records retention. | 
| Restricted/PHI Data – High Risk | |
|---|---|
| Collection and Use | Limited to authorized uses only. Units/Colleges that collect and/or use Restricted data should participate in the Information Security Program by reporting servers to the Enterprise Information Security Office. In addition, any/all servers that process or store Restricted Data must meet all requirements associated with applicable laws and/or standards. Additionally, restricted/PHI data must be stored on servers located in the UAB data center and managed by Central IT. SSNs may not be used to identify members of the UAB community if there is a reasonable alternative. SSNs shall not be used as a username or password. SSNs shall not be collected on unauthenticated individuals. All credit/debit card uses must be approved by the VP of Financial Affairs and Administration Office. | 
| Granting Access or Sharing | Access shall be limited to authorized University officials or agents with a legitimate academic or business interest and a need to know as outlined by UAB policies. All access shall be approved by an appropriate data steward and tracked in a manner sufficient to be auditable. Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved through the UAB contract process. | 
| Disclosure, Public Posting, etc. | Not permitted unless required by law. | 
| Sensitivity Label | All documents (documents, spreadsheets, pdfs, etc.) that contain Restricted data must be identified with a sensitivity label of Restricted. It is incumbent on the UAB community to apply appropriate sensitivity labels to data. | 
| Electronic Display | Restricted data shall be displayed only to authorized and authenticated users of a system. Identifying numbers or account number shall be, at least partially, masked or redacted. | 
| Open Records Requests | Restricted data is typically not subject to open records disclosure. However, some open records requests can be fulfilled by redacting Restricted portions of records. Individuals who receive a request must coordinate with the University Relations Office. | 
| Exchanging with Third Parties, Service Providers, Cloud Services, etc. | A contractual agreement (or MOU if governmental agency) and/or Business Associate Agreement (BAA) outlining security responsibilities shall be in place and approved through the UAB contract process before exchanging data with the third party / service provider. UAB Box.com – Subject to any applicable laws. UAB M365 (OneDrive, SharePoint, Email, Teams) – Subject to any applicable laws. | 
| Storing or Processing: Server Environment | Servers that process and/or store sensitive institutional data must comply with IT Security Practices, as well as applicable laws and standards. Additionally, restricted/PHI data must be stored on servers located in the UAB data center and managed by UAB IT. Storing Credit/Debit card PAN data is not permitted. | 
| Storing or Processing: Endpoint Environment (e.g. laptop, phone, desktop, tablet, etc.) | Any/all systems that process or store Restricted Data must be encrypted volume and endpoint must require PIN and/or password for access to device. Storing Credit/Debit card PAN data is not permitted. Storing Restricted Data on personally-owned devices is not permitted. Devices storing or processing restricted data must be physically secure at all times. Avoid storing Restricted Data on portable devices. | 
| Storing on Removable Media (e.g. thumb drives, CDs, tape, etc.) | Not permitted unless required by law. If required by law, Restricted Data stored on removable media shall be encrypted and the media shall be stored in a physically secured environment. Storing restricted data on personally-owned media is not permitted. | 
| Electronic Transmission | Secure, authenticated connections or secure protocols shall be used for transmission of Restricted Data. | 
| Email and other electronic messaging | Messages with Restricted Data shall be transmitted in either an encrypted file format or only through secure, authenticated connections or secure protocols. Restricted Data may be shared through approved UAB services. UAB email forwarding to personal email accounts is prohibited. Messages with Restricted Data shall be transmitted only to other uab.edu or uabmc.edu email recipients. SSNs may not be shared through email or other electronic messaging. Credit card data may not be shared through email or other electronic messaging. | 
| Printing, mailing, fax, etc. | Printed materials that include Restricted Data shall only be distributed or available to authorized individuals or individuals with a legitimate need to know. Access to any area where printed records with Restricted Data are stored shall be limited by the use of controls (e.g. locks, doors, monitoring, etc.) sufficient to prevent unauthorized entry. Do not leave printed materials that contain Restricted Data visible and unattended. Social Security Numbers shall not be printed on any card required to access services. New processes requiring the printing of SSN on mailed materials shall not be established unless required by another state agency or a federal agency. | 
| Disposal | Follow the UAB Secure Media Destruction process for the secure disposal of discs, CDs, DVDs, tapes and hard drives. Repurposed for University Use - Multiple pass overwrite. NOT Repurposed for University Use - Physically destroy. Follow the Destruction of University Records Procedure for printed materials. Restricted Data that is no longer necessary for University business should be disposed to minimize risk of data breach. Refer to the UAB Records Retention Policy and Records Retention Schedule for specific guidance on records retention. | 
