8.2.2.19 Category D2 Data Protection Standard

Summary

This standard defines the minimum data protection practices for Category D2 - Research data.

Body

Purpose

Category D2 data includes research data generally planned for release or publication to the public, or data not under contractual or regulatory obligations for data protection. Category D2 data is governed by the State of Oklahoma Policy, Standards, Procedures, and Guidelines (PSPG).

Data Collection and Use

  1. Use of de-identified clinical research data for IRB-approved or IRB-waived studies must be approved by the Clinical Research Informatics Oversight Committee.  
  2. A Notice of Collection that describes the purpose for which personal data is collected must be specified at, or prior to, the time of collection (also known as the Right to be informed).  Data collected must only be used in accordance with the Notice of Collection.

Granting Access or Sharing

  1. Reasonable methods shall be used to ensure Category D2 data is accessed by or shared with authorized individuals or individuals with a legitimate need to know.
  2. Per the Identity and Access Management Policy, all access shall be approved by an appropriate Data Owner or Steward and tracked in a manner sufficient to be auditable.
  3. Staff, faculty, or student accounts must authenticate to Category D2 data using an approved authentication method, in accordance with the Identity and Access Management Policy.
  4. Data Owners and Stewards must review access to Category D2 data in accordance with the Identity and Access Management Policy.

Disclosure or Posting

  1. Disclosure or public posting of Category D2 data is not permitted unless approved by the Sponsor and the Principal Investigator.

Electronic Display

  1. Reasonable methods shall be used to ensure Category D2 data is only displayed to authorized individuals or individuals with a legitimate need to know. 

Open Records Request

  1. Data can be readily provided upon request with approval from the OU Open Records Office. 

Exchanging with Third Parties, Service Providers, or Cloud Services

  1. Reasonable methods shall be used to ensure the third party’s responsibilities for confidentiality/privacy of the data are defined and documented.
  2. An IT Security Assessment must be scheduled with OU IT GRC before the purchase or integration of new hardware, software, or third-party technology services that collect, store, transmit, or process Category D2 Data. 
  3. All contractors, consultants, third parties, or other non-employees must only be given Privileged Access to data or systems when the Data Steward or Asset Administrator determines there is a legitimate business need.  These privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of the approved tasks.  Unattended access by contractors, consultants, third parties, or other non-employees requires that an OU IT Exception Request be submitted.
  4. All access by contractors, consultants, third parties, or other non-employees must be monitored and reviewed by the Office of Information Technology and Asset Administrators.

Storing or Processing: Server Environment

  1. Servers that connect to the OU network shall comply with IT Security Policies and Standards.

Storing or Processing: Endpoint Environment (e.g., laptop, phone, desktop, tablet, etc.)

  1. Endpoints that connect to the OU network shall comply with IT Security Policies and Standards.
  2. Category D2 data must not be stored on a laptop unless encrypted in accordance with the Encryption Standard.

Storing on Removable Media (e.g., USB drives, flash drives, CDs, DVDs, etc.)

  1. Category D2 data shall only be stored on removable media if encrypted in accordance with the Encryption Standard.

Electronic Transmission

  1. No protection requirements

Email and other Messaging

  1. Reasonable methods shall be used to ensure Category D2 data is only included in messages to authorized individuals or individuals with a legitimate need to know.

Copying and Printing

  1. Data should only be printed when there is a legitimate need.
  2. Paper copies of data must be limited to individuals with a need to know.
  3. Paper copies should not be left unattended where others may see them.
  4. Unauthorized access to printed materials must be prevented by locking doors, cabinets, etc.

Retention and Disposal

  1. Data shall be retained in accordance with the State of Oklahoma General Records Disposition Schedule for State Universities and Colleges or contractual obligations.
  2. Copies of records may be destroyed when they are no longer required for administrative purposes.
  3. Data shall be deleted and rendered unrecoverable using a DoD 3-pass secure deletion technique.
  4. Printed materials or paper copies shall be destroyed by the shredding method.

Revision, Review, and Approval History

  • October 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
  • January 2024: OU IT Governance, Risk, and Compliance: Comment period closed
  • March 2024: OU IT Governance, Risk, and Compliance: Added Granting Access and Sharing statements.  Added Exchanging with Third Parties statements.  These statements align with the Identity and Access Management Policy.

Details

Article ID: 3100
Created
Wed 10/25/23 2:15 PM
Modified
Tue 4/2/24 10:14 AM
