This policy applies to all students, employees, foundations, vendors, contractors, third-party systems vendors and agencies which handle or process MTSA data for any reason. Individuals/organizations listed above are responsible for reading, understanding and abiding by this policy and are collectively referred to henceforth as “policy constituents”.
Purpose:
The purpose of this policy is as follows:
- To make policy constituents aware of their responsibility regarding the “handling” (collection, storage, transmission, processing, transport, and/or disposal) of all MTSA data, particularly “sensitive data”.
- To provide guidelines and acceptable practices for handling sensitive data.
- To identify unacceptable practices and emphasize that these practices be discontinued immediately.
What is Sensitive Data?
Sensitive data is any data that can be used for unintended purposes depending on the situation and circumstances. Data related to identity theft such as SSN, credit card number, bank account information, driver’s license, professional licensure, Middle Tennessee School of Anesthesia Identification (MTSAID), other unique IDs, name, address, passwords, PINS, and ID pictures are of particular concern as all or most of this information is collected in the course of School business.
None of these numbers, or parts of a sensitive sequence of numbers should be used for the MTSAID. Other types of data such as donor information, mailing lists, scholarship information, and financial information are examples of data that could require confidential handling and/or restricted access. The above examples are not exhaustive or all inclusive. Policy constituents handling any School data must understand what data is sensitive and confidential in nature.
Data Handling Guidelines:
- Do not collect and/or store SSN unless it is required by a federal or state agency and there is no other option in terms of unique identifier. If collection and storage of a SSN are required for operations, a written explanation should be sent to the Executive Vice President and the Director of EducationTechnology explaining why SSN must be utilized and how and where it is being collected/stored.
- Use the MTSAID assigned to all students as the unique identifier for all MTSA students. If the MTSAID is not available or does not exist for certain populations, use a non-SSN type of ID.
- Data should be stored in as few places as possible and duplicated only when necessary. Unless absolutely necessary, data should be stored in Sharefile only.
- Avoid storing data on individual computers or creating “Silo” databases that duplicate data in Sharefile.
- Inventory and identify the data under your control that is external to Sharefile. Know where you have data and in what form (electronic, paper, etc.). Keep data that you control “cleaned up” by purging files in a timely manner. Data on old machines, network drives, floppy disks, backup tapes, etc. should be inventoried and purged/archived or moved to more secure locations.
- Do not store or copy sensitive data to mobile, external storage devices such as CD, DVD, floppy disks, laptops, USB memory devices, PDAs, cell phones, or any other device that can easily be copied, stolen or compromised.
- Do not store or copy sensitive data to local workstations unless such data is not available in Sharefile. If you must store data on your workstation, it is your responsibility to secure your workstation and/or ensure that only authorized individuals have access.
- Do not use shared network drives to share or exchange data internally or externally unless you are certain that access to those shared drive resources is restricted to individuals authorized to handle such data.
- Know and understand your environment technically. Understand who has access to areas where you send, receive, store, or transmit data. Attend any MTSA Sensitive Data Protection seminar offerings.
- Transmission of any sensitive data should be encrypted. Websites should use HTTPS or SSL encryption if they collect data. FTP/Telnet or any other means of transferring files and data should use encrypted versions of these protocols: Example SSH and SFTP. When in doubt, contact the Director of Information Technology.
- Do not send, receive, or store any sensitive data using email under any circumstances. Email is not secure.
- Under no circumstances should credit card numbers be collected and stored on stand-alone devices, digital media, or paper media. Processing credit card numbers should be done via secure methods which authorize or deny the transaction in real time but DO NOT retain or store the credit card number. Collecting credit card numbers via phone calls, websites or email and retaining such numbers on paper or in electronic files for some sort of periodic processing is a bad practice. It is insecure and should not be used. If you need help processing credit cards securely, contact the Business Office. Any administrator’s credit card information used by assistants in making travel or other arrangements will be kept in a secure location.
- Report any breaches, compromises, or unauthorized/unexplained access of sensitive data immediately to the Director of Information Technology and MTSA Administration.
Policy Adherence:
Abuses or violations of this policy will be referred to the President’s Council for consideration under the School’s disciplinary processes. The School reserves the right to take any action, up to and including suspension/dismissal for an MTSA student and discipline/termination for an MTSA employee.
All employees of the School are responsible for reading and understanding this policy and must certify that they have read it and understand it.