Protected Information Handling Policy

Policy Statement

This policy describes a set of requirements that apply to all persons who use information that has been designated as protected information.

Reason for Policy

The primary purpose of this policy is to ensure that the necessary policy and awareness exist so that University employees and students comply with all applicable laws and regulations. This document establishes minimum requirements for the proper handling and protection of Adelphi Protected Information.

Who Is Governed by this Policy

This policy applies to all Adelphi University employees, students, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing information that is owned by Adelphi University and has been designated as protected information.

Policy

1. In consultation with the Information Security Officer, the Information Owner must define requirements for protection, disclosure of, and/or access to protected information.
2. All information categorized as Regulated, Protected, Critical, or Controlled is considered Protected Information.
3. Protected Information may only be created, collected, stored, transmitted and/or processed if a need to do so exists, and if that need cannot be satisfied in any other way.
4. Protected Information must be securely destroyed when it is no longer needed.
5. Protected Information must be handled with due care.
6. When loss of unauthorized disclosure of protected information has been detected, or if it is suspected to have taken place, the Information Security Officer must be notified and an information security incident may be declared.

Guidance

Using due care to handle protected information includes the requirement to appropriately restrict access to the protected information by placing it on a network server that has restrictive access controls in place, password protecting it, or encrypting it using a strong encryption algorithm. Due care also requires that protected records in non-electronic format are stored in restricted locked areas, such as closed and non-accessible offices, locked desk drawers, or locked filing cabinets. In addition, transmission of protected documents to personal addresses or any other non-approved destinations is not allowed. Limit the amount of copies made of sensitive data, and do not copy sensitive files to unencrypted portable media.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Definitions

Information Owner: A person or role who has the authority to make informed decisions about certain classes of information.

Forms

This policy does not have forms associated with it at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.

Related Information

This policy does not have related information at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.

Document History

• Last Reviewed Date: March 30, 2023
• Last Revised Date: September 01, 2017
• Policy Origination Date: June 18, 2009

Who Approved This Policy

Carol Ann Boyle, Chief Information Officer