Overview:
Data is one of UC Berkeley’s most critical assets. The complexity and volume of the data we are taking in is growing while at the same time regulatory requirements are becoming more stringent. These factors make correctly managing data vital for ensuring its confidentiality, integrity, and availability remain intact.
The data management lifecycle:
Proper handling of data throughout its lifecycle is critical to optimizing its utility, minimizing the potential for errors, and protecting it from breaches. No matter who has access to the data or where it resides, protecting university Institutional Information is required. As a general rule of thumb,
- Collect and retain only that data which is essential to the performance of assigned tasks, and
- Securely delete personal or sensitive information when there is no longer a business need for its retention.
Additionally, individuals and departments are urged to establish procedures to minimize the collection, distribution, and retention of personally identifiable information (PII) to the extent possible while still meeting business needs.
Below are questions that should be asked within each of the four phases pictured above.
Planning and Creation:
- Has the data been properly classified per Berkeley’s Data and IT Resource Classification Standard?
- Check out our helpful Data and IT Resource Classification Guideline.
- Based on the classification, are plans in place to meet the Minimum Security Standards for Electronic Information?
- If non-UC vendors or service providers have access to the data, is UC's "Appendix - Data Security" contract language included in agreements involving personal information or other sensitive information?
- In addition to the above, are there any legal, regulatory, or access requirements that could apply to the data? Examples of Regulations that apply might include (but are not limited to):
- California Data Security Breach Notification Law (CA Civil Code 1798.29)
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- Gramm-Leach-Bliley Act (GLB Act or GLBA)
- California Public Records Act (CA Government Code Division 10)
- Note: Several of the above laws and regulations require notification of affected individuals or regulatory bodies in the case of a data breach. Notification typically must happen very quickly, so be prepared in advance for this eventuality.
Using and Sharing (including transmitting electronically):
-
How will the data be used and shared?
-
Are people informed of the level of sensitivity of the data they will be using/receiving and made aware of protection requirements?
-
Are processes in place to ensure that access to sensitive data is only provided to those who need it to perform assigned duties?
-
Is personal or sensitive information not critical to the task redacted from data sets prior to sharing?
-
Have you read Berkeley’s requirements for sharing and storing data in bMail, bDrive, and Box?
-
Will data be emailed or transferred in a manner that meets UC Berkeley’s security requirements?
-
Are there appropriate data use agreements in place per UC Berkeley’s requirements?
-
Are there appropriate data access agreements in place per UC Berkeley’s requirements?
-
If required, is your data de-identified per UC Berkeley requirements?
-
If you are publishing or copyrighting your research does it meet UC Berkeley requirements?
Storing:
-
Will the data be stored via a UC Berkeley-vetted contracted service or tool?
-
Researchers https://researchdata.berkeley.edu/service-areas/data-storage-backup
-
General https://bconnected.berkeley.edu/collaboration-services
-
How will the availability of the platform be maintained?
-
Will the data and system adhere to the UC Continuity Planning and Disaster Recovery Policy?
-
Will the data be backed-up?
Destroying:
-
Are you following the UC Berkeley Records Retention Schedule?
-
Is your paper media destroyed per UC Berkeley requirements?
-
Is your electronic media destroyed per UC Berkeley requirements?
-
Did you perform adequate data off-boarding procedures at the end of your project?
For Developers:
-
Are databases designed so that personal information can be identified?
-
Whenever possible, configure electronic applications that check authorizing or authenticating databases to return confirming responses rather than personal information.