UNIVERSITY OF PITTSBURGH POLICY 10-02-06
CATEGORY: SUPPORT SERVICES
SECTION: Computing, Information, and Data
SUBJECT: University Administrative Computer Data (UACD) Security and
Privacy
EFFECTIVE DATE: February 1, 2007 Revised
PAGE(S): 2
I. SCOPE
This policy establishes data security standards and practices for the
protection of University administrative computer data (“UACD”) from
unauthorized disclosure, and includes the rights and responsibilities of
computer data users. It applies to all users of University administrative
computer data.
II. POLICY
Protecting University Administrative Computer Data
Computer systems within the University contain information necessary to
conduct the business of the institution. This information is defined as
University administrative computer data (“UACD”). Examples include
employee personnel records, student educational records, financial data,
and electronic documents as well as e-mails used for administrative
purposes.
UACD are institutional resources and must be protected from unauthorized
modification, destruction, or disclosure, whether accidental or
intentional.
It is the responsibility of all levels of management to ensure that all
UACD users within their area of accountability are aware of their
responsibilities as established by this policy, and to guarantee a
secure office environment with regard to UACD.
Users of UACD are responsible for:
- Complying with all University computer security and access policies,
procedures and standards.
- Using UACD only as required in the performance of their job
functions.
- Disclosing confidential UACD only to other faculty, staff, or
students whose responsibilities require knowledge of such data.
- Exercising due care to protect UACD from unauthorized use,
disclosure, alteration, or destruction.
- Adhering to applicable federal and state laws and University
procedures concerning storage, retention, use, release,
transportation, and destruction of data.
Each user of UACD is responsible for all transactions occurring during the
use of his or her user ID and/or password. A workstation logged into the
network with access to UACD must not be left unattended. The sharing of
passwords and/or use of any University computer account is prohibited.
Access to University Administrative Computer Data
Access to UACD is permitted only to those individuals who are authorized
to use UACD as required in the performance of their job functions.
The University will comply with all applicable laws and regulations
regarding the collection, maintenance, dissemination, and protection of
data. Employees and students may review personal information maintained
by the University. Such reviews will be only at reasonable times and only
in accordance with University policy and the law. See Policy 07-06-05,
Access to Employee Personnel Files; and Policy 09-08-01, Access to and
Release of Education Records.
The Data Owner of UACD, as identified in University Policy 10-02-04,
Computer Data Administration, will confer with University counsel to
obtain advice on legal security requirements and regulations and the
interpretation of privacy laws, and will consult with senior management
regarding information access to University data.
Reporting Violations of Data Security Policy
Violations of this policy should be reported immediately to the
University’s Information Security Officer or to the Office of General
Counsel, or by sending e-mail to abuse@pitt.edu. The University will
strive to maintain confidentiality to the extent possible consistent with
other obligations.
Disciplinary Action
Violations of this policy will result in appropriate disciplinary action,
which may include loss of computing privileges, suspension, termination,
or expulsion from the University, and legal action.
Violations of any federal, state, or local law concerning the unauthorized
access or use of University computers and computing services will result
in the appropriate disciplinary action, up to and including termination
from the University.
III. REFERENCES
Policy 07-06-05, Access to Employee Personnel Files
Policy 09-08-01, Access to and Release of Education Records
Policy 10-02-04, Computer Data Administration
Policy 10-02-05, Computer Access and Use