IT - Data Protection Action Plan

On this page:

1. KNOW how data is categorized at UMass Amherst
2. IDENTIFY: Have an accurate inventory of the sensitive data in your department
3. PURGE: Keep what’s necessary, delete what’s not
4. SECURE: Handle, store, & dispose of sensitive data securely
5. DOCUMENT the business processes that require the use of sensitive data
6. RESPOND: Know how to respond to potential data security incidents
7. UNDERSTAND the consequences of a security breach

State and federal legislation and University policies mandate that campus collages and departments take appropriate steps to protect the data available to them.

To comply with these requirements and enable the University to respond in case of a security or privacy breach, colleges and departments are required to:

1. KNOW how data is categorized at UMass Amherst

‘Sensitive data’ is a blanket term used to designate classes of data with a high level of sensitivity that the University is legally or contractually required to protect. Personal information, such as social security numbers, credit card information and health information are considered restricted and carry the highest level of sensitivity. In general, the sensitivity of data is directly proportional to the damaged caused if the data were to be accidently exposed or stolen. When in doubt, assume that any data you are handling is confidential and only use trusted applications to store this information.

2. IDENTIFY: Have an accurate inventory of the data in your department

Departments must develop a strategy for keeping track of the data available to them. This includes maintaining an up-to-date inventory of the data and IT devices that process, store and access the data.

3. PURGE: Keep what’s necessary, delete what’s not

University policies require departments to collect and retain only the minimum amount of data necessary and delete it when it is no longer needed. Departments must review their business requirements for data and purge data on an ongoing basis, in accordance with the records retention policies.

For more information on records retention, see: Record Retention and Disposition Schedules | Public Records | UMass Amherst

4. SECURE: Handle, store, & dispose of sensitive data securely

The following are general requirements for handling, storing, and disposing sensitive data securely. Other, more specific requirements may apply, depending on the type of data and the context in which data is being used.

Handling requirements
Faculty, staff, and students working with sensitive data should:

Not use, store, or display Social Security Numbers unless required by law.
Only collect, use and store data as necessary for business functions.
Only use the sensitive data essential to the performance of assigned tasks.
Use caution when disseminating sensitive data and only do so within the confines of the law and University policies. If in doubt, assume data is confidential and cannot be shared.

Storage requirements
Departments must choose appropriate storage solutions for all sensitive data available to them.

For storage guidance, see: Where can I store or share my data? UMass Amherst Service Categorizations

Disposal requirements
The UMass Amherst Office of Waste Management provides departments, faculty, and staff with a convenient, no cost way to destroy and dispose of computers, hard drives, backup tapes, and other media that contain sensitive data. This service is designed to help University departments comply with state and federal laws, and University policies. See Hard Drive & Magnetic Tape Destruction.

5. DOCUMENT the business processes that require the use of sensitive data

For compliance purposes, departments must identify the business processes that require them to use sensitive data and maintain internal documentation on:

The types of sensitive data available to them
The contexts in which sensitive data is used
The methods for collecting, storing, and sharing sensitive data

This documentation should be reviewed and updated as necessary.

6. RESPOND: Know how to respond to potential data security incidents

The primary goals of our incident response processes are to, as quickly as possible:

Comply with the relevant laws, business regulations, policies and standards
Contain the incident and reduce the risk to people, data, IT systems, and accounts.
Return affected systems, accounts and data back to an operational state.

For more information on how to respond to different types of potential incidents, see Information Security Incident Reporting and Response

7. UNDERSTAND the consequences of a security breach

Security breaches can have serious, long-lasting consequences. The reputation of the individual department as well as the University may be adversely affected. Departments may:

Be held financially responsible for the cost of the breach.
Risk legal action.
Face increased inquiries and audits from federal and state agencies.
Incur additional fines and penalties.