Applies to: Faculty, Staff, Students, Contractors/Vendors
University of Health Sciences and Pharmacy in St. Louis (“University”) has adopted this policy to establish an Incident Response Plan (“IRP”) to manage the process for responding to a possible Security Incident involving Customer Information (“CI”) or Personally Identifying Information (“PII”) as defined below. The policy is intended to ensure a consistent process to follow when responding to any Security Incident, to mitigate potential risk and harm to affected parties, and to provide for post-incident review to facilitate appropriate changes to improve business practices for safeguarding and handling of Personal Information.
This policy applies to all faculty, staff, student workers, temporary employees, consultants, and vendors.
Customer Information (“CI”) means any record containing nonpublic, personally identifying information about a student or a Customer that is handled or maintained by or on behalf of the University or its affiliates. The term includes Personally Identifying Information (“PII”) that is: (i) provided to obtain a financial service from the University, or (ii) financial service with the University. Examples of a covered financial product or service include offering or providing credit or debit cards and student loans, grants, or scholarships. Examples of CI related to a financial product or services include tax or financial information obtained from a student or the student’s parent in connection with a financial aid award or application, income and credit histories relating to a credit card or loan application, account balances, the amount of funds transferred or disbursed to a student, and debt collection activity. Generally, nonfinancial information about students or information related to employee group benefits such as retirement plan participation levels are subject to other privacy or security requirements under other laws such as FERPA or ERISA.
Security Incident means the attempted or unauthorized access or acquisition of CI or PII that compromises the security, confidentiality, or integrity of such information. Good faith acquisition of CI or PII by a University employee or agent for a legitimate purpose is not a breach provided that the information is not used in a manner that violates the law or harms or poses an actual threat to the security, confidentiality, or integrity of the information.
Incident Response Team (“IRT”) means the Director, IT, the Vice President Operations, the General Counsel and Chief Compliance Officer, and such other individuals as the IRT may appoint to assist with a Security Incident or Breach.
Incident Response Team Coordinator means, in the case of electronically stored or transmitted CI or PII, the Director, IT, and with respect to CI or PII in physical form, the Vice President Operations.
Information Security Program (ISP) means the policies and practices implemented by the University to secure CI or PII.
Personally Identifying Information (“PII”) means the following information or data, stored or transmitted in any form, that involves an individual’s first name or first initial and last name in combination with any one of the following: social security number, driver’s license or unique identification number created or collected by a government body, financial account number, credit or debit card number in combination with any required security code, access code, or password, medical information, or health insurance information. PII also includes information that consists of direct or indirect identifiers covered under the Family Educational Rights and Privacy Act (FERPA), including the name and address of the student or family member, unique identifiers, date or place of birth, parents’ names, or other information which can be used to determine the identity of the student directly or indirectly through linkages to other information.
The IRT is responsible for identifying and coordinating the University's response to any suspected or actual Security Incident, including completing a post-incident assessment and report and making recommendations to the President for improving the ISP.
Post-incident Review and Report
| Position/Office/Department | Responsibility |
|---|---|
| Director, IT | Serves as the IRT Coordinator and is responsible for managing and responding to any Security Incident involving IT, prepares the incident report, and maintains related audit records and any logs or documentation. |
| General Counsel and Chief Compliance Officer | Provides legal advice throughout the discovery, investigation and remediation process on compliance, insurance claims reporting, privacy, security, and reporting issues, including assisting in developing the communication plan to impacted individuals and notifying law enforcement and governmental authorities as required by law. |
| Vice President, Operations | Serves as the IRT Coordinator and is responsible for managing and responding to any Security Incident involving CI or PII in physical form, prepares the incident report, and maintains related audit records and any logs or documentation. |
Family Educational Rights and Privacy Act, 20 USC Section 1232g, 34 CFR Part 99
UHSP Academic Catalog, Family Educational Rights to Privacy Act Policy
Information Technology Customer and Personally Identifying Information Security Policy
Missouri Revised Statutes 407.1500
| Name | Contact Information |
|---|---|
| Zachary Lewis, Director, IT | Zachary.Lewis@uhsp.edu (446-8402) |
| Eric Knoll, Vice President Operations | Eric.Knoll@uhsp.edu (446-8375) |