Confidentiality of Private Information

Introduction

This document describes the Institute's policy on security and confidentiality of certain private data and information, such as social security numbers. This policy covers both computerized and non-computerized storage and appropriate use of such information.

Background

In recent years, identity theft has become a major problem and has helped to fuel a drive for privacy of information that is gathered and stored by companies and institutions. Privacy concerns have also driven the creation of several laws, including FERPA (Family Educational Rights and Privacy Act), the Gramm-Leach-Bliley Act ("GLB"), the Health Insurance Portability and Accountability Act ("HIPAA"), and the California Data Security Law. This document is intended to set forth Caltech's policy on protected data and information and to ensure Caltech's compliance with these laws.

Definitions

Covered or protected data and information means sensitive, personal information. For the purpose of this policy, it includes student financial information required to be protected under GLB, medical and health insurance information required to be protected under the California Data Security Law, and other personal information that is not directory information or publicly available. In addition to this coverage, an individual's first name or first initial and last name in combination with any one or more of the following data elements is considered protected data when either the name or the data elements are not encrypted: (i) Social Security number; (ii) driver's license number or California Identification Card number or (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. Caltech chooses as a matter of policy to also define covered data and information to include any credit card information received in the course of business by the Institute, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.

Student financial information is that information the Institute has obtained from a student or parent in the process of offering a financial product or service, or such information provided to the Institute by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR 225.28. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

Medical information is any information regarding an individual's medical history, mental or physical condition, medical treatment or diagnosis by a health care professional.

Health insurance information is an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

Policy

It is the policy of the California Institute of Technology that the collection of protected information be limited to the extent possible, that all necessary precautions are taken to maintain such information securely and that access to such information is limited only to those with a legitimate Institute purpose and need. In addition:

Central storage of protected information, whether computerized or hard copy, is the preferred method of storage for protected information. Personnel should understand that local storage of protected information is discouraged and that where done, extreme care must be taken to ensure security. The individual will personally bear the responsibility for any breaches related to their local storage of protected information.

  1. Computerized central storage of protected information is limited to approved servers. Servers are approved by Caltech's Information Security office and will only be approved where a valid Institute business need exists for the server to store protected information. Approved servers must be maintained in a way so as to be as secure as practicable: physical security must be ensured, security patches must be kept up to date, access granted and revoked according to established procedures, appropriate usernames and strong passwords or other secure access credentials used, and access logged or audited. Network access to these servers must be controlled via an appropriately configured software or hardware firewall, and login credentials for network-based access must be transmitted in encrypted form only. Once approved, these servers will be scanned for security on an annual basis.

  2. Physical Security - Paper documents containing protected information must be kept in file cabinets, rooms or vaults that are locked. Paper documents that contain protected information are shredded at the time of disposal.

  3. Protected information should be transmitted electronically in a way so as to avoid interception of such information. As an example, encrypted email should be used as a transmission medium, and servers containing protected data should be accessed using SSL or similar encryption protocols.

  4. Contractors that handle or store protected information on Caltech's behalf must be contractually bound to safeguard and secure protected information.

  5. In the event of a breach of security involving protected information, the Office of the General Counsel will be notified as well as Campus Security or Information Security as appropriate.

  6. If a breach of security occurs and protected information is released, the affected individuals will be promptly notified.

last updated December 2007