°ÄÃÅÁùºÏ²Ê¹ÙÍø¿ª½±

Live now: Board of Curators meeting

UM System

HR-124 HR Data Security

Summary

The °ÄÃÅÁùºÏ²Ê¹ÙÍø¿ª½± maintains essential employment data which must be managed, used, and protected in accordance with federal and state laws, and with university policies to ensure its integrity, availability, privacy, and confidentiality. This policy applies to the management and distribution of human resources and payroll data to external University sources and internal proprietary systems, including but not limited to integrations with third-party systems and data feeds to systems other than approved HR System of Record technologies.

This policy does not apply to standard PeopleSoft queries and reports used for authorized internal purposes, regulatory requirements, or information provided in de-identified aggregate.

If any part of this policy does not reflect the Collected Rules and Regulations (CRR), the provisions of the CRR will govern.

HR Policy Provisions

  1. Purpose – This policy provides a framework for protecting sensitive and confidential HR data in connection with the Data Classification System policy, specifically as it applies to data feeds to external University sources and internal proprietary systems.

  2. HR Data Classification Levels
    Human resources data requests are classified by the HR Data Security Team in accordance with university information security Data Classification System levels and definitions below. If any part of the information below does not reflect the Information Technology Security Office policy noted at umsystem.edu/ums/is/infosec/classification-definitions, the provisions of the Information Technology policy will govern.

    DCS LEVELS

    EXAMPLES
    DCL 1 - Public data or information which is purposefully made available to the public. Job postings, name, employment dates, job title, and work address/phone/email.
    DCL 2 - Sensitive data or information which is not openly shared with the general public but is not specifically required to be protected by statute, regulation, or policy. EmplID number, personal cell phone numbers, department policies, salaries, degrees, and certificates.
    DCL 3 - Restricted data or information which is highly confidential business or personal information. There are often general statutory, regulatory, or contractual requirements that require protection of the data. It is intended for a very specific use and should not be disclosed except to those who have explicit authorization to review such data. Performance records, date of birth, date of death, home address/phone number/email, gender, ethnicity, race, citizenship, visa/immigration status, disability, and ADA accommodations.
    DCL 4 - Highly restricted data is business or personal information that is required to be strictly protected. There are often governing statutes, regulations or standards with specific provisions that dictate how this type of data must be protected. It is intended for a very limited use and must not be disclosed except to those who have explicit authorization to view or use the data. Social security number, bank account information, credit card information, employee tax records, driver’s license number, and individually identifiable health information including but not limited to protected health information (PHI).
  3. Responsibilities
    1. Campus, Hospital, and System Human Resourcesare responsible for reviewing and authorizing DCL 1-2 level HR data requests.
    2. HR Data Security Team, as identified by the Vice President of Human Resources, is responsible for reviewing and making recommendations for authorizing DCL 3-4 level HR data requests. The team may include HRIS, Office of General Counsel, Information Technology, Internal Audit and Compliance, and others as approved.
    3. Data users, including employees, contractors, vendors, and other entities who are authorized to use institutional data in conducting university business, may be required to sign a confidentiality agreement.
  4. Use or disclosure of data
    1. HR Data may only be distributed for approved University business purposes. 
    2. Approved DCL 3-4 data shall be transmitted in a secure manner as approved by IT Security and the Information Technology Standards and Requirements Questionnaire (ITSRQ) approval. 
    3. Persons who violate this policy may be denied access to university resources and may be subject to other penalties and disciplinary action. 
    4. Any suspected loss or unauthorized use or disclosure of DCL 3-4 data shall be reported immediately to the appropriate information security office. For more information, please see Mandatory Reporting Requirement site.
  5. Procedure Information
    1. All requests in accordance with this policy are submitted and reviewed by the respective campus or hospital Human Resources office.
      1. Requests for DCL 1-2 are approved or denied by the campus or hospital HR department.
      2. Requests for DCL 3-4 are submitted to UM System HR Data Security team by completing the HR Data/Interface Request form (see link below).The Data Security Teams will review and recommend approval or denial of DCL 3-4 requests to the Vice President of Human Resources or designee.
    2. If applicable, the ITSRQ process must also be completed with the Department of Information Technology in accordance with policy BPM 12004.
    3. Approved DCL 3-4 requests should be reviewed periodically. If the previously approved elements have changed, or the data elements no longer meet their purpose, a new request may be required. Please review the ITSRQ approval summary for additional information.
    4. At least every three (3) years, or at external contract renewal periods, existing DCL 3-4 approvals may undergo a review.

See Also

 
Access to IT Accounts and Electronic Information 
CRR Section 110.005: Acceptable Use Policy 
Data Classification Systems 
Information Management Policy 12000 
Information Technology & Telecommunications Purchases Policy 12004

Date Created: 10/25/2024
Updated:

Reviewed 2024-10-24