Ohio Admin. Code 3354:2-11-04

Current through all regulations passed and filed through October 28, 2024
Section 3354:2-11-04 - Data security and privacy assurance
(A) Purpose
(1) Lakeland community college endeavors to protect the confidentiality, integrity and availability of all data in its care. Lakeland provides legitimate and timely access to information necessary to its teaching, learning, and administrative functions in support of its mission. The college recognizes that the interests of information security and free access to information are at times in conflict. Lakeland will attempt to resolve these conflicts, but where it views protection as necessary to comply with federal, state, or local laws, it will favor protecting the data.
(2) Information security is to be embedded into all Lakeland activities. Rather than being merely the responsibility of the designated compliance officers, every Lakeland employee is responsible for the security of college information.
(B) Definitions
(1) Information security means that data that should remain confidential is protected against inappropriate use, while data required to carry out the college's mission remains available to those who need it.
(2) Covered data refers to all information collected by, shared with, or reported to the college in the course of its daily activity that is protected by local, state or federal law or that the college is contractually obligated to protect. In addition, Lakeland may designate additional covered data through the creation of standards, procedures and guidelines. Covered data includes, but is not limited to:
(a) education records of students as defined by the Family Educational Rights and Privacy Act (FERPA);
(b) protected health information as specified by the Health Insurance Portability and Accountability Act (HIPAA);
(c) information covered by the identity theft regulations enacted by the Federal Trade Commission at 16 C.F.R. Part 681 (the "Red Flags" Rule);
(d) student and customer financial information as specified by the Gramm-Leach-Bliley Act; and
(e) credit card data covered by the Payment Card Industry Data Security Standard (PCI DSS).
(C) Guiding principles
(1) Compliance. Lakeland is committed to ethical business practices and compliance with all applicable laws, regulations, and policies that govern the privacy of covered data.
(2) Minimize access privileges. Lakeland only grants to assigned individuals the reasonable, minimum access to covered data as needed to accomplish their institutional or pedagogical goals.
(3) Separation of duties. As can be reasonably accommodated, for each assigned duty that uses covered data, the College assigns one or more individuals or review bodies to oversee the proper handling and protection of that data.
(4) Balance with Ohio Public Records Law. Lakeland favors reasonable expectations of privacy of its constituents, consistent with the accomplishment of institutional goals and in accord with applicable laws, standards and college policies. However, the college must always balance that expectation against any records request under the State of Ohio's Public Records Law.
(5) Notification. In the event of a breach of security that leaks covered data, senior college officials will determine, in light of the circumstances and applicable law, what risks are posed by the breach and whether and how those persons whose covered data was released should be notified.
(D) Responsibilities
(1) Compliance officers are responsible for the creation, implementation, and oversight of information security for Lakeland's covered data. Although these compliance officers may report to different college officials, they are required to work closely together, along with other Lakeland employees, to:
(a) identify reasonable, foreseeable vulnerabilities and threats to covered data;
(b) design and implement safeguards to minimize risk, including the development and communication of college procedures;
(c) periodically evaluate the effectiveness of safeguards;
(d) limit the damage from security breaches; and
(e) report findings to relevant college officials.
Lakeland's designated compliance officers by area are the:
(i.) Director for admissions and registrar for the Family Educational Rights and Privacy Act;
(ii.) Director for human resources for the Health Insurance Portability and Accountability Act;
(iii.) Controller and bursar for red flag rules;
(iv.) Director of administrative technologies for the Gramm-Leach-Bliley Act; and
(v.) Director of financial systems and deputy treasurer for the Payment Card Industry Data Security Standard.
(2) In addition to its compliance officers, Lakeland has established additional responsibilities to support information security for its covered data including, but not limited to:
(a) Network, system, database, and application security administrators, who define standards, procedures, and guidelines that minimize the risk of intrusion or breach, while allowing Lakeland entities to utilize these assets to their maximum benefit;
(b) Area data custodians. Every piece of information collected by the college in its daily activities is collected on behalf of a department that requires that data for the realization of a specific goal. Employees in these departments are the custodians of that data, and have a responsibility to work with the relevant compliance officers to maintain the confidentiality and integrity of any covered data; and
(c) Incident response teams. An incident response team will be activated when a possible breach in information security for college covered data occurs, to provide an effective and orderly response and communications. An incident response team will include relevant college officers and the affected compliance officer(s).
(E) Additional assurance responsibilities
(1) If, in the process of executing their duties, a member of Lakeland discovers a possible breach of information security for college covered data, they must report their findings immediately to either:
(a) a college officer; or
(b) the relevant compliance officer. That college or compliance officer will coordinate the necessary steps to investigate the possible breach and concurrently notify the college's chief of staff. The college's chief of staff will determine the appropriateness of activating an incident response team.
(2) As permitted by federal, state, or local laws, covered data may be disclosed to third parties pursuant to an executed agreement that contractually requires the third party to implement and maintain the necessary information security safeguards.

Effective: 3/20/2015
Promulgated Under: 111.15
Statutory Authority: 3354
Rule Amplifies: 3354
Prior Effective Dates: