Department: UW School of Dentistry IT Services
Effective Date: 2/25/2016
Revision Date: 11/16/2023
Reviewer: Compliance & Training Committee, Alex Agpalo
Purpose
This policy establishes UW School of Dentistry requirements for protecting the confidentiality, integrity and availability of electronic data. It also addresses related regulatory requirements, and summarizes existing University policies as they apply to the use and protection of electronic data.
Applicability
This Electronic Data Policy applies to all electronic data associated with UW School of Dentistry business; UW School of Dentistry electronic data and all other electronic data that applies to the University of Washington must also comply with UW Data Classification.
Policy
All workforce members must comply with the UW policies and the following requirements governing the classification, use, handling, transmittal, storage, retention, disposal, and manipulation of UW School of Dentistry electronic data.
Data Classification (DC)
To know what security controls to put in place on a system and to safeguard the electronic data; it must be properly classified.
Requirement: (DC-1) All data must be classified as public, restricted, or confidential in accordance with the UW APS 2.10 – Minimum Data Security Standards: Data Classification and Related Measures of Protection.
Data Storage (DS)
Based on the data classification, there are specific requirements around how electronic data can be stored on a computing system or mobile computing device.
Requirement: (DS-1) All electronic data must be stored on a computing device with security controls sufficient for the protection of and by the class of the data.
Data Access (DA)
All user access to electronic data will be based on the principle of least privilege”.
Requirement: (DA-1) Access to electronic data must only be provided according to a user’s job function. System Owners must ensure that user access is limited by job function and appropriate data access is granted based on the principle of least privilege.
Requirement: (DA-2) All workforce members that approve access for users must document the users access privileges that they approve.
Physical Security (PS)
All data that is not otherwise encrypted must be physically secured.
Requirement: (PS-1) Data centers and other areas where operational computer equipment with data is maintained or stored must be secured. Physical access controls and records must be maintained.
Data Removal (DR)
Individuals removing electronic data from its original computing system are responsible for its confidentiality and integrity.
Requirement: (DR-1) Electronic data that is classified as Restricted or Confidential cannot be taken out of UW School of Dentistry facilities without the workforce member’s manager’s approval (i.e. – supervisor, director, chair, dean).
Data in Transit (DT)
Electronic data in transit (e.g., email, “cloud” services, copying to removable media, text messaging, etc.) must be managed in a manner that prevents inappropriate access, data loss, or alteration. No matter what method is employed to transfer data from one place to another, these requirements must be followed.
Requirement: (DT-1) All restricted and confidential electronic data in transit must be encrypted or otherwise physically secured in a manner that prevents its theft or inappropriate use. This includes computing system to computing system communications via shared public networks.
For guidance on how to use UW email securely, please see our policy on Emailing Protected Health Information (PHI).
When possible, verification of receipt of the Restricted or Confidential information should be provided by the data recipient.
Data Backup (DB)
Electronic data is vulnerable to many different threats that may make it unusable. The computing devices that store the data may also become inaccessible at times when the data is needed.
Requirement: (DB-1) All electronic data must be backed up at a frequency that meets the business need for that data.
Requirement: (DB-2) All systems designed to retain electronic data must have operational and/or electronic procedures to support emergency mode operations should the electronic data become unavailable or in case of loss. Data retained on backup electronic media must be tested for use and integrity on a regular basis.
Data Disposal (DD)
Electronic data accumulates on computing devices and electronic storage media the longer they are in service. Much of the data used for job functions is considered Restricted or Confidential and may not be used by the next workforce member receiving that computing device.
Requirement: (DD-1) All Restricted and Confidential electronic data must be electronically erased, removed, or physically destroyed from all computing devices prior to recycling, reuse or reassignment in a manner which does not allow for its restoration with readily available resources.
Data Retention (DRT)
Many regulatory requirements and policies stipulate that data must be retained for a specific period of time for audit and record keeping.
Requirement: (DRT-1) Electronic data must be retained in accordance with its classification and type. Legal mandates and subpoenas for data will supersede local requirements should they be in conflict.
Data Integrity (DI)
For electronic data to be used properly for its intended purpose it must not be accidentally or inadvertently altered from its usable state.
Requirement: (DI-1) All electronic data must be checked for unauthorized changes according to its classification. Data with a higher criticality and classification must be verified in a manner consistent with its use and criticality.
Requirement: (DI-2) All electronic data must have safeguards in place to mitigate the possibility of unauthorized data alteration.
Policy Approval
This policy was signed and approved by:
André V. Ritter, DDS, MS, MBA, PhD Dean
University of Washington School of Dentistry