Generally, any use or processing of data like Social Security Numbers, HIPAA ePHI, or donor information has been considered “high risk” by the university under APM 30.11. Compromise of this data may have significant impact on the university, the individual, or both. In addition to direct legal or breach costs, this may include reputational costs that are difficult to estimate or recover from.
The best practice is to use only benefits-eligible employees who have successfully passed a criminal background check for processing of this kind of data. Processing of high risk data should be considered “security sensitive” under APM 50.16 and requires a criminal background check, even if the position doesn't automatically require it under policy.
However, if it becomes necessary to augment university work force with temporary help it may be difficult to limit this access to only benefits-eligible employees. Please consider the following:
-
Does this work really need to be done? Eliminating the work that requires handling of sensitive data would reduce or eliminate the risk of compromise.
-
Can duties be shifted to keep the high risk data access only with full time employees?
Temporary employees may increase the risk to university data because they have little financial motivation to stay at the university or follow all policies and standards. Additionally, many times temporary help employees, particularly students, have very limited background to be checked in a criminal background check. But at the same time, we have the opportunity to instill in our temporary employees the conscientious and ethical behavior which will benefit both the university and their future employers.
If you encounter a situation where you still require a temporary help employee to use or process high risk data, make sure use of temporary employees has been explicitly authorized by the data owner. This should include review of mitigations being used. Consider the following mitigations:
-
Include in the job description that the position requires successfully passing a criminal background check, per APM 50.16
-
Limit access to high risk data to only that which is required of the work being performed.
-
Data access should be limited to employee type accounts, and not granted to student or other accounts. (See: Identity and Access Management APM 30.10)
-
Supervisors should be clear and transparent on the job expectations, and share with the employees all requirements around safe handling of the data, including how to manage their account, never sharing their password, where encryption is required, where data can be stored, etc. (See: Acceptable Use APM 30.12)
-
Have the employee sign a non-disclosure agreement (NDA) that emphasizes the importance of protecting university data, and following UI policies. (See General Counsel for an NDA appropriate for your area.)
-
Include ethics training, or a signed code of ethics if appropriate, as part of employee orientation. (We are not aware of an individual ethics agreement currently available at UI, but please see FSH 3170.)
-
Employee onboarding should include completion of IT Security and other required employee training prior to any access being granted.
-
Any suspected use or misuse of accounts, violations of IT policy, or potential breach of high risk data, must be reported to OIT Security immediately (security@uidaho.edu).
-
High Risk data should only be accessed from a device owned and managed by the university that meets all requirements for accessing high risk data, including device encryption, and no personal devices should be used.