Data Security Policy

1. No member of the USF community is permitted to electronically store or maintain credit card or debit card numbers, expiration dates, and/or security codes in any way relating to USF or USF-sponsored activities. Information Technology (IT) must approve the use of any system or application that electronically processes, stores, or transmits credit card data.

2. Paper documents containing credit card data should be secured in a locked office and stored in a cabinet. In an open office environment paper documents should be stored in locked cabinets. Paper documents should not be left in an unsecured office after work hours. When the information is no longer needed, the physical documents must be shredded using a university-approved device prior to being discarded; or destroyed by a university-approved facility.
All credit card processing (e.g., online, phone, mail, over-the-counter, card-swiping) must be reviewed and approved by the Vice President of Administration and Finance.

3. The following Confidential data types can only be electronically stored on an IT managed server and can only be accessed from an IT managed computer.

• Social Security number
• Driver's license number
• State/Federal ID card number
• Passport number
• Financial account numbers (checking, savings, brokerage, CD...)

In the event that an exception is necessary in order to carry out the business of the University, the user must get written approval from both his/her Vice President, as well as, the Vice President for Operations and Technology.

4. It is recommended that all other Confidential data and Restricted data types be electronically stored or accessed from one of the following list of devices, in order of preference: IT managed server, IT managed desktop computer, encrypted laptop, encrypted mobile storage device. Any encrypted device must be encrypted using a process documented and approved by IT.

5. When handling physical documents containing any Confidential and/or Restricted data types, the documents must be in your possession at all times; otherwise they should be stored in a secure location (e.g. room, file cabinet, etc.) to which only specifically-approved individuals have access through lock and key. When the information is no longer needed, the physical documents must be shredded using a university-approved device prior to being discarded; or destroyed by a university-approved facility.
Confidential data and Restricted data should not be taken or stored off-campus unless the user is specifically authorized to do so by a Vice President and notification of the authorization is sent to the Vice President for Operations and Technology.

6. University of St Francis reserves the right to electronically scan all USF-owned resources and resources connected to the USF network for Confidential data. In the event that Confidential data is found in unauthorized locations, the Vice President for Operations and Technology will follow-up with the responsible Vice President to remedy the situation.

7. Confidential data cannot be transmitted through any electronic messaging (i.e. email, instant messaging, text messaging) even to other authorized users. Confidential data in a physical format cannot be transmitted through untracked delivery methods. Campus mail and regular postal services are not tracked delivery methods.

8. All faculty, staff, and student USF account passwords must have a password. Passwords must be a minimum of 6 characters long.

USF student account passwords will expire after 180 days. USF employee account passwords will expire after 60 days. Passwords must never be written down or shared with other users in accordance with the USF Technology Password Policy.

9. Users who are authorized to access or maintain Confidential data or Restricted data must ensure that it is protected to the extent required by the USF technology policy or law after they obtain it. All data users are expected to:

• Access data only in their conducting of University business.
• Request only the minimum Confidential data or Restricted data necessary to perform their University business.
• Respect the confidentiality and privacy of individuals whose records they may access.
• Observe any ethical restrictions that apply to data to which they have access.
• Know and abide by applicable laws or policies with respect to access, use, or disclosure of data.

10. Compliance with these data protection policies is the responsibility of all members of the University community. Violations of these policies will be dealt with seriously and will include sanctions, up to and including termination of employment. Users suspected of violating these policies may be temporarily denied access to the data, as well as, University information technology resources during investigation of an alleged abuse. Violations may also be subject to prosecution by state and federal authorities. Suspected violations of USF’s data protection policies must be reported to the Vice President for Operations and Technology.