RF Confidential Information Policy

Background

Confidential information stored on the Research Foundation of State University of New York (RF) network and/or in any media is an important resource for all RF employees and those acting on behalf of the RF in performing their job duties. As the organization has grown so, too, have internal and external threats to the security and confidentiality of RF information.

Maintaining the integrity of RF confidential information is of utmost importance to the organization. In response, the RF developed this policy to reduce the risk of compromising confidential RF information and to comply with applicable state and federal laws, including the New York State Information Security Breach and Notification Act, Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Americans with Disabilities Act (ADA) of 1990. In addition, the RF's Code of Conduct emphasizes the organization's commitment to operating in an ethical, honest, and lawful manner.

Policy

All RF employees and those acting on behalf of the RF who have access to confidential RF information will ensure that this information is treated in accordance with the "Requirements for Maintaining Confidential Information" (found below in this document).

In addition, all RF employees and those acting on behalf of the RF are responsible for immediately reporting any suspected violation(s) of this policy or any other action which violates confidentiality of RF information to the manager/supervisor, department vice president/head, or RF operations manager/designee, as appropriate, at the campus location.

Definitions

For purposes of this policy, the following are definitions that will assist employees and those acting on behalf of the RF in understanding and ensuring compliance with the policy:

"Information" is defined as any communication or reception of knowledge regarding the RF and includes facts, data, or opinions that may consist of numerical, graphic, or narrative forms, whether oral, downloaded to equipment, or maintained in mediums, including, but not limited to, computerized databases, papers, microfilms, magnetic tapes, disks, CDs, flash drives, and cell phones.

"Confidential Information" is defined as any RF "Information" as described above that specifically identifies and/or describes an employee, an employee's protected health information, and/or RF organizational information, which if disclosed or released, a reasonable person would conclude that negative financial, competitive, or productive loss may occur and/or may cause legal or other non-beneficial impacts on the RF.

Confidential information does not include grant and contract proposal information released to sponsors and project partners as part of a formal submission, and subsequent award information and correspondence received from or sent to those parties.

Examples of "Confidential Information"

Additional specific examples of "confidential information" include, but are not limited to, the following items. Individuals who are uncertain if the type of information being used is confidential should seek clarification from their manager/supervisor.

Requirements for Maintaining Confidential Information

All RF employees and those acting on behalf of the RF with authorized access to confidential information stored on the RF network or in any media format are required to protect this information. All RF employees and those acting on behalf of the RF:

  1. will access confidential information for the sole purpose of performing their job-related duties.
  2. will not seek personal benefit or permit others to benefit personally from any confidential information that comes to them through their work assignments.
  3. will not permit unauthorized use of any confidential information that can be found on the RF network or in any media format. (Refer to the RF's
    Notification for Breach of Privacy of Protected Health Information.)
  4. will not enter, add, change, or delete confidential information to the RF network or any media format outside of the scope of their job.
  5. will not release or disclose RF confidential information other than what is required to perform their job-related duties and in accordance with applicable
    RF policies and procedures on releasing or disclosing confidential information. (Refer to the RF's Confidentiality of Employee Information Policy and
    the RF's Confidentiality of Health Information Policy.)
  6. will not exhibit the contents of any confidential information on the RF network or in any media format to any person unless it is necessary to perform
    their job-related duties and in accordance with all applicable RF policies and procedures on exhibiting confidential information. (Refer to the policies
    mentioned above.)
  7. will keep personal passwords confidential and will not disclose them to anyone within or outside the organization. Passwords should be kept in
    secure places. Forgotten passwords and suspected compromises of passwords should be reported to the individual responsible for RF security or
    customer services and to the appropriate supervisor so the required action can be taken.
  8. will strive to keep confidential information on desktops or on computer screens from being viewed by others and will strive to ensure that computer
    screens are locked when away from their desk or office.
  9. will strive, for training purposes, to use simulated training information when possible; when this is not possible, will strive to protect and/or disguise
    any confidential information used for training purposes, including but not limited to, business system screen captures and business system instances.
  10. will strive to keep confidential information that is in any media format saved to their personal LAN drive and will strive to keep this information stored
    in a locked cabinet. Confidential information that requires viewing by more than one individual will either be stored on a restricted public drive or use
    a password protection feature.
  11. will strive to dispose of confidential information in accordance with applicable laws and/or RF policies on record retention. Refer to the RF's:
  12. will not discard any confidential information in a waste receptacle or recycling bin (if applicable); will shred hard copy confidential information prior to disposal.
  13. will not remove confidential information from work premises without written authorization from the operations manager or designee.
  14. will not disclose confidential information to consultants without receiving prior approval from the operations manager or designee. In addition, consultants
    will not be allowed to remove confidential information from the premises without prior written approval from the operations manager or designee. Written
    approval indicates that a copy of the information can be removed from the premises but must be returned by a specified date.

Reporting a Suspected Violation(s)

RF employees and those acting on behalf of the RF must report a suspected violation(s) of this policy to the appropriate person (supervisor/manager, RF operations manager/designee, or department vice president) at their campus location. If the suspected violation involves an "electronic" breach of information, the operations manager/designee or department vice president must be notified per the RF's Notification for Breach of Privacy of Protected Health Information.

All reports will be held in strict confidence and promptly investigated by the appropriate person at the campus location.

Disciplinary Action Regarding a Knowing Violation

For an RF employee, disciplinary action, up to and including termination, may occur if it is determined that a knowing violation(s) of this policy has occurred. If a violation involves a SUNY employee, the RF operations manager/designee at the campus location will work with the campus SUNY official to determine the appropriate action to be taken.

Retaliation

The RF will not tolerate retaliation toward or harassment of employees who in good faith report a suspected or knowing violation(s) of this policy. The identity of individuals providing information about a suspected violation(s) will be protected within legal limits. Individuals who take retaliatory action will be subject to disciplinary action, up to and including termination.

Responsibilities

The following table identifies individuals and their responsibilities with regard to this policy.

| Individual | Responsibilities |
| --- | --- |
| All RF employees and those acting on behalf of the RF | Abide by this policy for maintaining confidential information. |
| | Report a suspected violation(s) of this policy to the appropriate person at the campus location (manager/supervisor, operations manager/designee, department vice president). |
| Supervisor/manager, department vice president/head | Abide by this policy for maintaining confidential information. |
| | Encourage all RF employees and those acting on behalf of the RF to abide by this policy. |
| | Report a suspected violation(s) of this policy to the appropriate person at the campus location (operations manager/designee) to protect both the alleged violator and the individual reporting a potential violation. |
| | Do not retaliate against the alleged violator or the individual reporting a potential violation(s). |
| RF operations manager/designee at the campus location | Abide by this policy for maintaining confidential information. |
| | Encourage all RF employees and those acting on behalf of the RF to abide by this policy. |
| | Authorize the removal of confidential information from the work premises in accordance with this policy. |
| | Report a suspected violation(s) of this policy to the Vice President for Human Resources or designee at central office to protect both the alleged violator and the individual reporting the violation(s). |
| | Investigate a reported suspected violation(s) and determine if a violation(s) did or did not occur. |
| | Work with the campus SUNY official if a violation occurs involving a SUNY employee. |
| | Communicate to the appropriate personnel at the campus location any disciplinary action that will occur as a result of an actual violation(s) of this policy. |
| Vice President for Human Resources or designee, central office | Interpret sections of the policy relating to maintaining confidential information and guide campuses through implementation of the policy as requested. |
| | Revise policy as needed. |

Copyright © 2012 The Research Foundation for The State University of New York