September 4, 2007, Volume 54, No. 2
Legal Requirements for Penn Data

Many faculty and staff at Penn work with personal information of Penn constituents as part of their job responsibilities. Indeed, personal data drives many critical functions at Penn—from assigning grades to students, to managing and paying staff, to performing life-saving medical research on human subjects. 

Taking steps to protect confidential data from falling into the wrong hands is critical: someone else’s private information may literally be in your hands.

In addition to protecting data out of concern for others, it is critical to bear in mind the legal and industry requirements that apply to much of the data on the Penn campus.
Examples of significant requirements are:

• The federal HIPAA law protects individually identifiable health information held by Schools and Centers that provide health care or perform health plan functions.

• The federal FERPA law protects the privacy of education (i.e., student) records.

• The federal Gramm-Leach-Bliley law requires reasonable safeguards for certain financial information about customers.

• CAN-SPAM, a federal law, requires that certain bulk e-mail with primarily commercial messages be properly labeled and provide an opt-out.

• The credit card industry's PCI DSS standard imposes strict security requirements on the handling of credit card (cardholder) data.

• And Penn procedures put limits on the collection, retention, and disclosure of Social Security numbers.

If you have questions about the applicability of these rules or other requirements to protect confidential data, please write to privacy@pobox.upenn.edu or security@isc.upenn.edu.


