Encryption at UMass Lowell: Safeguarding Confidential Data
Members of the university community may work with various types of data that require protection under university policies, system-wide standards, and legal or contractual obligations. Ensuring data security is vital to comply with privacy regulations, protect our reputation, and minimize the risk of costly incidents.
Examples of sensitive data that must be safeguarded include:
- Student education records protected under the Family Educational Rights and Privacy Act (FERPA).
- Medical or payment information covered under the Health Insurance Portability and Accountability Act (HIPAA).
- Personally identifiable information (PII), such as Social Security numbers, driver’s license numbers, and financial account details, protected by state privacy laws, including Massachusetts General Laws Chapter 93H.
- Credit cardholder information covered by the Payment Card Industry Data Security Standards (PCI-DSS).
The Role of Encryption
To protect sensitive data, UMass Lowell IT configures university-provisioned computers with encryption-at-rest as a standard best practice. Encryption-at-rest renders data stored on a device unreadable without proper authorization, so that if a device is lost or stolen, the data on it remains protected from unauthorized access. This additional layer of security helps minimize the risk of data exposure.
It’s important to note that encryption is just one part of the data protection picture. It is better to keep data within the university’s secure application systems. When a local copy is necessary, a backed-up, access-controlled UML OneDrive location provides better security and recoverability than storing files on a laptop or other portable device drive. Whenever sensitive information is involved, best practice is to limit access to only those workforce members who require it for their job responsibilities and to use only the minimum data necessary for the work at hand. Don’t share a large file with many records or data elements if the need is only for a specific record or data element.
Encryption on Other Devices
- Smartphones and tablets: When configuring a device to access UMass Lowell email, faculty and staff must enable a passcode to activate native device encryption.
- Other equipment: Faculty and staff who work with sensitive data on non-standard university devices should open a ticket with IT Security to explore encryption options.
Protecting University Data
For more information about what types of data must be safeguarded and how to protect it, refer to the following university policies and resources:
- Data Classification Policy
- Institutional Review Board (IRB) Data Security Policy
- University of Massachusetts Payment Card Industry (PCI) Compliance Guide (pdf)
- Family Educational Rights and Privacy Act (FERPA)