
Standard for Handling Institutional Information - 5. Special Requirements for Regulated Information

In addition to the requirements set forth in the previous sections, some types of information have special handling requirements established by law and/or regulation.

Education Records

The New School often relies on software-as-a-service providers to handle services that it cannot efficiently provide itself. In some cases, these providers need access to Personally Identifiable Information (PII) from students’ Education Records in order to deliver the agreed-upon services. FERPA’s school official exception to consent is most likely to apply to The New School’s relationships with service providers. When The New School outsources institutional services or functions, FERPA permits The New School to disclose PII from Education Records to contractors, consultants, volunteers, or other third parties provided that the outside party

  • performs an institutional service or function for which The New School would otherwise use employees;
  • has been determined to meet the criteria set forth in The New School’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records;
  • is under the direct control of The New School with respect to the use and maintenance of Education Records; and
  • uses Education Records only for authorized purposes and may not re-disclose PII from Education Records to other parties, unless the provider has specific authorization from The New School to do so and it is otherwise permitted by FERPA.

When PII from Education Records is disclosed to the provider, FERPA still governs its use, and The New School is responsible for its protection. PII from Education Records disclosed under FERPA’s school official exception to consent may only be used for the purposes authorized by The New School. A contract or formal written agreement between The New School and the service provider is necessary to ensure that these requirements are met.

NOTE: Do not disclose Education Records to any third party except as approved by the University Registrar, Office of the General Counsel, and/or Information Security and Privacy Office.

Personal Data

The Data Protection Handbook provides information about the factors that must be considered, and the actions that must be taken, to ensure that Processing of Personal Data by The New School meets the requirements of all applicable laws and regulations.

NOTE: Do not store, process, or transmit Personal Data without first completing all actions required by the Data Protection Handbook (including determination of legal basis for processing, creation of a privacy notice, and completion of a Data Protection Impact Assessment). Contact the Information Security and Privacy Office for assistance.

Payment card data

Credit and debit card data (including primary account number, cardholder name, expiration date, and “security” codes) is high-risk confidential information that The New School is obligated to protect under state, federal, and international law. Additionally, credit card associations require that all entities accepting payment cards (“merchants”) comply with the Payment Card Industry Data Security Standard (PCI DSS), a set of technical and operational requirements designed to protect Cardholder Data and guard against fraud and identity theft.

The New School requires that any school, department, student organization, or individual that wants to accept credit or debit card payments obtain advance approval from the Office of Finance and Business and the Information Security and Privacy Office before offering this service. Once approved, the school, department, student organization, or individual may only use university-approved payment processing systems, vendors, and devices to accept payments. Credit and debit card payment information—whether from students, employees, donors, conference or workshop attendees, or the general public—must never be solicited or accepted through:

  • Email (including New School Gmail and SecureSend)
  • Web-hosted forms (including New School Google Forms, Qualtrics, and JotForm)
  • Non-university approved Internet-based payment processors (including PayPal, Authorize.net, Dwolla, Stripe, etc.)
  • Non-university approved mobile card readers (including Square, PayPal Here, Clover Go, etc.)

NOTE: Do not accept payments via credit or debit cards, or handle payment card data, except as approved by the Office of Finance and Business and the Information Security and Privacy Office.

Health and human subject information

The Health Insurance Portability and Accountability Act (HIPAA), through its Privacy and Security Rules, defines policies, procedures, and guidelines for maintaining the privacy and security of individually identifiable health information. HIPAA primarily applies to “covered entities” (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions). The New School, with the exception of the New School Health Plan, is not a covered entity.

Compliance with the HIPAA Privacy and Security Rules would require The New School to implement special administrative, technical, and physical safeguards on the environment where protected health information is processed. These safeguards include the establishment of specific administrative staff roles, creation of specialized employee training programs, installation of physical security measures in offices and computer data centers, and implementation of specialized security measures in its information technology environment.

As of this writing, The New School does not have the policies, protocols, or infrastructure in place to conduct HIPAA-compliant research at the university. Furthermore, the administrative, technical, and physical safeguards required by the New School Human Research Protection Program (HRPP) to protect data and samples may not be provided by all components of the New School information technology environment. Researchers should consult with the Office of Research Support, Information Technology, and the Information Security and Privacy Office before embarking on research using these categories of data to ensure that all information security requirements for their project can be met.

NOTE: Do not store, process, or transmit HIPAA-regulated information or human subject research data except as approved by the Institutional Review Board (IRB).

Controlled unclassified information

U.S. government agencies routinely generate, use, store, and share information that, while not meeting the standards for classified national security information, requires safeguarding and dissemination controls. Historically, this information (sometimes referred to as “Sensitive But Unclassified” (SBU) information) has been shared using an ad hoc ungoverned body of policies and practices. Across the federal government, there are a variety of markings and different labeling or handling procedures for SBU information, resulting in confusion for both its producers and its users.

In 2010, the White House issued Executive Order 13556, which defined Controlled Unclassified Information (CUI) to gather these various information categories into a single definition for all federal agencies, placing the National Archives in the role of creating the definitions, which can be found in the Controlled Unclassified Information (CUI) Registry. Some types of CUI that New School researchers might receive from (or produce under contract for) a federal agency include student records or personally identifiable information, export-controlled research data, critical infrastructure information, and controlled technical information.

When the federal government shares CUI with The New School, there may be particular federal laws or regulations that specify how that information must be protected. To address situations in which there is no applicable federal law or regulation addressing how the CUI must be protected, the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, applies. In either case, The New School would be required to implement the prescribed administrative, technical, and physical safeguards in the environment where CUI is processed.

As of this writing, The New School does not have the policies, protocols, or infrastructure in place to conduct NIST 800-171-compliant research at the university. Furthermore, the administrative, technical, and physical safeguards required by other federal laws and regulations governing the protection of CUI may not be provided by all parts of The New School information technology environment. Researchers should consult with the Office of Research Support, Information Technology, and the Information Security and Privacy Office before embarking on research using these categories of data to ensure that all information security requirements for their project can be met.

NOTE: Do not store, process, or transmit Controlled Unclassified Information except as approved by the Institutional Review Board (IRB).

