In a guest post for National Cyber Security Awareness Month, Chief Privacy Officer Micki Jernigan explains the purpose and intricacies of privacy reviews and security risk assessments.
Privacy reviews and security risk assessments are intended to protect:
- individuals’ information (students, employees, alumni, patients, donors, etc.)
- researchers
- research data
- other information the University is entrusted with
- the University’s reputation
They also provide an avenue to comply with legal, regulatory and policy requirements; prevent fines and penalties; and require vendors, consultants, independent contractors and others we share this information with to further protect this information.
What does Privacy do?
Privacy’s role is to assist in determining what needs to be protected normally based on applicable law, regulation, policy or best practice. Security’s role is to determine options for protecting the “what.” What needs to be protected is not often flexible — either the information needs to be protected or it does not. This “how to protect” may be dictated by law, regulation or policy but may also be flexible depending on the situation. This is one of the major differences between Privacy and Security that is often misunderstood — the flexibility of security and often lack thereof in privacy.
Get it right from the beginning
These reviews aren’t just to be a pain in your @#$ or delay a purchase or progress. Getting it right before a transaction or project begins is much easier and less expensive to the University than cleaning it up after it goes wrong and the work completed must be redone. This is especially true if information was inappropriately shared and notifications must be provided to the individuals and federal and state authorities. It is also often very difficult to negotiate privacy and security measures with a vendor after a purchase agreement is already executed.
For the Health Insurance Portability and Accountability Act (HIPAA) a Business Associate Agreement (BAA) and a HIPAA Security Risk Assessment are likely required if access (even potential access) to protected health information (PHI) is part of the project or purchase.
Both of these processes can take a good amount of time to complete. This is often based on the participation and cooperation of the vendor or external party (or lack of) in providing all needed information to complete the review or negotiating the BAA. The Privacy and Security staff have very little control over this aspect of the review timeline.
Ask for a review early
Key takeaway: The sooner that either the Institutional Privacy Office or Information Security Office is contacted about a review, the faster the product or project can be evaluated. It is likely that a completed data access questionnaire (DAQ) will be requested to begin the process. If payment card information, student data or Social Security numbers are also part of the project, other groups must also conduct reviews. Most of these reviews can be conducted in parallel. This information and instructions are available on the latest version of the DAQ.