Data Protection and Security Policy   



Data (electronic) created at UAB must be protected and maintained in accordance with all applicable federal and state laws and university policies.

Effective Date: 2/22/2017


Review/Revised Date: 6/30/2022


Category: Information Technology


Policy Owner: VP Information Technology/CIO

Policy Contact: Director - Security Risk Management and IT Compliance




UAB electronic information assets (data) must be protected and maintained in accordance with all applicable federal and state laws and university policies.  The intent of this policy is to provide a framework to ensure that electronic data, in all forms, are adequately protected.  This policy specifically outlines:
  • The roles and responsibilities of the UAB community for data protection and security;
  • Additional requirements associated with the use and maintenance of systems containing sensitive information.


Managing and protecting data are responsibilities shared by all members of the UAB community (i.e., all individuals (faculty/staff/students/visitors), schools, departments, affiliates, and/or other similar entities within UAB, including employees of contracted or outsourced non-UAB entities).  This policy applies to all UAB data and systems including, but not limited to, centralized institutional systems, departmental/unit systems, systems created or operated by third-party vendors under the direction of UAB, and UAB data in any system.


All members of the UAB community should protect their data and data under their control and periodically review all applicable data security, confidentiality, and acceptable use policies.  The following rules and policies apply to data classification and protection:
Any information system that stores, processes or transmits institutional data must be secured in a manner that is considered reasonable, appropriate, and compliant with university policies and Federal and State Laws.  The required level of security depends on the nature of the data, as defined in the UAB Data Classification Rule.
Risk Assessment
Deans and administrative unit heads (in conjunction with UAB Information Technology) are responsible for ensuring the assessment and periodic review of the business processes and technical risks associated with implementing any planned, proposed, or existing electronic information system or data collection system.  Risk assessments must identify specific procedures to minimize risks and the impact of potential breach/compromise of data.
Other Data Security Policies at UAB
Other data security policies implemented at UAB (campus-wide or locally by/for a specific department, school, or system) may be more restrictive than this UAB-wide policy but may not be less restrictive.  Each university department/unit is responsible for implementing, reviewing, and monitoring internal policies, practices, etc. to assure compliance with this policy.
Incident Reporting and Management
Any suspected breach or compromise of sensitive or restricted data must be reported immediately to the Information Security Office in the Office of the Vice President for Information Technology, which will inform the dean or administrative unit head.  Specific procedures for reporting a suspected or actual breach/compromise of data are located on the Information Security web site.  Upon receiving the report, the Information Security Office will be responsible for conducting or coordinating the investigation, making or assessing recommendations for corrective action, reporting the incident to the Executive Computer Incident Response Team (ECIRT) and other administrative units as needed, and maintaining documentation of the incident.
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs.  To request a security exception, complete the exception request.


Confirmed violations of this policy will result in consequences commensurate with the offense, up to and including termination of employment, appointment, student status, or other relationships with UAB.


This policy will be reviewed by UAB's Information Security Office periodically or as deemed appropriate.


The Vice President for Information Technology is responsible for the oversight and implementation of this policy, including the overall procedures related to its implementation and management.

(Replaces policy dated March 19, 2007) 

Related Policies, Procedures, and Resources
Data Classification Rule
Data Protection Rule
Minimum Security for Computing Devices Rule