Data Protection Policy

August 3, 2018

Purpose

This Data Protection Policy mandates proper protections around the access, transmission, and storage of data within the environment of St. George’s University, University Support Services, and any other operating units of Medforth Global Healthcare Education Group LP identified by management (collectively, the Enterprise). This policy requires that data at rest and in transit be protected with appropriate security measures, in order to support the Enterprise’s adherence to its legal and regulatory data protection obligations.

Scope

This policy applies to data in all forms including electronic information, information stored in hard copy form, and information shared orally or visually through media such as telephone and video conferencing.

Objective

The objective of this policy is to formalize the relationship between the classification of Enterprise data and the unique protection requirements for different subsets of that data.

Roles and Responsibilities

  • General Counsel: One role of General Counsel is to assist the Enterprise in ensuring that the handling of data is compliant with the applicable data protection laws.
  • System Administrators: System Administrators are members of the Office of Information Technology who provide secure infrastructure in support of data protection practices, including storage, processing, transmission, and disposal.
  • Data Users: Users include any employee, faculty, staff, student, volunteer, representative, contractor, or any agent acting on behalf of Enterprise given access to Enterprise data. All users are responsible for protecting the integrity and security of that data. If any user is aware of an active or potential weakness in the protection of the data, that individual must report their concerns to Information Security.

Policy Statement

The Data Protection Policy addresses elements of the data lifecycle that warrant appropriate security measures. Enterprise must define specific protective requirements for each type of data outlined in the organization’s Data Classification Policy. Specific implementation solutions pertaining to the protection of Enterprise data should be generated and proposed by Information Technology, and must be approved by the Cyber Security Committee.

Access
Enterprise must protect data from unauthorized access and ensure that the organization only processes data necessary for a specific business purpose. The amount of data collected, extent of the processing, period of storage, and the accessibility to that data must all be limited to only what is necessary for performing core business activities. Enterprise must maintain informative data processing documentation and adhere to the principle of least privilege as outlined in the Enterprise’s Access Management Policy.

Storage
Enterprise internal data, whether in electronic form or hard copy, must be stored in a manner that protects the data in accordance with its classification. Standards and procedures in support of this policy should define which protective measures are required for each type of Enterprise data. The organization must also retain all data in accordance with any internal standards for data retention.

Transmission
Enterprise data in transit must be protected using an approved encryption method that satisfies the organization’s protection standards and any applicable legal regulations.

Backups and Retention
Enterprise must define standards and procedures for the regular backup of Enterprise data, including appropriate timeframes for regular backups, an approved method for generation of secure backups, and an approved secure location for backup storage.

Data Owners must adhere to retention timelines for all data types in compliance with the Enterprise’s legal and regulatory environment, including both data stored on live systems and data preserved in backups.

Disposal and Destruction
When disposing of any Enterprise data stored on paper, the data must be shredded. Electronic data must be expunged, and digital media must be wiped clean of any residual data in accordance with Enterprise’s requirements.

Release of Information
The Enterprise data protection standards must define whether data of each sensitivity classification may be released, and whether or not that release requires the approval of the Cyber Security Committee. The release of any internal information must be compliant with all legal and regulatory requirements.

Related Documents