Personal Information Protection

Scope

The Personal Information Protection Compliance Review Protocol covers all users of computers, electronic devices, and media capable of storing Loyola Protected data or Loyola Sensitive data as defined by the Data Classification Policy.

Purpose

The purpose of this protocol is to ensure that all divisions and departments of Loyola University Chicago are in, and remain in, compliance with the Policies established for the security of Loyola Protected data or Loyola Sensitive data.

Policy

Each division will conduct compliance reviews in accordance with the Loyola Protected Data & Loyola Sensitive Data Identification Policy.

Each division or department head will designate one individual as the department’s primary data steward and one individual as the department’s alternate data steward. If the primary data steward is unable to perform their listed duties, the alternate data steward will perform those duties. The duties of the two data stewards cannot be delegated further. Each division or department will communicate the names of the designated data stewards to ITS. The primary data steward has primary responsibility for the security of information within their division. This will be the same person who is responsible for ensuring the department performs the necessary scans as defined in Loyola Protected Data & Loyola Sensitive Data Identification Policy. The role of the designated individual may be rotated. The alternate data steward will assist the primary data steward, and perform the functions of the primary data steward if the primary data steward is unavailable to do so.

The primary data steward will be responsible for conducting the review of his/her department or division, reviewing scan results, ensuring compliance with all policies listed in the appendix in the Applicable Policies Covered section, confirming that all devices covered by the Loyola Protected Data & Loyola Sensitive Data Identification Policy were scanned, and certifying on the certification form shown in the appendix that their office meets the identified security standards.

ITS and HR will train the data stewards on information security policies. Each department shall provide additional training to their data stewards on the local, state and federal regulations or standards on information security that apply to their department. The primary data steward will be responsible for making certain that all staff members, department heads, student workers in, and outside parties used by, their department are fully aware of Loyola University Chicago’s information security policies. They will arrange special training as needed by contacting subject matter experts listed in the appendix.

Questions about this policy

If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.

Policy adherence

Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Appendix

Applicable Policies Covered

Definitions

Primary data steward – The person who has primary responsibility for the security of information within their division. This will be the same person who is responsible for ensuring the department performs the necessary scans as defined in Loyola Protected Data & Loyola Sensitive Data Identification Policy.

Alternate data steward – The person who will assist the primary data steward, and perform the functions of the primary data steward if the primary data steward is unavailable to do so.

Exceptions

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review

This policy will be maintained in accordance with the ITS Security Policy.

Emergencies

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Plan. These actions may include rendering systems inaccessible.

History

  • March 4, 2008: Initial policy
  • June 19, 2015: Annual review for PCI Compliance
  • June 20, 2016: Annual review for PCI Compliance
  • June 21, 2017: Annual review for PCI Compliance
  • Aug 24, 2018: Added Exceptions, Review and Emergencies sections, annual review for PCI Compliance
  • Sep 26, 2019: Annual review for PCI Compliance
