Data Regulation and Management

Data Regulation and Governance

University of Louisville data is a critical university resource and asset. It often contains information about the university, as well as personal information about faculty, staff, students, patients and other affiliated parties. Protection of this information may be required by federal, state, industry or other agency regulations or it may be driven by financial, reputational, legal or other university requirements. It is the responsibility of each individual to ensure the security and protection of university information assets (data, systems, electronic or hardcopy) they own, control or use. The Data Governance Committee has provided additional information on how to classify and protect university data.

If you have questions regarding data regulations and how they apply to the data in your area, please contact the ISCO at isopol@louisville.edu.

FERPA - Student Information

Student grades and other enrollment information. Examples include: (1) personal information (student, parent or family member), (2) enrollment records, (3) grades, (4) schedules.

Gramm-Leach-Bliley Act - GLBA (financial information)

Requires ensuring the security and confidentiality of customer information collected or maintained by or on behalf of financial institutions or their affiliates. The university is classified as a financial institution under GLBA because it processes or services student loans.

GDPR - EU General Data Protection Regulation

European Union law that governs the use and ownership of personal data. Personal data means any information that, directly or indirectly, could identify a living person. It includes data provided by a person while a resident of the EU, regardless of citizenship.

HIPAA – Health Information

Health Insurance Portability and Accountability Act of 1996 - Any identifier along with health information. Examples: name/initials, address, phone, email, social security #, medical/plan #, IP/device address, biometrics, images, any account or ID.

Kentucky Personal Information – KRS 61.931-934

Kentucky Breach Notification Regulation - protection of personally identifying information. Name/first initial & last name combined with: account numbers, social security, passport or driver's license number, HIPAA data, student or employee ID.

Payment Card Industry Data Security Standards (PCI)

Requirements set forth by the PCI Security Standards Council to protect credit cardholder data. University policy prohibits obtaining or transmitting credit card information via email, and prohibits storing card information on devices that are not PCI compliant.

Contact Us

Information Security Compliance Office

Location

University of Louisville
Louisville, Kentucky 40292

Hours

Monday-Friday
8 a.m. to 4:30 p.m.
Closed Holidays