Data Management Committee Meeting

Date: Thursday, August 6th, 2009 2:00 – 3:30pm

Location: Boardroom, UW Tower, 22nd Floor

Members: K. Bailey, C. Bennett, B. Benson, B. Boiko, A. Canfield-Budde, N. Hyde Corning, L. Coveney, J. Drew, W. Dryfoos, J. Fine, J. Follman, R. Forman, P. Hoffman, J. Kresl, J. Loter, N. McDonald, T. Mildon, J. Posey, A. Walchuk-Nagel, C. Westmoreland, B. Whitehead, B. Yock.

Facilitator: B. Yock

Note Taker: M. Albin

Minutes

Topic / Presenters
Administrative
·  Review and approval of July 23rd minutes
-  Approved
·  Announcements
-  Charles to be facilitator next time
-  New members: Nathan Dors; Tom Daniel
Privacy and Incident Management Policy
Ann Nagel and James Poland, Facility Security Officer in the Office of Research, walked through two draft policy documents with the group:
- Information Security and Privacy Assurance Policy
- Incident Management Policy
There is a need for an institution-wide security and privacy policy because current UW policies are difficult to understand and inconsistent across departments. A project team has been assembled to address this need and to combine efforts from UW Medicine, the Office of Research, and the Office of the CISO. In conjunction, an Incident Management Policy is being drafted in order to satisfy ARRA and Department of Defense requirements. The policies must be in place by September. Other points:
·  Phase 1
-  Develop APS on Information Security and Privacy Management
-  By September
·  Phase 2
-  Revise UW Electronic Information Privacy Policy on Personally Identifiable Information
-  Include new Privacy Policy in APS
-  By December
·  Phase 3
-  Align existing APS with new APS on information security and privacy management
-  Timeline TBD
Group discussion
-  There has been discussion of the creation of a liaison role in departments for information security-related issues. Other universities have this role in place.
-  There was a discussion about data that is in the hands of vendors rather than our own systems. HIPAA regulations (and others) say that we have to cover this in contracts if we are the originators of the data. This would be worth reviewing in contracts.
-  Ownership of data was discussed. Should it be data-driven or location-driven? There are some areas in which there is overlap, such as patient/research records. This potentially leads to inconsistency in responses.
-  Incidents are currently reported to a help desk depending on where they occur. Once confirmed, the incident is referred to a specific institutional officer and an incident management team is formed. The liaison role would assist in identifying who needs to be involved quickly.
-  Should definitions be a part of the documents, or should they be stored elsewhere? Rebecca Deardorff to be consulted.
Action: the group should review draft policy documents and prepare to discuss them at the next meeting and vote to/not to approve. / Ann Walchuk-Nagel, Jim Poland
Task Force Updates
·  Access and Roles
-  Working on an institutional agreement that will apply to the EDW
-  Web Services working on automatic signage/one time for many apps and reminders
-  Also putting together a guideline to help DMC and custodians to implement the agreement
·  Enterprise Reporting - AAG4ER
·  DMC Training / Task Force Leads
Parking Lot:
·  Guidelines for use of non-protected data
·  Guidelines for access controls (2 factor Authn vs DAC Authz)
·  Revisit DMC Overview and Guiding Principles on web site
·  Custodian & Trustee Outreach Plans, Policy Approval Process
·  Guidelines for PIC Assignments and Responsibilities
·  ID Card Task Force Startup
·  Employee ID Data Classification
·  DMC Web Site & Data Map Change Management Processes
·  HR / Diversity Data Access for Tacoma
·  Bulk email policy clarification
Active Task Forces:
·  Access and Roles
·  Enterprise Reporting
·  DMC Training Program