Data Custodian Responsibilities
All UAB data stored, processed, or transmitted must be classified in accordance with these data classification rules. Data Custodians must:
- Abide by the Data Access Policy and the Data Protection Rule.
- Be granted approval by the Data Steward before accepting, processing, storing, and/or transmitting data, especially when data is classified as Sensitive or Restricted/PHI by the UAB Classification Rule.
- Follow all data handling and security requirements set forth by UAB policy and standards, along with any mandates set by specific data stewards charged with protecting UAB data.
- Designate appropriate individuals with system administration responsibilities, ensuring that their role in securing the system is defined in their job description, and that they are trained in administration and security of the system.
- Ensure adherence to UAB guidelines and procedures for protecting data as found in IT Security Practices.
- Ensure compliance with all stipulations of this and other UAB policies and other legal and regulatory requirements including those related to dissemination of data (UAB’s Information Disclosure and Confidentiality Policy) and disposal of computer equipment and systems (UAB’s Equipment Accounting standards, and Guidelines for secure disposal of media containing sensitive information).
- Ensure that risk assessments are performed (including disaster recovery plans, backup and contingency plans) as required by HIPAA for all PHI. Risk assessment is recommended for all other sensitive or mission-critical data.
- Ensure that documentation of data resources created, used, or stored within their area of control is maintained.
- Ensure that systems containing sensitive information are physically secured from unauthorized access.
- Ensure that the department/unit follows procedures to mitigate all identified compromises or identified data security threats.
- Ensure that actual or suspected data security breaches, especially when involving sensitive data, are reported to the Data Security Office immediately and that any recommended corrective action is implemented.
- Ensure that non-UAB entities or contracted third-party vendors handle data in accordance with UAB policies and procedures.