56.50 - Data Use Limitation (UL)

Return to policies website

Policy Statement
TTUHSC El Paso shall implement controls to ensure that the scope of Personally Identifiable Information (PII) use is limited to justifiable business needs.

Reason for Policy
The purpose of the Data Use Limitation (UL) policy is to help TTUHSC El Paso implement controls that will ensure that the scope of Personally Identifiable Information (PII) use is limited accordingly.

Entities Affected by this Policy are any and all users of Information Resources at TTUHSC El Paso.

What is covered in this Policy?
The overall policy addresses the Institutional stance as it applies to internal use and information sharing with third parties.

It is the stance of TTUHSC El Paso to ensure that there are safeguards in place aligned with NIST 800-53 and TAC 202 to ensure the protection, integrity, and confidentiality of information resources at TTUHSC El Paso.

Who Should Read this Policy?
All individuals accessing, storing, viewing any TTUHSC El Paso information resources.

What happens if I violate this policy?
Any person(s) violating TTUHSC El Paso Information Technology policies are subject to penalty under federal, state, and local legislation. Disciplinary actions are further outlined in HSCEP OP 56.50, Sanctions Policy.

 

UL-01: Internal Use

TTUHSC El Paso uses Personally Identifiable Information (PII) internally only for the authorized purpose(s) identified in public notices.

PII is authorized to be used only as the data was originally authorized to be used.

UL-02: Information sharing With Third Parties

TTUHSC El Paso:

  • Shares PII externally, only for authorized purposes or in a manner compatible with those purposes;
  • Where appropriate, enters into contract or agreement, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
  • Monitors, audits, and trains its staff on the authorized uses and sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
  • Evaluates any proposed new instances of sharing PII with third parties to assess whether they are authorized and whether additional or new public notice is required.

Data/process owners are required to:

  1. Share PII externally, only for authorized purposes or in a manner compatible with those purposes;
  2. Where appropriate, enters into a contract with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
  3. Monitor, audit, and train its staff on the authorized uses and sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
  4. Evaluate any proposed new instances of sharing PII with third parties to assess whether they are authorized and whether additional or new public notice is required.

 

All other IT Policies can be found at https://ttuhscep.edu/it/policies/

 

  1. HSCEP 56.50 Sanctions Policy
  2. TAC §202.74, §202.75

 

Revised May 2018