UK Establishes Data Security Compliance Program

University of Kentucky

The University of Kentucky announces a new website with the university's policy for the Data Security Compliance Program (DSCP).

The DSCP, the focus for UK's compliance with federal requirements in the U.S. Department of Justice's Data Security Program (DSP), covers all UK employees and all others who interact with UK.

On Jan. 8, the Department of Justice (DOJ) issued the DSP regulations (28 CFR 202) to prohibit certain transactions involving protected U.S. data.

Under the DSP, Countries of Concern (foreign governments) currently include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela. Covered Persons include individuals or entities subject to the jurisdiction, ownership, control or direction of Countries of Concern, as well as other individuals or entities, from or associated with any country, that the U.S. Attorney General may individually identify.

The types of data covered by the DSCP include:

  • Sensitive personal data of over a certain number of U.S. persons in any format, regardless of whether it is anonymized, pseudonymized, de-identified or encrypted (human genomic data, other 'omic data, biometric identifiers, personal health or financial data, certain personal identifiers).
  • Certain U.S. government-related data that, if accessed by a foreign adversary, could pose a national security risk (both geolocation data that the U.S. Attorney General has determined presents a heightened risk of exploitation because of their nature or who works there, and sensitive personal data linkable to current or recent former employees or contractors, or former senior officials, of the U.S. Government, including the military and the intelligence community).

The DSP prohibits knowingly engaging in data brokerage transactions with Covered Persons or Countries of Concern, as well as transactions involving transfers of covered data (e.g., human genomic data) to Covered Persons or Countries of Concern.

Other transactions, including investment, employment or vendor agreements with Covered Persons that provide access to sensitive data, are permitted only if specific Cybersecurity and Infrastructure Security Agency (CISA) requirements are met, along with DSP compliance program requirements, audits and recordkeeping.

Attention and adherence to these new rules and training will help UK:

  • Take action to protect U.S. national security.
  • Provide information recommended by DOJ guidance.
  • Educate employees on sensitive data they handle, its classification and how inadvertent violations could lead to disciplinary actions, including termination.
  • Protect the university and individuals from penalties associated with violations.

In addition to content offered by the new website, discussion is underway on future training on the DSCP. Details will be communicated when available.

The DSCP policy is available online at https://research.uky.edu/DSCP.
