Box is a commercial online content storage, sharing, and collaboration service that has offered free personal accounts to the public since 2005. Box and Internet2 have partnered to provide university-wide Box service to Internet2 members like Penn State.
Terms of service: click here.
When uploading files, be aware of Penn State’s data categorization rules and the types of files that are permitted to be stored on Box at Penn State. Information concerning kinds of data that can be stored on Box at Penn State can be found on the Data Categorization Table for Box.
Protected Health Information (PHI)
Protected Health Information (PHI) is allowed to be stored on the Box at Penn State service. PHI is defined as “any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.”
PHI is governed by the Health Insurance Portability and Accountability Act of 1996 which protects the privacy of individually identifiable health information and sets national standards for the security of electronic protected health information. At Penn State, PHI is in the category of restricted data. More information about Penn State’s three-level data categorization plan which serves to protect data necessary for the University’s operation can be found in AD71 and ADG07. All users who work with PHI should be familiar with these documents.
Penn State can store PHI on Box due to the recent signing of a Business Associate Agreement with the Internet2 NET+ Initiative. When users store and collaborate with PHI using the Box at Penn State service, they should be aware of University rules governing the storage of this type of information on Box. All Penn State users of the Box service are bound by the general Box Terms of Service.
Although PHI is allowed to be stored on Box, other types of personally identifiable information (PII), such as social security numbers, credit card numbers, drivers license numbers, etc. are not allowed to be stored on Box. For detail on what can and can’t be stored on Box, please refer to the Data Categorization Table for Box.
In addition to the policies mentioned on this page, it is each user’s responsibility to ensure that storing PHI on Box is in accordance with local rules and the requirements of grants, research partnerships or data sharing agreements.
For questions, please send an e-mail to firstname.lastname@example.org.
The initial Box funding (2013) was provided by Information Technology Services (ITS) to support a two-year agreement. This was one-time funding, and a sustainable funding model is now needed for Penn State to continue with Box. The University has overwhelmingly adopted Box, and a cost recovery model is required to ensure sustainability of the service. An annual headcount funding model has been adopted. This includes faculty and staff from all areas of the University except the Pennsylvania College of Technology. The annual cost per person (based on headcount) is estimated to be $11.04 (2015-2016). Students will not be charged for Box service.
For more detail on this subject, please see the documents on this page.
Persons leaving Penn State
The following does not apply to staff who retire with benefits or faculty in emeritus status; in accordance with Office of Human Relations guidelines, these people retain their Access Accounts.
For all others who leave the university, Access Accounts will be deactivated at a specified period after an individual has left the University. This period of time is based on a person’s affiliation status and can be viewed here. At this point, a person will lose access to their Box account; however the Box account and its data will be retained.
If a person plans to leave the University, they should move personal data to a personal Box account. Instructions for doing that are here. Ownership of documents pertaining to an individual’s official Penn State duties should be moved to a co-worker’s account. Instructions for doing that are here.
Twelve months after a person’s Access Account becomes inactive, their Box account will be placed in an Inactive status. This means that all data owned by the account will become inaccessible for collaborators. Thirty days later (or 13 months after the Access Account is deactivated), the Box account and all of the data owned by that account will be deleted.