Data Security Policy

Date of Original Implementation: October 2011

Date of Last Revision: October 2011

Purpose

This policy defines the guidelines for the security and confidentiality of data maintained by Cambridge College, both in paper and electronic form. This policy also informs each person who is entrusted to access student, employee and/or institutional data of their responsibilities with regard to confidentiality and safeguarding Cambridge College data.

Statement of Policy

All custodians and guardians of administrative data are expected to mange, access, and utilize the data in a manner that maintains and protects the security and confidentiality of that information. All notice to Federal, State & local regulations must be considered and adhered to when using or sharing personal or confidential information. Any notice of a breach of confidential information whether in paper or electronic form MUST be reported to the appropriate Vice President for the area involved and the General Counsel immediately.

Under no circumstances shall credit card numbers be stored or sent from College servers or desktops.

DEFINITIONS

There are two primary categories of data-handling and access defined in this policy. They are Data Custodians and Data Guardians.

Data Custodians

Data custodians function as gatekeepers for the data that is collected and maintained by individuals in their departments. Custodians are responsible for establishing access procedures for the administrative data available in their area and for approving access requests for that data. The table below indicates the administrative areas that maintain the college’s primary data stores and the respective data custodians.

Administrative Areas

Data Custodian

Alumni and Development Data

Vice President for Advancement

Financial Data

College Controller

Financial Aid Data

Director of Financial Aid

Human Resources Data

Director of Human Resources

Information Technology Data

Director of Information Technology

Student Services Data

Dean of Enrollment Management

Data Guardian

A data guardian is defined as anyone who, as a function of their position at Cambridge College, possesses or has access to Cambridge College administrative data, either electronic or otherwise. Guardianship and its associated responsibilities apply to individuals who dispense or receive data.

Department heads are responsible for signing off on data access requests for employees under their supervision.

Scope

College employees, or others who are associated with the college, who request, use, possess, or have access to college administrative data must agree to adhere to the protocols outlined above. In addition, guardians, custodians and data users are prohibited from:

Changing data about themselves or others except as required to fulfill one’s assigned College duties or as authorized by a supervisor. (This does not apply to self-service applications that are designed to permit you to change one’s own data).

Using information to enable actions by which other individuals might profit. Disclosing information about individuals without prior authorization by a supervisor.

Engaging in what might be termed “administrative voyeurism” (reviewing information not required by job duties) unless authorized to conduct such analyses.

Examples include tracking the pattern of salary raises, viewing a colleague’s personal information, looking up someone else’s grades or viewing other colleague’s work product when not authorized to do so.

Circumventing the level of data access given to others by providing access that is broader than that available to them, unless authorized. For example, providing an extract file of employee salaries to someone who does not have security access to salary data is prohibited by this policy.

Allowing unauthorized access to Cambridge College’s administrative systems or data by sharing an individual’s username and password.

Engaging in any other action that violates the letter and spirit of this policy, either purposefully or accidentally.

Improper Guardianship

In assuming responsibility for the interpretation and use of College administrative data, guardians are expected to recognize the potential serious consequences of their improper guardianship. Improper maintenance, disposal, or release of college administrative data exposes the College to significant risk, including lawsuits, loss of employee and student trust, and loss of funding.
Guardians who are found in violation of this policy will be subject to Cambridge College disciplinary processes and procedures including, but not limited to, those outlined in the Student Handbook, in Cambridge College Policies and any applicable bargaining unit contracts. Illegal acts may also subject users to prosecution by local, state, and/or federal authorities.

POLICY APPLIES TO

College employees, or others who are associated with the College, who request, use, possess, or have access to College administrative data.

EXCEPTIONS

This policy does not prevent the release of institutional data to external organizations or governmental agencies as required by legislation, Regulation, or other legal requirements.

 

Individual Responsible for Revision and Implementation: Vice President for Finance and Administration and Director of Information Technology and General Counsel