Purpose
This policy defines the guidelines for the security and confidentiality of data maintained by Cambridge College, both in paper and electronic form. This policy also informs each person who is entrusted to access student, employee and/or institutional data of their responsibilities with regard to confidentiality and safeguarding Cambridge College data.
Statement of Policy
All custodians and guardians of administrative data are expected to manage, access, and utilize the data in a manner that maintains and protects the security and confidentiality of that information. All notices to Federal, State & local regulations must be considered and adhered to when using or sharing personal or confidential information. Any notice of a breach of confidential information, whether in paper or electronic form, MUST be reported to the appropriate Vice President for the area involved and the General Counsel immediately.
Under no circumstances shall credit card numbers be stored or sent from College servers or desktops.
Definitions
There are two primary categories of data handling and access defined in this policy. They are Data Custodians and Data Guardians.
Data Custodians
Data custodians function as gatekeepers for the data that is collected and maintained by individuals in their departments. Custodians are responsible for establishing access procedures for the administrative data available in their area and for approving access requests for that data. The table below indicates the administrative areas that maintain the college’s primary data stores and the respective data custodians.
Administrative Areas | Data Custodian |
---|---|
Alumni and Development Data | Vice President for Advancement |
Financial Data | College Controller |
Financial Aid Data | Director of Financial Aid |
Human Resources Data | Director of Human Resources |
Information Technology Data | Director of Information Technology |
Student Services Data | Dean of Enrollment Management |
Data Guardian
A data guardian is defined as anyone who, as a function of their position at Cambridge College, possesses or has access to Cambridge College administrative data, either electronic or otherwise. Guardianship and its associated responsibilities apply to individuals who dispense or receive data.
Department heads are responsible for signing off on data access requests for employees under their supervision.
Scope
College employees or others who are associated with the college and who request, use, possess, or have access to college administrative data must agree to adhere to the protocols outlined above. In addition, guardians, custodians and data users are prohibited from:
- Changing data about themselves or others except as required to fulfill one’s assigned College duties or as authorized by a supervisor. (This does not apply to self-service applications that are designed to permit you to change your own data.)
- Using information to enable actions by which other individuals might profit.
- Disclosing information about individuals without prior authorization by a supervisor.
- Engaging in what might be termed “administrative voyeurism” (reviewing information not required by job duties) unless authorized to conduct such analyses.
  - Examples include tracking the pattern of salary raises, viewing a colleague’s personal information, looking up someone else’s grades, or viewing another colleague’s work product when not authorized to do so.
- Circumventing the level of data access given to others by providing access that is broader than that available to them, unless authorized. For example, providing an extract file of employee salaries to someone who does not have security access to salary data is prohibited by this policy.
- Allowing unauthorized access to Cambridge College’s administrative systems or data by sharing an individual’s username and password.
- Engaging in any other action that violates the letter and spirit of this policy, either purposefully or accidentally.
Improper Guardianship
In assuming responsibility for the interpretation and use of College administrative data, guardians are expected to recognize the potential serious consequences of their improper guardianship. Improper maintenance, disposal, or release of college administrative data exposes the College to significant risk, including lawsuits, loss of employee and student trust, and loss of funding.
Guardians who are found in violation of this policy will be subject to Cambridge College disciplinary processes and procedures including, but not limited to, those outlined in the Student Handbook, in Cambridge College Policies and any applicable bargaining unit contracts. Illegal acts may also subject users to prosecution by local, state, and/or federal authorities.
Policy Applies To
College employees or others who are associated with the College who request, use, possess, or have access to College administrative data.
Exceptions
This policy does not prevent the release of institutional data to external organizations or governmental agencies as required by legislation, regulation, or other legal requirements.
Individual Responsible for Revision and Implementation:
Vice President for Finance and Administration and Director of Information Technology and General Counsel
Date of Original Implementation: October 2011
Date of Last Revision: October 2011