Body
I. Purpose
The College of St. Scholastica believes that its Institutional Data is a valuable resource. This resource may only be used in a legal, ethical, and responsible manner. This Data Access Policy establishes and defines the responsibilities and roles of users who are granted access to institutional data.
The College provides employees with the information they need to do their jobs. Therefore, an employee will be granted privileges consistent with their job duties to access Public, Confidential, and Private Information about faculty, staff, students, alumni, and donors.
All employees granted access to institutional data must complete the online Annual Confidentiality Training (ACT), which outlines student data security measures, responsibilities, and policies at The College of St. Scholastica. Each user should know their responsibilities as defined in the tutorial. In addition, each user shall read, understand, and sign off on a confidentiality statement at the end of the Annual Confidentiality Training within two weeks after receiving access to the Banner and other data systems.
Scope of the College Information Policy
This policy statement establishes measures for the protection, access, and use of The College of St. Scholastica's administrative, electronic information.
It also defines the responsibilities of all who access and manage this data and equipment. Offices may have individual guidelines that supplement, but do not supplant or contradict, this policy statement. Data entrusted to The College by other organizations (e.g., foundations and government agencies) are governed by terms and conditions agreed upon with those organizations. This policy shall govern specific issues not governed by such agreed terms.
II. Policy
Data Security
The College owns the system, and The College maintains the right to provide further regulation, as it deems appropriate, limits use or access, and monitors the systems used for security purposes. Users, by their use of the system, acknowledge The College's rights in this regard.
The College cannot completely guarantee the security and integrity of any information placed on the network, including personal data or programs placed on the network or individuals' workstations. While reasonable measures are being taken to ensure the availability, integrity, and confidentiality of information on the network, there is still the threat of natural disasters, sophisticated hackers, and password violations that could jeopardize the system. Information stored on network servers is backed up, and therefore, recoverable.
Institutional Data
Institutional data (electronic and paper) consists of information stored in any college database or on paper that contains information on past, current, or future students, employees, donors, or friends. This policy is primarily concerned with administrative data stored on college servers, scanned images document management systems, or administrative paper files. Additionally, the Institutional Review Board provides initial and continuing review of all research activity involving human participants.
Institutional data is a vital College asset. We are all stewards of The College's data. Regardless of data systems, all institutional data remain the College’s property and are governed by this policy statement.
Institutional Data Use
Institutional data shall be used only for the legitimate business of The College of St. Scholastica. Data shall be used only as required in the performance of job functions. Under no circumstances shall anyone use personally identifiable private/confidential institutional data in any publication, seminar, or professional presentation, or otherwise release data, in any form, outside The College without prior written approval from the appropriate data steward (see definition below) and/or the appropriate executive officer(s). Data must never be left on any non-College-owned device.
As a general principle of access, institutional data (regardless of who collects or maintains it) shall be shared among those employees whose work can be done more effectively by knowing such information. Though The College must protect the security and confidentiality of data, the procedures to allow access to data will not unduly interfere with the efficient conduct of College business.
All who use institutional data have the right to expect the data to be accurate. All who maintain institutional data have the responsibility to keep them accurate.
Employees of The College are required to know and adhere to the Family Educational Rights and Privacy Act (FERPA). Employees who work with protected health information must understand and comply with the Health Insurance Portability and Accountability Act (HIPAA).
Three Categories of Data
The categories of College Data are differentiated principally by two factors: 1) who is permitted access, and 2) by restrictions on handling, disclosure, or use of the data. College Data is classified into three categories.
Confidential Information
Confidential Information is defined in the MN State Statute 325E.61 (e), as an individual's first name or first initial and last name combined with any one or more of the following: social security number, driver's license or Minnesota ID number, bank or credit card account numbers, or access codes.
Confidential information, due to its nature, requires more control concerning access or disclosure. Confidential information may be accessed by College personnel with a legitimate need-to-know, based on their role within The College, or as authorized by the relevant College official.
Confidential information will typically not be disclosed outside The College or to those without a need to know. Disclosure of confidential data outside The College will occur only with the advance authorization indicated above.
Confidential data must be stored on network servers in a secure environment. Confidential data must be redacted from documents scanned into any document imaging system unless adequately secured. Confidential data must not be downloaded or saved to desktop computers or laptops unless that computer is encrypted. Even deleted files can be recovered and accessed using inexpensive data recovery tools.
Confidential data must not be downloaded and stored on USB drives or other peripheral devices without that device being adequately encrypted.
Confidential data must not be transferred via e-mail, file transfer protocol (FTP), or any other network application without being encrypted.
Printed reports containing confidential data must be kept secure and should be properly disposed of via shredding when no longer needed. Each person is responsible for security, privacy, and control of the confidential data in their possession.
Private Information
Private Information includes, but is not limited to CSS ID (Banner identification number), religion, marital status, student grades, passwords, employee phone, employee date of birth, employee address, donor name and donation, gender, ethnicity, citizenship, citizen visa code, veteran and disability status, and emergency contact information.
Because of its highly sensitive nature or legal restrictions, private information requires strict access control and limited disclosure. Private information may be accessed by College personnel with a legitimate need-to-know, based on their role within The College, and as authorized by their supervisor or the appropriate data steward.
Disclosure of private information outside The College or those not authorized by the relevant College official will typically not be allowed; however, any disclosure of private information will be made only with advance authorization of the relevant data steward and/or approval by the appropriate executive officer.
Public Information
Public Information is information or data that may be freely accessed or disseminated at the discretion of the relevant College official. Public information is often called "directory information." Examples include public relations news releases, directory information (that has not been otherwise restricted from public disclosure), general websites, and academic publications.
Examples of student public information include name, student date of birth, student home and campus address, email address, student telephone listing, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees, and awards received, photograph, and the most recent previous educational agency or institution attended. Measures should be taken to ensure the individual does not have a confidentiality hold. If an individual is both an employee and a student, the information should be considered a student.
Types of Access
Query-only access enables the user to view, analyze, and download, but not change, institutional data. Downloaded information should be used and represented responsibly.
Maintenance access provides both inquiry and update capability. Maintenance is defined as add, delete, and change. This capability is generally limited to the offices directly responsible for the collection and management of the data. This access is available to administrators and users who have an authorized need to change institutional data in the routine performance of their job duties. Each user of administrative information is assigned appropriate combinations of query-only and maintenance access to specific parts of the administrative information system. The types of access are determined by the data stewards (see definition below).
Data Ownership
Institutional Ownership
Institutional data is a College resource, although individual offices, departments, programs, or schools may have responsibilities for portions of college data. The College retains ownership of and responsibility for the data. The College shall appoint data stewards to manage specific elements of institutional data. The Office of Institutional Effectiveness maintains a current list of data stewards and implements this policy, as set forth below.
Data Stewards
Data steward responsibilities are central for maintaining College operations. Data stewards should identify a backup. Data stewards are responsible for ensuring the accuracy, completeness, integrity, and as appropriate, the confidentiality of College information.
Data stewards, in collaboration with the Office of Institutional Effectiveness and the Data and Operations Committee, are also responsible for the maintenance and control of the administrative information system's validation and rules tables, a business process that defines how business is conducted at The College, and the integrity of all coding and data entry processes. Data stewards shall provide education and training to individuals concerning access and manipulation of institutional data.
A data steward, usually an administrator of a major College office or department, may make data available to others within their purview for use and support of the unit's functions. Data stewards shall define access control principles and restrictions on use and handling for the data for which they are assigned responsibility, consistent with the data categorization described above.
Before granting access to data, the data steward shall be satisfied that protection requirements have been implemented and that a "need to know" is demonstrated. By approving end-user access to institutional data, the data steward consents to use this data within the everyday business functions of administrative and academic offices. Access to College data shall not be granted to persons unless there is an established "need to know."
Data stewards will be required to review all security authorizations at least annually for their area and make additions or deletions as necessary.
All levels of administrative management shall ensure that, for their areas of accountability, each information system user knows their responsibilities as defined in this policy and that their office environment is secure concerning institutional data.
Supervising administrators shall ensure a secure office environment concerning all institutional information systems. Administrators shall validate the access requirements of their staff according to job functions before submitting requests for the provision of access.
Information Users:
-
Each user is responsible for all transactions occurring during the use of their login and password. Passwords must never be shared for any reason.
-
Individuals are responsible for understanding all the data elements that are used. If a person does not understand the meaning of a data element, they should consult the appropriate data steward or their supervisor.
-
Users must exercise due care in using the institution's electronic information systems, to protect data files from unauthorized use, disclosure, alteration, or destruction. Each person is responsible for security, privacy, and control of their data.
Users may not:
-
Disclose data to others, except as required by their job responsibilities
-
Use data for their own personal gain, nor the gain or profit of others
-
Access data to satisfy their personal curiosity
-
Use institutional data (in detail or summary) in any publication, seminar, or professional presentation without the permission of the relevant college official
-
Misuse or inappropriate use by individuals will result in revocation of the user's access privileges.
Important Information
Information Technologies
The Office of Institutional Effectiveness shall oversee the implementation of this policy statement, review requests for exceptions to the policy, and manage disputes concerning the use and stewardship of centralized electronic institutional data and institution-wide information systems.
The Information Technologies Department shall ensure that a variety of security measures are in place. It shall maintain the central institutional database and ensure data security, integrity, and availability to all who have been granted access to it. Central database system backup will be performed regularly. A disaster recovery plan will focus on minimizing the disruption caused when the central computing facility is inoperative. Regular upgrade and maintenance of the central hardware and software will occur to protect The College's information. The cost of data protection should be commensurate with the value of data and the legal implications of the loss of such data.
The Information Technologies department shall process requests for data access through data stewards. In cases where requests for access conflict with this policy, the Office of Institutional Effectiveness will arbitrate.
Violations of this Policy
Appropriate procedures shall be followed in reporting any breach of security or compromise of safeguards. Any person engaging in unauthorized use, disclosure, alteration, or destruction of College data in violation of this policy shall be subject to appropriate disciplinary action, including dismissal or prosecution under applicable state or federal laws.
Consequences
The Office of Institutional Effectiveness is authorized to provide an interpretation of these policies. Users violating these policies will be required to discontinue their inappropriate use immediately. Any further violation may lead to the loss of network privileges approved by the appropriate Dean or Vice President.
Offenders are also subject to College disciplinary procedures as well as criminal or civil prosecution. Any appeals should follow proper College grievance procedures.
Questions
Questions on the interpretation of this Policy should be directed to the Office of Institutional Effectiveness at oie@css.edu.
Modifications to this Policy
The Office of Institutional Effectiveness reserves the right to modify this policy at any time. Users of the system will receive prompt notification of all modifications.