F9.2 Information Security Policy

Effective Date: March 22, 2018
Last Reviewed: March 22, 2018


Purpose

The purpose of this policy is to identify information resources as a critical College asset and define responsibilities to safeguard these resources from unauthorized access, modification, disclosure or destruction and protect the privacy of the people whose data we maintain.

Scope

This policy applies to all Stonehill College employees, including, but not limited to, staff, faculty, students, and any other individuals working for or acting as an agent or representative of the College. This policy applies to all information collected, stored or used by any division, department and person in connection with College business. This policy contains standards required in addition to any other requirements of federal, state or international law with respect to the security and privacy of educational, business, or other records maintained by the College.

Policy

1. The Chief Information Officer (“CIO”) for the College is designated as the employee responsible for the College’s information security program.

2. The General Counsel for the College is designated as the Data Protection Officer (“DPO”) responsible for implementing the College's privacy policies and processes.

3. All users of College information resources are expected to manage, access, and utilize the information in a manner that maintains and protects the security, integrity and confidentiality of that information regardless of the medium on which the data resides or the format, such as in electronic, paper or other physical form (hereinafter collectively “Data”).

4. All users of College Data pertaining to natural persons who are citizens or residents of the European Union are expected to use appropriate technical and organizational measures to ensure the security of the Data relative to the risk. The DPO or his or her designee shall create and maintain procedures in accordance with the European General Data Protection Regulation (“GDPR”).

5. Any agreement with a third-party vendor must be reviewed by the Office of the General Counsel (“OGC”), consistent with Policy 11.5, Signing Authority for Contracts and Other Agreements. The OGC shall ensure that any agreement with a third-party vendor with access to personal information shall stipulate that the vendor has the ability to protect such personal information to the extent necessary to comply with applicable law, including the Massachusetts Data Security Law and the GDPR and their implementing regulations.

6. Any agreement with a third-party vendor shall include such assurances and further require that the third-party vendor provide written certification, either as part of the agreement, or in a separate document, that such third-party vendor has a written information security program which at least meets the standards of Massachusetts law, federal law, and the GDPR.

7. Each Division Head of the College is designated as an Information Custodian (“IC”) for the information resources within their division. Each division on campus shall designate individuals to serve as additional ICs. The CIO, DPO, and ICs shall be responsible for:

a. identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any Data;

b. identifying all Data and Data storage devices (systems, servers, laptops, tablets, etc.) to determine which records and/or devices contain personal information;

c. ensuring that terminated employees cannot access Data;

d. documenting actions taken in connection with any incident involving a breach of security to include a post-incident review of events and actions taken, if any, to make changes in practices related to Data security.

8. Each Division Head may also assign individuals within their divisions to serve as Information Security Liaisons (“Liaisons”). ICs and Liaisons are responsible for:

a. identifying and classifying the information entrusted to their care according to the level of security required as defined in this policy, which includes, in descending order of sensitivity, Confidential, Internal Use Only, and Public, and reviewing these classifications at least on an annual basis;

b. limiting the amount of personal information collected to what is reasonably necessary to accomplish the purpose for which it is collected;

c. limiting access to those persons who are reasonably required to know such information in connection with job responsibilities or in compliance with state or federal law; and

d. limiting the time such information is retained to that which is reasonably necessary to accomplish the purpose of the Data collection, consistent with Policy E1.3, Retention Policy.

9. Any individual subject to this policy must notify the CIO and OGC immediately if Confidential information is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the College's information systems has taken place or is suspected of taking place. The OGC is responsible for compliance with applicable laws related to breach notification.

10. Any employee who violates this policy is subject to disciplinary action up to and including dismissal.

Definitions

Information Custodians (ICs)

Information custodians function as data controllers for the information that is collected and maintained by individuals in their divisions. ICs determine the purposes and means of the processing of personal information. They are responsible for establishing access procedures for the information resources available in their area and for defining access requirements for that information.

Information Security Liaisons (Liaisons)

Information Security Liaisons assist Information Custodians to regularly identify and classify information maintained within their department or division. Liaisons also assist in limiting what is collected, who has access to it, and the time such information is retained.

Personal Information or Personal Identification Information (PII)

PII is defined by Massachusetts law as a person’s first name and last name or first initial and last name in combination with one or more of the following:

• Social Security Number

• Driver’s License Number or state-issued Identification Card Number

• Financial account number, or credit or debit card number

Personal Data

Personal data is defined by the GDPR as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data pertaining to the subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics or biometrics, health, sex life or sexual orientation, criminal record is further defined as special personal data.

Information Classifications

Confidential

Confidential information includes information protected by statutes, regulations, College policies or contractual language. It must be given the highest level of protection against unauthorized access, modification or destruction. Unauthorized access to personal confidential information may result in a significant invasion of privacy, or may expose members of the College community to significant financial risk. Examples of personal confidential information include: information protected under privacy laws including FERPA and GDPR; information concerning the pay and benefits of College employees; personal identification information or medical/health information pertaining to members of the College community.

Internal Use Only

Internal Use Only information includes information that is less sensitive than confidential information, but that, if exposed to unauthorized parties, may have an indirect or possible adverse impact on personal interests, or on the finances, operations, or reputation of Stonehill College. Examples of this type of data from an institutional perspective include internal memos meant for limited circulation, College financials or draft documents subject to internal comment prior to public release.

Public

Public information includes information that is generally available to the public and has no existing local, national or international legal restrictions on access or usage. Public data, while subject to College disclosure rules, is available to all members of the College community and to all external entities. Examples of public information include publicly posted press releases, directory information, and publicly posted schedules of classes.

Additional Security Measures

1. The CIO shall regularly monitor the College’s compliance with this policy. The CIO shall annually review the scope of the College’s security measures and perform an additional review whenever the College makes a material change to its operational practices regarding Data security.

2. The OGC shall maintain the College’s privacy notice(s). The OGC, in coordination with ICs, shall annually update records of personal data maintained by the College that include:

a. an overview of the College’s data collection and processing actions;

b. an explanation of the personal data that is processed;

c. a description of the purposes for which that personal data is processed;

d. a description of how the data subject explicitly consents to the collection and processing of their personal data, or the ;

e. an explanation of the applicable retention periods;

f. a description of third-parties who process personal data on behalf of the ICs; and

g. an indication of who to contact in case of a complaint, a question, or when a data subject wishes to exercise his or her rights under GDPR.

3. Confidential information may only be accessed by persons with a need-to-know under the authorization of the IC.

4. Confidential information that is accessed on College information systems that are hosted on campus shall only be accessible via the Internet through a secure Virtual Private Network.

5. Consistent with Policy F9.1, Account Password Policy, persons authorized to access College information systems shall utilize strong passwords, not share their passwords, and keep their passwords in a secure location and format. Additionally, they will stay informed about security threats to their passwords including email phishing attacks.

6. Information resources that are stored in an electronic format must be stored on servers or in services provided by IT that have appropriate firewall protection, run up-to-date operating systems, require secure authentication by authorized users, and are secured by encryption measures authorized by IT in order to protect against loss, theft, unauthorized access and unauthorized disclosure.

7. Confidential and Internal Use Only information should not be stored on laptops, tablets, smartphones, USB keys, or other portable devices without the authorization of the IC and only then with appropriate encryption.

8. Authorized persons should collect, distribute, and retain only the minimal amount of Confidential and Internal Use Only information that is related to their business needs and essential to the performance of assigned tasks.

9. Confidential and Internal Use Only information resources must be stored only in a locked drawer or room or an area that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.

10. Confidential and Internal Use Only information sent via fax must be sent only by an authorized person to a previously established and used address or one that has been verified as using a secured location. Any unnecessary Confidential Information should be redacted prior to transmission.

11. Confidential and Internal Use Only information resources must not be posted on any public website or social media site and should not be stored in any internet service that has not been approved by the CIO and OGC.

12. Confidential and Internal Use Only information resources must be destroyed when no longer needed, subject to Policy E1.3, Retention Policy. Destruction may be accomplished by the following methods.

a. "Hard Copy" materials must be destroyed by shredding or another process that destroys the data beyond either recognition or reconstruction. After destruction, materials may be disposed of with normal waste.

b. Electronic storage media shall be sanitized appropriately by degaussing prior to disposal with guidance from IT. Disposal of electronic equipment must be performed under the supervision of IT Staff.