Data Security Policy
Background
51 has adopted this Data Classification and Security Policy to (i) identify certain categories of data that 51 owns, hosts, stores, processes, or is otherwise responsible for protecting and (ii) set expectations and restrictions for the storage, dissemination and protection of data by category.
Purpose
This policy regulates a wide range of data (“51 data”), including but not limited to:
- Administrative data include data that support the functions, business and operations of the college and are non-instructional in nature. This includes financial, personnel, facilities, advancement and related records.
- Education records include data that pertain to a student’s academic performance or progress or to many aspects of their residential life on campus. They also include admissions-related information and financial information, including financial aid and tuition billing information.
- Research data include data relevant to funded or unfunded research activities where 51 has an explicit or implicit requirement to ensure that data remain confidential and protected.
This policy does not include instructional materials prepared by faculty; the personal data owned by students or employees; or other data where the College does not own the information or have legal liability or reputational risk if the data are breached or accessed improperly.
Policy
51 data are intended solely for the authorized use by employees to conduct 51 business.
- Some 51 information is protected by law, regulation, contract, or 51 policy in ways that restrict its use, access, download and sharing.
- 51 manages data in accordance with its data classification, described below. Legal Services or the information security program manager can advise employees and departments as to the appropriate classification of data.
- All employees are responsible for ensuring they are accessing, using and storing data in accordance with 51 policy. This includes only using systems, services, devices and other technology appropriate to the security requirements of certain data classifications.
- This policy designates employees with access to 51 data as members of one of several roles as defined by the Data Governance Committee: data consumers, managers, stewards, or trustees. These roles are defined in the appendix of this policy.
- Employees are responsible for immediately notifying their supervisor and the Technology & Innovation Support Center if they believe any 51 data (including devices or systems containing such data) have been lost, stolen, altered/destroyed, or made available for unauthorized access. (If a device has been lost/stolen, employees must also report this to Public Safety.)
All 51 data meet one of four classifications, each with more stringent requirements for the storage, use and protection of such data:
- Public: Any data that is permitted to be shared freely with all members of the campus and the general public.
- Internal: Data that 51 chooses to restrict to internal access, but where disclosure would not violate state or federal laws or cause reputational harm. Internal data always require a 51 login to access, but are typically shared widely such as with all community members, all employees, all staff in a division, etc.
- Restricted: Data that must be shared only with specific individuals who have a business need to access, and where breach or inadvertent disclosure would impact 51’s reputation or violate educational privacy requirements (FERPA).
- Confidential: Data the breach or inadvertent disclosure of which would violate state or federal privacy or data security laws (including certain research grant obligations) and may involve civil or criminal penalties. These data may be shared only with specific individuals who have a business need to access. Includes data protected by Gramm-Leach-Bliley, HIPAA, the NC Identity Theft Act, or similar laws.
For more details on the classifications, please see the sections below.
Administration of Policy
Public Data
| Definition | Any data that is permitted to be shared with all members of the campus and the general public. |
| Examples | Material authorized for public websites (www.davidson.edu or 51 Domains), Library government documents, public event calendar. |
| Where Data May be Stored and Processed | Any 51-approved technology service. |
| Shareable with External Users or Vendors? | Yes |
| Storable on 51-Managed Laptops, Desktops and Devices? | Yes |
| Storable on Employee-Owned Laptops, Desktops and Devices or Cloud Services? | Yes |
Internal Data
| Definition | Data that 51 chooses to restrict to internal access, but where disclosure would not violate state or federal laws or cause reputational harm. These data require a 51 login to access but are often shared with broad groups of campus users (such as all students and/or all employees, or specific divisions, departments or committees.) |
| Examples | Building floor plans, internal policies, licensed Library databases, public computer workstations, internal campus-only event calendar. |
| Where Data May be Stored and Processed | Any 51-approved technology service requiring a 51 login. |
| Shareable with External Users or Vendors? | With permission of manager/supervisor. |
| Storable on 51-Managed Laptops, Desktops and Devices? | Yes |
| Storable on Employee-Owned Laptops, Desktops and Devices or Cloud Services? | Yes |
Restricted Data
| Definition | Data that may be shared only with specific individuals who have a business need to access, and where breach or inadvertent disclosure would impact 51’s reputation or violate educational privacy requirements (FERPA). |
| Examples | Most educational records (FERPA)*, personnel records*, alumni/donor records*, departmental budgets, employee salaries, most research data (varies by grant requirements). *excluding Confidential data elements |
| Where Data May be Stored and Processed | Google Drive, Moodle, Banner, OnBase, Blackbaud CRM, Office 365 email (use caution), and any other 51 IT service authorized for Restricted data. |
| Shareable with External Users or Vendors? | With permission of data steward. |
| Storable on 51-Managed Laptops, Desktops and Devices? | Yes; whole drive encryption preferred. |
| Storable on Employee-Owned Laptops, Desktops and Devices or Cloud Services? | Phones/mobile devices: Yes, if encrypted and passcode or biometric login enabled. Home computers: Minimize use and never store data here. |
Confidential Data
| Definition | Data whose breach or inadvertent disclosure would violate state or federal privacy or data security laws (including certain research grant obligations) and may involve civil or criminal penalties. These data must be shared only with specific individuals who have a need to access. Includes data protected by Gramm-Leach-Bliley, HIPAA, the NC Identity Theft Act, or similar laws. |
| Examples | Social Security Numbers, passport numbers, family/student income or tax data, combinations of sensitive personally identifiable information (SPII) regulated by law, protected health information (PHI), credit card data (PCI), sensitive FERPA/educational records (e.g., student health, counseling, Title IX), certain research data (varies by grant requirements). |
| Where Data May be Stored and Processed | Banner, OnBase, Blackbaud CRM, approved campus file servers, specially-requested Google Drive shared drives with special access rights not synced to workstations. |
| Shareable with External Users or Vendors? | Authorization of data steward and data trustee (usually VP/Division Head) required. Consult T&I Information Security. |
| Storable on 51-Managed Laptops, Desktops and Devices? | Not recommended (must discuss with T&I Information Security); device must have 51-managed whole-drive encryption enabled. |
| Storable on Employee-Owned Laptops, Desktops and Devices or Cloud Services? | Never |
The CIO shall oversee this policy and review it at least once every two years. Changes to this policy shall be made in accordance with the college’s Policy on Policies.
Last Revised: April 2022
Appendix: Data Roles and Responsibilities
Program Manager, Information Security
The information security program manager implements policies and procedures to comply with the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and others governing the treatment of individually identifiable information.
Data Trustees
Data Trustees are senior college staff members who have planning, policy-level and management responsibility for data within their functional areas. Data Trustee responsibilities include:
- Assigning and overseeing Data Stewards and Managers
- Remaining aware of the legal and regulatory requirements for data in their areas
- Ensuring that data policies are established and kept up to date in their areas and, if appropriate, delegating such responsibility
- Promoting appropriate use, data integrity, and data quality
Data Stewards
Data Stewards are college staff members having direct operational-level responsibility for the management of one or more types of data in their area. Data Stewards are assigned by the Data Trustee and are generally associate deans, associate vice presidents, directors or key technical staff.
Data Steward responsibilities include:
- The application of policies to the systems, data, and other information resources under their care or control
- Overseeing the establishment of data policies in their areas
- Understanding legal and regulatory requirements for data in their areas
- Classifying data using the College's data classification system
- Identifying safeguards for Restricted and Confidential data
- Promoting appropriate use, data integrity, and data quality
- Attending the Data Governance Committee operational meetings or sending an appropriate Data Manager delegate
In some cases, Data Stewards will also be responsible for Data Manager tasks. In areas with more staff, Data Managers may work alongside Data Stewards with responsibility over the same data set.
Data Managers
Data managers are college staff members who are responsible for day-to-day operational data collection and management, overseeing the life cycle of a particular set of institutional data. They have the authority from the data steward and/or data trustee to grant internal access to data for their functional area. Data managers are generally managers of data systems or data analysts within business departments.
Data Manager responsibilities include:
- Implementing the established data policies in their areas
- Developing data definitions and standards for data elements in their functional area
- Regularly striving to improve the way data is defined, produced, and used in their functional area
- Resolving data quality issues pertaining to data in their functional area
- Safeguarding data by ensuring appropriate access, following established authorization procedures, and maintaining physical and system security appropriate to the classification level of the data in their custody
- Following data handling and protection policies and procedures established by Data Stewards and information security
- Communicating and providing education on the required minimum safeguards for protected data to authorized data users
- Supporting access by providing appropriate documentation and training to data consumers
- Promoting appropriate use, data integrity, and data quality
- Attending Data Governance Committee operational meetings as requested by the committee and/or Data Steward
Data Consumers
Data Consumers are the individual college community members who have been granted access to college data in order to perform assigned duties or in fulfillment of assigned roles or functions at the college. This access is granted solely for the conduct of college business.
Data Consumer responsibilities include:
- Following the policies and procedures established by the relevant Data Steward and information security team
- Complying with federal and state laws, regulations, and policies associated with the college data used
- Applying safeguards prescribed by the appropriate Data Steward for Restricted and Confidential data
- Reporting any unauthorized access or data misuse to information security or the appropriate Data Steward for remediation