Drafted April, 1994
Wellesley College administrative data and applications are a valuable resource, vital to the performance of College functions and fulfillment of responsibilities. The College must therefore ensure that this resource is properly managed, used, protected, and controlled. This policy defines the security and protection requirements for administrative data and applications residing on College computing systems and accessible by College employees. This policy also details the rights and responsibilities of College personnel in the handling, dissemination, security, and protection of College data and applications.
Administrative data and applications reside on all computers used for administrative purposes including computers maintained and supported by Information Technology (IT) as well as other minicomputers and personal computers across campus. Data on other media such as paper hard copy, diskettes, and other technologies are also considered administrative data. This data security policy applies to all administrative data.
Access to administrative data whether current or archived at Wellesley College is provided to those individuals who, in the course of performing their College responsibilities and functions, must use specified data. Determined by the requirements of their jobs on a “need to know” basis, access to administrative data and applications will be granted to College employees, whether staff, faculty or employed students.
With special permission, a student, faculty member, staff member or volunteer may access specific data for special College projects with the written permission of the Data Custodian (defined in Appendix C - Glossary of Terms) under appropriate supervision.
Unauthorized or inappropriate use of the data and applications, or lack of adherence to security policies and procedures will not be tolerated and will result in disciplinary action, which may include termination of employment.
1.0 Data Definitions: Sensitive versus Non-Sensitive Data
Data belong to the College as an institution and not to any particular function, unit or individual. Data are available to any user who demonstrates a “need to know” relevant to the performance of his/her job.
The College policy on the confidentiality of student records is described in the “Wellesley College Guidelines on Student Education Records, December 1976” and sections on “Confidentiality of Student Records” and “Directory Information” in the Wellesley College Bulletin (see Appendices E and F).
Data have varying levels of sensitivity. There are three categories of administrative data: public, campus-wide (Directory Information) and restricted/sensitive.
1.1 Public Data
Public data are defined as data that are available or distributed to the general public regularly or by special request. Public data include the following:
Employee name, department, title, and employment dates for employment verification and reference checks
Names, degrees, and majors of graduating seniors
Annual Financial Reports
Admissions Summary Reports
“FACT” publication
Official Statement for the Bond Issue Information
Wellesley College Catalog and Bulletin Information
1.2 Campus-Wide Data (Directory Information)
Campus-wide data are those which are typically found in the College directory or the Alumnae directory and thus are sometimes referred to as directory information.
For students, the data include:
Name, class year, college address and phone, major field, date and place of birth, dates of attendance at Wellesley College, degree, honors and awards received, home address and phone (unless student requests that home information be suppressed).
For employees, the data include:
Name, department, work phone, title, e-mail address, home address and phone (unless employee requests that home information be suppressed).
Campus-wide data are not public. The College directory contains the following statement: “The Wellesley College Directory is for use within the College Community only. Any use of this Directory for solicitation purposes is expressly prohibited.”
1.3 Restricted/Sensitive Data
Restricted/sensitive data may be protected by federal and state regulations and are intended for use only by individuals who require that information in the course of performing their College functions. If restricted data are to be accessed across multiple functional areas or College-wide, the appropriate Senior Staff member must authorize access.
Examples of restricted/sensitive data include (not a complete list):
Employee data - includes EEO data, salary data, termination/disability data, appointment data, non-salary related benefits, biographical data, and salary survey results
Faculty data - includes instructor evaluation data
Student data - financial aid data, parents’ financial data, student accounts receivable data, students’ grade data, biographical and academic data
Financial data - financial data by operating unit
Alumnae and Friends data - gift and pledge data, financial data, employment data, biographical data
Restricted/sensitive data must be treated as completely confidential and should not be discussed with others, except in the course of performing one’s College function.
2.0 Data and Application Security
Each administrative department shall designate a Data Custodian who is responsible for administrative data and specific applications in his/her functional area. The Data Custodian is usually the department head; the specific responsibilities of the Data Custodian may include:
Review and approval of all requests for access to and update capability for specific administrative data and applications
Ensuring the quality of the data residing in the administrative unit’s applications
Ensuring that the Data Custodian’s department’s uses of administrative data are consistent with existing College policies
Ensuring that administrative systems which are not managed by IT are secured and protected from unauthorized use, improper disclosure, and accidental alteration, and that such systems are properly backed up
Although some of the responsibilities of the Data Custodian may be delegated to others in his/her functional area, the Data Custodian continues to have overall accountability for the use and security of the data.
3.0 Requesting Authorization for Access to Administrative Data
Requests for access to administrative data should be submitted in writing to the Data Custodian responsible for the data and applications in his/her functional area.
If a College employee requires access to administrative data and applications on computers supported and maintained by IT, a “Requests for User Access” form should be completed. Only access to the specific applications and data related to the employee’s specific College responsibilities should be requested. The form must be reviewed and signed by the Data Custodian and his/her designee, as appropriate.
If a College employee requires access to a system that is not supported and maintained by IT, he/she must request and receive written permission from the Data Custodian of that system.
4.0 Termination or Change of Status of Employees
Administrative Department Heads and Academic Department Chairs are responsible for informing the Personnel Office or the Faculty Records Office, as well as the Database Manager, of an employee’s change in status or termination. Changes in status may include leaves of absence, significant changes in position responsibilities or transfer to another department. The form “Request for User Access” must be completed and signed and sent to the Database Manager. Employees who are leaving the College are to be informed that their electronic mailboxes will be deleted two weeks after their last day of work.
Drafted May, 1991
5.0 Distributing Administrative Information - Data Extraction
Extraction of institutional data for processing on systems other than the main administrative systems should be done only if the confidentiality, integrity and accuracy of the mainframe data and downloaded data can be ensured.
Data extraction is to be done only by individuals who have been given specific rights by the Database Administrator and the Data Owner to do so. Requests for rights are handled in the same manner as requesting access to data and applications.
Extracted data are the responsibility of the user and must be secured.
Data should not be extracted for purposes that duplicate data entry or processing done on the administrative mainframe system. Data considered in this category include names, addresses, phone numbers, and social security numbers.
Requests for data extraction are to be evaluated based on guidelines determined by the Data Owner.
6.0 Maintaining Confidentiality of Data
It is the responsibility of the Data Owner to ensure that all individuals who are given access to restricted or sensitive data are instructed about their confidential nature. The Data Owner is also responsible for conveying the status and level of confidentiality when the data are archived.
Unauthorized release of sensitive or restricted information is a breach of data security and is cause for disciplinary action, which includes the possibility of dismissal.
7.0 Reporting Data Security Breaches
Should you be aware of or see possible breaches in data or computer security, you are required to report all such occurrences to the Manager of Database Systems in Information Services and the Data Owner. The security breach will be referred to the appropriate Senior Staff person.
Data security breaches include, but are not limited to:
the distribution of login IDs and passwords to other individuals
neglecting to log off systems when away from workstations
inappropriate dissemination of sensitive or restricted data
accessing, using, or changing data that are not necessary to perform the individual’s College functions or for which the individual has not received written permission from the Data Owner.
Unauthorized or inappropriate use of data and applications or lack of adherence to security policies and procedures will not be tolerated and may result in disciplinary action, which may include termination of employment.