The College's administrative data and applications are a valuable resource, vital to the performance of College functions and fulfillment of responsibilities. The College must therefore ensure that this resource is properly managed, used, protected, and controlled.
This policy defines the security and protection requirements for administrative data and applications residing on College computing systems accessible by College employees and faculty. This policy also details the rights and responsibilities of College personnel in the handling, dissemination, security, and protection of the College's data and applications.
Administrative data and applications reside on all computers used for administrative purposes including laptops/notebooks that are maintained and supported by the IT Department. Data on other media such as paper hard copy, diskettes, and other technologies are also considered administrative data. This data security policy applies to all administrative data.
Access to administrative data, whether current or archived at the College, is provided to those individuals who, in the course of performing their College responsibilities and functions, must use specified data. Determined by the requirements of their jobs on a "need to know" basis, access to administrative data and applications will be granted to College employees, whether staff or faculty.
A faculty or staff member may access specific data for special College projects with written permission from the Registrar's office and under appropriate supervision.
Unauthorized or inappropriate use of the data and applications, or lack of adherence to security policies and procedures, will not be tolerated and will result in disciplinary action, which may include termination of employment.
Sensitive Data versus Non-Sensitive Data
Data belongs to the College as an institution and not to any particular function, department, unit, or individual. Data is available to any staff or faculty member who demonstrates a "need to know" relevance as it relates to the performance of their job.
Data has varying levels of sensitivity. There are three categories of administrative data: public, campus-wide (directory information), and restricted/sensitive.
Public data is defined as data that is available or distributed to the general public regularly or by special request. Public data includes the following:
- Employee name and title
- Department and employment dates
- Names, degrees, and majors of graduating seniors
- Annual financial reports
- Admissions summary reports
- Monroe College Catalog and Bulletin information
Campus-Wide Data (Directory Information)
Campus-wide data are those which are typically found in the College's directory or the Alumnae directory and thus are sometimes referred to as directory information.
For students, the data include:
- Name, class year, address, and phone
- Major field of study
- Dates of attendance at the College
- Degree, honors, and awards received
- Home address and phone numbers (unless the student requests that home information be suppressed)
For employees, the data include:
- Name and title
- Department, work phone, and work e-mail address
- Dates of employment
- Home address and phone (unless the employee requests that home information be suppressed)
Restricted/Sensitive Data
Restricted/sensitive data may be protected by federal and state regulations and intended for use only by individuals who require such information in the course of performing their College functions. If restricted data is to be accessed across multiple functional areas or College-wide, the appropriate Executive Staff member must authorize access.
Examples of restricted/sensitive data include (not a complete list):
- Employee data - includes EEO data, salary data, termination/disability data, appointment data, non-salary related benefits, biographical data, social security numbers, and salary survey results
- Faculty data - includes instructor evaluation data
- Student data - includes financial aid data, parents' financial data, student accounts receivable data, students' grade data, biographical and academic data
- Financial data - includes financial data by operating unit
- Alumnae and Friends data - includes gift and pledge data, financial data, employment data, biographical data
Restricted/sensitive data must be treated as completely confidential and should not be discussed with others, except in the course of performing one's College function.
Requesting Authorization for Access to Administrative Data
Requests for access to administrative data should be submitted in writing to the Help Desk unit in the IT department.
If an employee or faculty member requires access to administrative data and applications on computers supported and maintained by the IT department, a "Help Desk" request should be completed. Only access to the specific applications and data related to the employee's specific College responsibilities should be requested. If an employee requires access to a system that is not supported and maintained by the IT department, he/she must request and receive written permission from the head of the department in which that system is housed.
Termination or Change of Status of Employees
Administrative Department Heads and Academic Department Chairs are responsible for informing Finance/Human Resources and the IT Help Desk unit of an employee's termination (if possible, prior to the employee's termination).
Maintaining Confidentiality of College Data
It is the responsibility of the Data Owner (the employee who has initial access to the data) to ensure that all individuals who are given access to restricted or sensitive data are instructed about their confidential nature. The Data Owner is also responsible for conveying the status and level of confidentiality when the data is archived.
Unauthorized release of sensitive or restricted information is a breach of data security and is cause for disciplinary action, which includes the possibility of dismissal.
Reporting Data Security Breaches
Should you be aware of or see possible breaches in data or computer security, you are required to report all such occurrences to the IT department. The security breach will be referred to the appropriate Executive Staff person.
Data security breaches include, but are not limited to:
- The distribution of login IDs and passwords to other individuals
- Inappropriate dissemination of sensitive or restricted data
- Accessing, using, or changing data that is not necessary to perform the individual's College functions or for which the individual has not received written permission from the data owner
- Neglecting to lock computer systems when away from workstations
Unauthorized or inappropriate use of data and applications or lack of adherence to security policies and procedures will not be tolerated and may result in disciplinary action, which may include termination of employment.