Massachusetts College of Art and Design non-public data are a valuable resource that is vital to the performance of college functions and fulfillment of its responsibilities. Therefore, the college must ensure its data are accessible to those who require access, as well as appropriately managed, accessed, and protected.
This policy defines the security and protection requirements of non-public data stored on college owned, managed, or leased technology resources, whether on-premise or remote, and outlines the rights and responsibilities of college personnel in the handling, dissemination, security, and protection of such data.
Access to non-public data at Massachusetts College of Art and Design is granted to employees solely on a need-to-know basis, i.e. the justification is based on the requestor’s assigned duties and not their seniority, level in the organization, political influence, work relationships, or any other factor not directly related to the requirements of their job function.
A data custodian may grant a student, faculty member, staff member, or volunteer temporary (time-limited) access for special college projects while working under supervision of a College employee. The data custodian must first receive a written request with justification and proposed start and end dates before approving the request in writing. Data custodians must keep a copy of all approved requests. After the approved access period has expired, access must be removed by the data custodian.
Any usage of, or administrative action performed on, data in violation of this policy, or other approved College policies and procedures governing data usage, may result in disciplinary action, which may include termination of employment.
Data belong to the College as an institution and not to any particular function, unit, or individual. Data are available to any College-affiliated individual who provides a sound need-to-know justification based on their assigned College duties and receives written approval from the data custodian for that data. The college policy on confidentiality of student records is described in the Massachusetts College of Art and Design’s Confidentiality of Student Records policy.
Data have varying levels of sensitivity. There are three categories of administrative data at the College: Public, Protected, and Campus-wide (Directory Information).
Data Definitions
Public
Public data are defined as data that are available or distributed to the general public regularly or by special request and present no risk to the College if publicly disclosed. Public data include the following:
- Employee name, department, title, and employment dates for employment verification and reference checks
- Annual Financial Reports
- Admissions Summary Reports
- Information published on our public website, www.massart.edu, including the course catalog.
- Information obtained through a properly submitted and approved Freedom of Information Act (FOIA) request.
- Any other data that the College is required to share due to local, state, or federal regulation, such as payroll information (Massachusetts Public Records Law) or campus crime statistics (federal Clery Act reporting).
Protected
Protected data is information that the College must protect and to which it must ensure only authorized individuals have access. It encompasses the following types of information:
- Regulatory Requirement to Protect: Data the College is required by federal or state regulation to protect and restrict access to, particularly personally identifiable information (PII).
	- PII is the combination of the full name (first and last) of an individual person plus one or more other elements of uniquely identifying information, such as, but not limited to, date of birth, home address, student or employee ID number, financial account number, bank account number, credit card number, social security number, credit history, CORI record, medical record number, personal email address, or driver’s license number.
- Civil Liability if Unprotected: Data that presents tort risk exposure to the College if unauthorized access occurs, such as unpublished copyright-protected works not authorized by the copyright owner to be released (i.e., a Master’s thesis) and information covered under client-attorney privilege.
- Security Risk if Unprotected: Certain security information about the College’s security procedures and vulnerabilities, whether pertaining to its physical or IT infrastructure, such as security, vulnerability, and risk assessments, access control diagrams, and network diagrams.
Campus-wide (directory information)
Campus-wide data are those which are typically found in the college directory and thus are sometimes referred to as directory information.
For students, the data include:
- Student’s name; local address; telephone number; hometown; field of study; dates of attendance; degrees and awards received, including departmental and graduation honors; and participation in officially recognized activities.
- Note that students can request that their campus-wide data (directory information) be suppressed, in which case for those students it is considered Protected data.
For employees, the data include:
- Name, department, title, college phone number, college email address.
- Campus-wide data are not public. The college directory is for use within the college community only. Any use of the directory for solicitation purposes is expressly prohibited.
Root Causes of Unauthorized Access of Protected Data and Consequences
Unauthorized access can happen through a lack of awareness on the part of a data custodian or other employee granting access, such as sharing confidential information without appropriate protections, or from a confidentiality breach facilitated by criminal hacking activity (e.g., a phishing email). Regardless of the cause, the College could be found to be criminally or civilly liable for any breach of Protected data in its care.
Release of Protected Data to Multiple Parties
An appropriate senior staff member must authorize in writing access to Protected data spanning multiple business areas or college-wide.
Protected Data in Conversation
Protected data must be treated as completely confidential and not be discussed with others, except in the course of performing one’s assigned College duties.
Application Data and Security
Each administrative department shall designate a Data Custodian who is responsible for administrative data and specific applications in his/her functional area. The Data Custodian is usually the department head; the duties and responsibilities of the Data Custodian may include:
- Review and approval of all requests for access to, and update capability for, specific administrative data and applications.
- Ensuring the quality of the data residing in the administrative unit’s applications.
- Ensuring that the Data Custodian’s department’s use of administrative data is consistent with existing College policies and best practices.
- Ensuring that administrative systems which are not managed directly by Technology are secured and protected from unauthorized use, improper disclosure, and accidental alteration, and that such systems are properly backed up.
Although some of the responsibilities of the Data Custodian may be delegated to others in his/her functional area, the Data Custodian continues to have overall accountability for the use and security of the data.
Requesting Access to Administrative Data
Requests for access to administrative data must be submitted in writing to the College’s assigned Data Custodian for that data.
The request must be reviewed and approved by the Data Custodian and his/her designee, as appropriate.
If a college employee requires access to administrative data and applications on computers supported and maintained by Technology, only access to the specific applications and data related to the employee’s specific job duties and responsibilities will be approved.
If a college employee requires access to a system that is not supported and maintained by Technology, they must request and receive written permission from the Data Custodian of that system.
Termination or Change of Status of Employees
Changes in status may include leaves of absence, significant changes in position responsibilities or transfer to another department.
- Human Resources is the Data Custodian for all staff records.
- Administrative Department Heads and Academic Department Chairs are responsible for informing the Human Resources Office of an employee’s change in status or termination.
- A written request for user access must be approved in writing by the Chief Human Resources Officer and sent to the Technology department.
Distributing Administrative Information — Data Extraction And Reporting
Extraction of institutional data for processing on systems other than the main administrative systems, or for reporting purposes, should be done only if the confidentiality, integrity and accuracy of the source data and extracted/reported data can be ensured.
Data extraction and reporting is to be done only by individuals who have been given specific rights to do so. Requests for rights are handled in the same manner as requesting access to data and applications (i.e., must be submitted in writing to the Data Custodian).
- Extracted data are the responsibility of the user and must be secured.
- Data should not be extracted for purposes that duplicate data entry or processing done on the source system. Data considered in this category include names, addresses, phone numbers, and social security numbers.
- At no time will any form of data extraction be permitted from an off-campus location, or utilizing non-college controlled equipment.
- At no time may any extracted data be stored on any form of removable media or on the fixed storage media of a laptop computer, unless the media is encrypted with a current, industry-standard encryption method.
Consult the Information Security Officer if you are unsure whether the proposed encryption method meets this standard.
Maintaining Confidentiality of Data
It is the responsibility of the Data Custodian to ensure that all individuals who are given access to restricted or sensitive data are instructed about their confidential nature. The Data Custodian is also responsible for conveying the status and level of confidentiality when the data is achieved.
Unauthorized release of sensitive or restricted information is a breach of data security and is cause for disciplinary action, which includes the possibility of dismissal.
Reporting Suspected Security Breaches
All users of Technology are required to report suspected data, system, or network security breaches. Data and Technology security breaches include, but are not limited to:
- Sharing login IDs and passwords with unauthorized individuals.
- Disseminating Protected data to unauthorized individuals.
- Transmitting Protected data in an insecure manner.
- Attempting to defeat College security software or safeguards.
- Attempting to maliciously disrupt College Technology services.
- Attempting to obscure or alter an employee’s assigned User network or system ID.
- Perpetrating any action that is a violation of state or federal computer regulations.
- Accessing, using, or changing data that are not necessary to perform the individual’s job duties or function, or for which the individual has not received written permission from the Data Custodian.
The Chief Information may authorize or delegate actions that violate these rules for emergency incident response, to conduct security testing and assessments, to assist with internal investigations, civil or criminal matters, or at the direction of the President, or a person authorized by the President to make such a request.
Consequences of Non-compliance
Unauthorized or inappropriate use of data and applications or lack of adherence to security policies and procedures will not be tolerated and may result in disciplinary action, which may include termination of employment or expulsion from the College.
NOTES
- Portions of this policy were adapted from Wellesley College’s Administrative Data Security Policy.