I. Policy

Quincy College (QC) shall approve access to Sensitive Institutional Data in order to ensure that access to  sensitive data is authorized, that sensitive data with a need for protection are used appropriately and that authorized access complies with the QC Privacy Policy and relevant state and federal laws.

Institutional Data shall be classified in accordance with the Data Classification and Protection Standard to identify the level of confidentiality needs, legal requirements, and minimum standard protections for the data before access is granted.

Access to Sensitive Institutional Data is approved by the appropriate Vice President, Director, or his/her designee. A Data Steward may be designated to oversee data quality and permissions. The appropriate Vice President or Director shall grant access in compliance with institutional policies and all relevant regulations (e.g. FERPA, HIPAA and GLBA). Only those employees, affiliates, and systems that need the access to perform their job duties or mission shall have access to Sensitive Institutional Data. In the case  that a Data Steward is not designated, the data in question are owned by the Dean, Vice President, or department head of the unit that originates the data.

Access to Social Security Number (SSN) data shall not be granted to an employee unless approval has  been granted by a College Vice President or a Vice President's designee.

All access by individuals to Sensitive Institutional Data shall be controlled by reasonable measures to  prevent access by unauthorized users.

Data Users must responsibly use data for which they have access including only using the data for its intended purpose and respecting the privacy of members of the College community. Data Users must maintain the confidentiality data in accordance with the applicable laws and the Data Classification and  Protection Standard. Authorized access to Sensitive Institutional Data does not imply authorization for copying, further dissemination of data, or any use other than the use for which the employee was authorized. The Vice President or his/her designated Data Steward retains the right to approve and grant access to Sensitive Institutional Data.

Scope

This policy applies to access to Sensitive or Restricted data maintained by the College or a party acting on the behalf of the College. This policy does not apply to data or records that are personal property of a  member of the College community, research data, or data created and/or kept by individual employees or affiliates for their own use. Requests for records by the public are outside of the scope of this policy and shall be referred to Human Resources, Institutional Research & Assessment, or the Office of Student Records. This policy also does not apply to situations in which the College is legally compelled to provide  access to information.

II. Definitions

Access: Flow of information between a store of data and a user, system, or process. A user, system, or process is considered to have access to data if it has one or more of the following privileges: the ability to read or view the data, update the existing data, create new data, delete data or the ability to make a  copy of the data. Access can be provided either on a continual basis or, alternatively, on a one-time or ad hoc basis. Transferring any data from one party to another in any medium is tantamount to permitting access to those data.

Institutional Data: Those data, regardless of format, maintained by the Quincy College (QC) or a party acting on behalf of QC for reference or use by multiple College units. Institutional Data does not include  data that is personal property of a member of the College community, research data, or data created and/or kept by individual employees or affiliates for their own use. Examples of Institutional Data include student education records, payroll records, human resources records, and enterprise directory records.

Sensitive Institutional Data: Those Institutional Data that contain information that can be classified as either "sensitive" or "restricted" using the QC Data Classification and Protection Standard. Some examples of Sensitive Institutional Data include Institutional Data that are personally identifiable in nature and contain Social Security Numbers, Credit Card Numbers or other financial account numbers, HIPAA protected health information, or FERPA protected student education records.

Data Steward The individual responsible for the data. The Data Steward is usually the dean, vice president, or unit head of the College unit that creates or originates the Institutional Data or his/her designee.

Data User: An individual that has been authorized to access data for the performance of his/her job duties.

III. Procedure

Each College department/unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance with this policy. The Office of Technology & Mission Support is responsible for enforcing this policy.

Vice Presidents, Directors, or appointed Data Stewards shall ensure that procedures for requesting and approving access to Sensitive Institutional Data exist and are followed. Data Stewards shall also implement procedures for regularly auditing access to Sensitive Institutional Data and revoking access when it is no longer needed or authorized. Procedures may vary from Data Steward to Data Steward as  necessary to accommodate different Data Steward mission/resources/etc. and different groups of Data Users. However, all procedures shall include sufficient tracking for requests, approvals, and revocations  such that authorized access to Sensitive Institutional Data is auditable.

A Vice President, Director, or Data Steward may delegate the ability to approve access to Sensitive Institutional Data to trusted individuals in designated roles. A Data Steward may delegate by creating procedures through which the designee may approve access by employees that have certain pre- approved roles and responsibilities. Data Stewards retain the responsibility for ensuring that all access to Sensitive Institutional Data is authorized, appropriate, and complies with relevant legal requirements;  the responsibility does not transfer to designees.

Access to Sensitive Institutional Data by external parties shall be governed by individual contractual agreement or memoranda of understanding if the third party is a governmental organization. Such

contractual agreements shall be approved by the Information Technology department and by the appropriate QC designated Data Steward.

Violations

Violation of this policy may incur the same types of disciplinary measures and consequences as violations of other College policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.

Violation of this policy may also result in termination of contracts or commitments to vendors and other affiliates. Legal action may be pursued where appropriate.

Data Classification and Protection Standard

Data can be classified either in terms of its need for protection (e.g. Sensitive Data) or its need for availability (e.g. Critical Data). Use the information below to classify data in terms of its need for protection or its availability. The four categories are Public, Internal, Sensitive, and Restricted.

Public Data

Data can be disclosed without restriction. Examples - Directories, Maps, Syllabi and Course Materials, de-identified data sets, etc.

Internal Data

Confidentiality of data is preferred, but information contained in data may be subject to open records  disclosure. Examples - email correspondence, budget plans, etc.

Sensitive Data

Data confidentiality required by law, policy, or contractual obligation. Loss of confidentiality or integrity will cause significant damage to QC's reputation or could cause harm to QC stakeholders. Sensitive information is typically redacted from open records disclosures (e.g. Student ID numbers, student records, etc.).

Restricted Data

Restricted data requires privacy and security protections. Special authorization may be required for use  and collection. Examples - data sets with individual Social Security Numbers (or last four of SSN), credit card transaction or cardholder data, patient health data, financial data, etc.

Protection of information is mandated by law or required by private contracts. Loss of confidentiality or integrity will cause significant damage to QC’s reputation or could cause harm to QC stakeholders.

Records with restricted information are typically not open for public inspection.

Supportive Data

Supportive data is necessary for day-to-day operations, but is not critical to QC’s or to a Department/Unit’s mission or core functions. Examples - course materials, meeting minutes, workstation images, etc.

High-priority Data

Availability of data is necessary for departmental function. Destruction or temporary loss of data may have an adverse effect on college or departmental mission, but would not affect university-wide function.

Critical Data

Critical data have the highest need for availability. If the information is not available due to system downtime, modification, destruction, etc., the College's functions and mission would be impacted. Availability of this information must be rigorously protected.

See the table below for minimum standard protection requirements for each category of data when being used or handled in a specific context (e.g. Sensitive Data sent in an email message). Please note that the below protection standards are not intended to supersede any regulatory or contractual requirements for handling data. Some specific data sets, such as student records data, credit/debit card  data, healthcare data, and financial account data, may have stricter requirements in addition to the minimum standard requirements listed below.

 Public DataInternal DataSensitive DataRestricted Data
                      Collection and Use                      No protection requirements                      No protection requirementsLimited to authorized  users.Limited to authorized users.
Departments that collect and/or use Sensitive data should report these records to the Information Technology Department.Departments that collect and/or use Restricted data should report these records to the Information Technology Department.
Quincy College web pages that are used to collect sensitive data must include a link to the Privacy Policy.  Quincy College web pages that are used to collect restricted data must include a link to the Privacy Policy.
  SSNs may not be used to identify members of Quincy College if there is a reasonable alternative.
  SSNs shall not be used as a username or password.
  SSNs shall not collected on unauthenticated individuals.
    Granting Access or Sharing    No protection requirementsReasonable methods shall be used to ensure internal data is accessed by or shared with authorized individuals  or individuals with a legitimate need to know.Access shall be limited to authorized college officials or agents with a legitimate  academic or business interest.Access shall be limited to authorized college officials or agents with a legitimate academic or business interest and a need to know security level.
All access shall be approved by an appropriate data owner and documented in a manner sufficient to auditable.All access shall be approved by an appropriate data owner and documented in a manner sufficient to auditable.
   
Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data must be approved.Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved.
        Disclosure, Public Posting, etc.          No protection requirements    Reasonable methods shall be used to ensure internal data is only disclosed to authorized individuals  or individuals with a legitimate need to know.Sensitive data shall not be disclosed without consent.          Not permitted unless required by law.
Sensitive data may not be posted publicly.
Directory information can be disclosed without consent. However, per FERPA, individual students can opt out of directory information disclosure.
      Electronic Display      No protection requirementsReasonable methods shall be used to ensure internal data is only displayed to authorized individuals or individuals with a legitimate need to know.      Only to authorized and authenticated users of a system.Restricted data shall be displayed only to authorized and authenticated users of a system.
Identifying numbers or account number shall be, at least partially, masked or redacted.
          Open Records Requests  Data can be readily provided upon request. However, individuals who receive a request must coordinate with the Student Records or Institutional Research offices before providing data.      Individuals who receive a request must coordinate with  the with the Student Records or Institutional Research  offices.Sensitive data is typically  not subject to open records disclosure. However, some open records requests can be fulfilled by redacting sensitive portions of records. Individuals who receive a request must coordinate with the Student Records or Institutional Research offices.  Restricted data is typically not subject to open records disclosure. However, some open records requests can be fulfilled by redacting sensitive portions of records. Individuals who receive a request must coordinate with the Student Records or Institutional Research offices.
Exchanging with Third Parties, Service Providers, Cloud Services, etc.  No protection requirementsReasonable methods shall be used to ensure that the third party's responsibilities for confidentiality /privacy of the data  are defined and documented.A contractual agreement outlining security responsibilities shall be in place and approved by the Information Technology department before exchanging data with the third party / service provider.A contractual agreement outlining security responsibilities shall be in place and approved by the Information Technology department before exchanging data with the third party / service provider.
Storing or Processing: Server EnvironmentServers that connect  to the QC Network shall comply with necessary security protocols.Servers that connect  to the QC Network shall comply with necessary security protocols.  Servers shall comply with security requirements.Servers shall comply with security requirements.
Storing Credit/Debit card data is not permitted.
  Storing or Processing: Endpoint Environment (e.g. laptop, phone, desktop, tablet, etc.)    Systems that connect to the QC Network shall comply with necessary security protocols.    Systems that connect  to the QC Network shall comply with necessary security protocols.      Systems shall comply with security requirements.Systems shall comply with  security requirements.
Storing Credit/Debit card PAN data is not permitted.
Storing restricted data on personally-owned devices is not permitted.
      Storing on Removable Media (e.g. thumb drives, CDs, tape, etc.)          No protection requirements          No protection requirements      Sensitive data shall only be stored on removable media in an encrypted file format or within an encrypted volume.Not permitted unless required by law.
If required by law, data stored on removable media shall be encrypted and the media shall be stored in a physically secured environment. Storing restricted data on personally-owned media is not permitted.
  Electronic Transmission  No protection requirements  No protection requirementsData shall be transmitted in either an encrypted file format or over a secure protocol or connection.Secure, authenticated connections or secure protocols shall be used for transmission of restricted data.
      Email and other electronic messaging        No protection requirementsReasonable methods shall be used to ensure internal data is only included in messages to authorized individuals  or individuals with a legitimate need to know.Sensitive data shall only be included in messages within an encrypted file attachment.  Not permitted unless required by law.
Messages shall only be sent to authorized individuals or other individuals with a legitimate need to know.  If required by law, data shall include in an encrypted file that attached to the message.
  Printing, mailing, fax, etc.  No protection requirementsReasonable methods shall be used to ensure that printed materials are only distributed or available toPrinted materials that include sensitive data shall  only be distributed or available to authorized individuals or individuals with a legitimate need to know.Printed materials that include restricted data shall only be distributed or available to authorized individuals or individuals with a legitimate need to know.
  authorized individuals or individuals with a legitimate need to know.
Access to any area where printed records with sensitive data are stored shall be limited by the use  of controls (e.g. locks, doors, monitoring, etc.) sufficient to prevent unauthorized entry.Access to any area where printed records with restricted data are stored shall be limited by the use  of controls (e.g. locks, doors, monitoring, etc.) sufficient to prevent unauthorized entry.
 Social Security Numbers shall not be printed on any  card required to access services.
 New processes requiring the printing of SSN on mailed materials shall not be established unless required by another state agency or a federal agency.
          Disposal        No protection requirements        No protection requirements.Data shall be deleted and unrecoverable (e.g. eraser, zero-fiil, DoD multipass, etc.).Data shall be deleted and unrecoverable (e.g. eraser, zero-fiil, DoD multipass, etc.).
Physical media (e.g. paper, CD, tape, etc.) should be destroyed so that data on the media cannot be recovered or reconstructed.  Physical media (e.g. paper, CD, tape, etc.) should be destroyed so that data on the media cannot be recovered or reconstructed.

Original: January 2017