1. Policy Statement
Quincy College is committed to ensuring the proper management of data to protect its integrity, confidentiality, and availability. This policy outlines the procedures for handling data sensitivity, ownership, retention, and disposal to comply with legal and regulatory requirements and mitigate risks such as unauthorized access, data breaches, and non-compliance.
2. Objectives
- Establish a formalized, defined, and circulated Data Management Policy.
- Ensure proper handling, retention, and disposal of data to protect against unauthorized access and data breaches.
- Comply with legal and regulatory requirements for data management.
- Minimize risks associated with data mishandling and retention beyond necessary limits.
3. Scope
- This policy applies to all data collected, processed, stored, and disposed of by Quincy College, including both physical and electronic data.
4. Roles and Responsibilities
- Vice President of Mission Support: Leads the policy implementation team, coordinates efforts, and ensures compliance with policy requirements.
- Vice President of Finance: Ensures that financial aspects of data management, including budget considerations and financial risks, are managed effectively.
- IT Manager: Manages the technical aspects of data management, including data storage, access controls, and security measures.
- IT Analyst: Supports the IT Manager in conducting data assessments, monitoring data activities, and ensuring compliance with data management practices.
5. Data Classification and Sensitivity
- Classify data based on its sensitivity, value, and criticality to the college.
- Implement appropriate security measures for each data classification level to ensure its protection.
6. Data Ownership and Accountability
- Assign data ownership responsibilities to specific departments or individuals to ensure accountability.
- Data owners are responsible for the data's accuracy, integrity, and security throughout its lifecycle.
7. Data Handling Procedures
- Establish clear procedures for data handling, including collection, processing, storage, and transmission.
- Ensure that all data handling activities comply with legal and regulatory requirements.
8. Data Retention and Disposal
- Define data retention periods based on legal, regulatory, and business requirements.
- Implement secure data disposal procedures to ensure that data is irretrievably deleted when it is no longer needed.
- Regularly review and update data retention and disposal procedures to remain compliant with current standards.
9. Access Control
- Implement strict access controls to ensure that only authorized personnel have access to sensitive data.
- Use multi-factor authentication and regular access reviews to maintain data security.
10. Monitoring and Auditing
- Conduct regular audits of data management practices to ensure compliance with the Data Management Policy.
- Monitor data activities for signs of unauthorized access, misuse, or data breaches.
11. Incident Response
- Establish procedures for responding to data incidents. See the Incident Response (IR) Policy for detailed procedures.
- Ensure staff are aware of their responsibilities in the event of a data incident, including timely reporting and cooperation with the incident response team.
12. Training and Awareness
- Provide training for all stakeholders involved in data management, including the IT Manager, IT Analyst, and department heads.
- Regularly update training materials to reflect changes in the policy and regulatory requirements.
13. Review and Updates
- Conduct an annual review of the Data Management Policy to ensure it remains current and effective.
- Update the policy as necessary to address emerging threats, changes in regulatory requirements, and lessons learned from incidents.
Original: July 2024