好色导航

好色导航
好色导航

Information Technology

Data Classification and Handling Policy

好色导航 faculty, staff, and student employees have varying access to electronic information that is sensitive and confidential. 好色导航 considers the protection of such information and its electronic infrastructure from unauthorized use to be a key responsibility of all faculty, staff, and student employees. Failure to act in accordance with College guidelines may result in disciplinary and/or legal action.

Sensitive information must be stewarded in an ethical, professional, and legal manner at all times. All institutional electronic data, regardless of how they are stored, remain the property of the College and are governed by this policy.

By law, certain institutional data may only be released with proper authorization, in compliance with applicable federal and state laws concerning storage, retention, use, release, and destruction of data. Users are encouraged to seek guidance from an appropriate supervisor, senior officer, or the chief information officer if it is unclear whether or not specific information is sensitive.

Sensitive data shall be used only as required in the performance of College duties, and may not be inspected, copied, altered, deleted, shared, granted access to, or used in any other manner, except as required in the performance of those job duties.

Reed community members are responsible for the security, privacy, and control of data in their care, access privileges entrusted to them, and their username/password. If there is reason to believe that the user's username/password is known by or has been used by another person, the user must immediately notify an appropriate supervisor, senior officer, or the chief information officer. Reed community members must take every reasonable precaution to prevent unauthorized access to sensitive data. Such data shall not be presented or shared inside or outside the College without prior approval from the appropriate supervisor or senior officer of the College. Sensitive data should never be left on any device to which access is not controlled.

When using the institution's electronic information systems, care must be exercised to protect data from unauthorized use, disclosure, alteration, or destruction. Users must understand the definition of sensitive information in the context of their job responsibilities and take steps to ensure that co-workers, staff, and student employees understand existing statutes and policies (such as FERPA, HIPAA, Donor Bill of Rights, Digital Millennium Copyright Act, GLBA, GDPR, etc., and College departmental guidelines that may supplement this agreement). Before granting access to sensitive information, users should be satisfied that a "need to know" is clearly demonstrated. Users should seek guidance from an appropriate supervisor, senior officer, or the chief information officer when the appropriate use of, or the granting of access to, such information is unclear.

It is a violation of College policy, and may be a crime, for individuals to attempt to gain access to College electronic data that they do not need in the performance of their job or to which they are not authorized to have access.

Data in the Moderate, High, and Restricted classifications are all considered “sensitive.” Sensitive college data should only be collected, stored, and shared when there is a specific business need and must be handled in a way that's consistent with its level of risk.

Restricted (sensitive)

Definition

  • Access and use is subject to special regulatory requirements.
  • Unauthorized access has significant legal or financial consequences and may result in mandatory notification, credit monitoring services, or other obligatory measures.
  • Systems may be in place to log and audit access.

Examples

  • Social security numbers, bank account numbers, passport, and visa numbers, Personally Identifiable Information, date of birth (Oregon ID Theft Act)
  • Credit cardholder data (PCI)
  • Financial aid "customer information" (GLBA)

Guidance

  • Never store or transmit unless encrypted.
  • May not be stored in Google or on personally-owned devices.
  • No removable media (thumb drive, DVD, hard drive) unless the files are encrypted.
  • Departments are responsible for developing policies, procedures, and training that ensures compliance by employees and volunteers who handle restricted data.

High (sensitive)

Definition

  • Access and use is restricted by laws, regulations, contractual agreements, or college policy.
  • Unauthorized access or use may have serious legal and financial consequences, as well as damage to reputation.

Examples

  • Staff and faculty employment records
  • Student transcripts
  • Disciplinary records
  • Personal health information
  • IT security documentation
  • Financial and health insurance accounts, and other personal information (OCIPA)
  • Personal information (GDPR)

Guidance

  • May be stored in the cloud if protected by contractual agreement (e.g., Crashplan, Google, Handshake).
  • Do not store on personally-owned devices.
  • No removable media (thumb drive, DVD, hard drive) unless the files are encrypted.
  • Reed Google Drive is secure but Shared Drive or file encryption is required to prevent accidental oversharing.

Moderate (sensitive)

Definition

  • Unauthorized access or use poses moderate risk of damage to the individual and/or the college.

Examples

  • Reed ID
  • Student education record, or directory information if student has opted out (FERPA)
  • Letters of recommendation
  • College correspondence
  • Meeting minutes
  • Unpublished research data
  • Computer sales, bookstore, and food service transaction records (excluding payment data)
  • Library borrowing history
  • Donor data
  • Maps of campus utilities and infrastructure
  • Law enforcement records (ARMS data)
  • Disability services data (AIM, etc.)
  • Contracts not covered by special NDA provisions

Guidance

  • Data should only be shared with individuals who have a specific business need.
  • Can be transmitted via Gmail between Reed email addresses.
  • Can be shared in Reed Google Drive (only share with specific individuals or defined teams).
  • May publish to the web or store in Moodle, with authentication.
  • May store on personally-owned devices if encrypted.

Low

Definition

  • Access has low to no risk to individuals or the college.

Examples

  • Published information and data
  • Course syllabi
  • Directory information
  • Username
  • Campus map

Guidance

  • Information may be shared publicly though, in some cases, individuals may opt out.