Information Technology, Documents, & Records

College Data on Mobile Devices

Scope

This policy governs the use of mobile devices to conduct college business or to access college data. Accessing college email and calendaring is considered to be conducting college business, and is therefore included in this policy. Carleton College has adopted this policy to safeguard the college’s investments and data and to comply with various regulations. This policy applies to both college-owned and personally-owned mobile devices which connect to the Carleton network.

Mobile devices include any portable device that allows access to college information and data. These include but are not limited to laptops, mp3 players, smart phones, and iPads. The college data covered by this policy includes:

  • Protected Data (any data protected by state or federal guidelines)
  • Sensitive Data (any data that the college has determined to be confidential)

The college data not covered by this policy includes:

  • General College Data (any data pertaining to the operation of the college whose use is not considered protected or sensitive)

For further details regarding the types of college data, see the Data Management and Access Guidelines.

Policy

Employees must configure college and personally-owned mobile devices to safeguard college protected and sensitive data. Such data should only be stored on or accessed from mobile devices for the duration required for work purposes. If you are directly accessing college systems, such as Workday, Slate, and Advance, you must use the identified secure connection method for that system, e.g. Citrix. If you are unsure of the appropriate connection type, consult with the ITS staff responsible for the system. Employees must also keep mobile devices physically secure, especially when left unattended.

College and personally-owned mobile devices must be configured with the following security measures:

  • Protected by a PIN of at least 4 digits
  • Screen must auto-lock after not more than 15 minutes of inactivity
  • Device must accept remote wipe commands
  • Device must be encrypted if protected data is stored on the device

If you are accessing Carleton email on your mobile device, it must be accessed directly and not forwarded to a personal email account.

To protect college data, the college reserves the right to remote wipe any college-owned mobile devices, or any personally-owned devices that have accessed college systems or data, including email servers. See the Information Security Plan (http://apps.carleton.edu/campus/its/policies) for further instructions regarding the protection of college data.

Procedures

Securing your device 

ITS maintains a document (https://wiki.carleton.edu/dashboard.action) outlining the methods to secure your mobile device. If you will potentially be accessing data covered by this policy, you must adhere to these guidelines.

Lost Devices

A lost or stolen device must be reported to Campus Security as well as local law enforcement in the area where the device was lost.

Device Disposal

At the end of its life, a college-owned mobile device must be returned to and disposed of by IT. Personally-owned mobile devices should be wiped of any protected data. See the Device Disposal Guidelines (https://wiki.carleton.edu/dashboard.action) for information on proper disposal.

Notifications for Breach of Security

Minnesota’s Security Breach law (Statute: § 325E.61) requires that “Any person or business that conducts business in [Minnesota] and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay . . . .”

If you believe that college data containing personally identifiable information, or any other college protected or confidential data, may have been breached, the following steps should be taken immediately:

  1. The individual who discovers the breach should immediately notify Campus Security.
  2. Campus Security will contact the VP for Finance and Treasurer and the Director of Information and Technologies.
  3. Campus Security, the VP for Finance and Treasurer, and the Director of IT will determine if a breach of security of data has occurred, and the appropriate action to take.

Campus Security, the VP for Finance and Treasurer, and the Director of IT may utilize guidance for dealing with a data breach and sample notification letter formats that can be found on the Federal Trade Commission website.

Last Revised: June 1, 2012

Technology Priorities and Planning Committee (TPPC)

For: Faculty, Staff

Last Reviewed: July 20, 2015

Maintained by: Information Technology Services