Data captured and maintained at Carleton College by the various administrative offices constitutes a College-wide resource. Although it may reside in different applications, spreadsheets, databases, etc., this data may be viewed collectively as a single logical resource—one to which an integrated set of guidelines needs to be applied. The purpose of this document is to outline these guidelines, articulate common principles, lay the groundwork for optimal use of the College’s data, and address commonly asked questions. It is imperative that employees who access data understand these issues.
Whose data is it, anyway?
The value of Carleton’s data lies in its usability. Data that lies unused due to bad or missing documentation, errors, poor technical support, or unnecessary access restrictions has little value. In order to provide maximum value to the institution, therefore, our data must be well documented and supported, accurate, accessible, and as lightly encumbered as we can legally, reasonably, and ethically make it. Where appropriate and feasible, it must also be centrally accessible to employees using standard software tools and methods. Data may be stored in different systems and maintained by various offices, but the data is ultimately a resource owned by the College.
How should we maximize data access?
Data access can be broken down into three parts: obtaining authorization to use a data system, entering and maintaining data, and extracting data out of a system.
The task of granting access to enter and maintain data in administrative systems typically falls to the office responsible for the relevant business process. For example, since the Business Office maintains invoices, it is responsible for deciding who can enter and maintain this data in the system of record. ITS or other system support people may set up security at the system level, but their job is to implement the decisions of the responsible office. If, therefore, you feel that you need access to information, you should contact the office responsible for the relevant business process.
Similarly, the task of granting access to take data out of a system, whether in the form of a report or a data extract, typically falls to the office responsible for the business process in question. For example, if an employee wants a file of information on current employees, that employee should contact Human Resources. It is the responsibility of everyone who accesses data to check with the primary owner to ensure that the data is interpreted, compiled, and distributed properly.
What is protected data? Sensitive data? Public data?
Protected data consists of paper and/or electronic data that contains personally identifiable information concerning any individual and is therefore typically regulated by local, state, or federal privacy regulations and/or voluntary College standards. Any paper or electronic data that contain this information must be classified as protected data by default.
Examples include but are not limited to:
- Social Security numbers
- Credit card and debit card numbers
- User names with passwords
- Medical information
Sensitive data is any paper and/or electronic data that is not classified as protected data but should not be distributed to the general public according to College practice. It is often acceptable to share sensitive data within the College in cases where there is a legitimate educational purpose or specific business need. The department responsible for stewarding the data makes this classification.
Examples of sensitive data include but are not limited to:
- Student educational records
- Admission files such as ACT, SAT, and TOEFL scores, high school and college transcripts, and other scholastic records
- Student account data and loan information
- Financial assistance application files, student work-study information, and scholarship and loan information not considered protected financial information
- Budgets and salary information
- Alumni information such as philanthropy, wealth, contact, and giving data
- Tenure review
- Disciplinary records
- Bank account numbers and routing information
- Database primary ID numbers
Be aware that any information classified as a student record requires special attention. Access to student records is governed by a variety of privacy laws such as the Federal Educational Rights and Privacy Act (FERPA). Those who work with student records should be very familiar with the policy on student records in the online Carleton Student Handbook. In particular, a student’s directory information may be released under certain circumstances, but not if the student has invoked his or her FERPA rights to suppress the release of this information. All questions about such FERPA issues and about the release of directory information should be addressed to the registrar. All employees are expected to take FERPA training as a condition of employment.
Public data is any paper and/or electronic data that the College is comfortable distributing to the general public. For department-specific data, this classification is determined by the responsible department. If more than one department is charged with stewarding the data, all involved departments should jointly classify the data; if they are unable to come to consensus, the data must be classified as sensitive data. Examples of public data are:
- Faculty and staff
- Department Web and mailing addresses
- Press releases
- Unauthenticated College Web site content
Any College data that does not contain personally identifiable information and has not been classified as protected data or sensitive data is classified as public data.
How do I send data off campus?
Employees may occasionally field requests to send data to Carleton employees currently located off campus. The guidelines outlined in this document apply to all such requests. Employees may also field requests to send data to parties not affiliated with Carleton College. If it is deemed appropriate for the data to be sent (e.g., if the party has a legitimate business or legal need to see this information), it is critical to ensure that the data is communicated securely and that, once communicated, it is housed in a secure fashion.
For example, any electronic transmission of protected or sensitive data must be encrypted. Public data need not be encrypted during transmission, nor while at rest on a storage device. Please call the ITS Helpdesk (x5999) if further guidance is required.
How do I store and share data on campus?
Protected data may only be stored and shared by designated servers and applications. In general, protected data may not be stored on your workstation hard drive or on unprotected external storage devices (USB thumb drives or external hard drives, for example). Google Drive and Dropbox are both sanctioned for the storage of protected data, provided that it is shared cautiously and that no public links to that data are created. Protected data must not be sent via e-mail unless the transmission is encrypted. For cases where secure electronic transmission is not practical, ITS will provide the means to encrypt portable media or assist you in using Dropbox or Google Drive to securely share the relevant files.
Sensitive data may be stored on general-purpose file and Web servers with appropriate access controls. The use of e-mail to send sensitive data is permitted, subject to the following caveats: staff members must be extremely careful to address messages properly, and staff members must be mindful that once information is sent via e-mail, it could be intercepted or forwarded beyond their control. Sensitive data stored on portable media must be encrypted, even if it is never intended to leave campus. This encryption requirement includes any laptop used to store sensitive data; by ITS policy, all PC laptops at Carleton use full-drive encryption via BitLocker.
Public data, by definition, has no confidentiality requirement. However, it should be posted on supported servers to help maintain data integrity, availability, and cost effectiveness.
Are employees required to sign forms before gaining access to data?
Employees at Carleton are required to sign a system request form in order to gain access to administrative systems. This form includes text regarding the confidentiality of data.
What must be done with protected or sensitive data that is no longer needed?
Printed matter containing protected or sensitive data must be shredded. CDs and DVDs must be physically destroyed. Departments that regularly handle protected and sensitive data must obtain equipment and develop procedures sufficient to handle the volumes of material they generate.
Electronic devices, including computer hard drives, USB flash drives, and mobile phones, can be difficult to wipe securely. It is important to understand that simply emptying a computer’s recycle bin does not actually delete file data. All devices containing protected or sensitive data—including computers and USB flash drives—must be brought to ITS to be encrypted and/or securely wiped before they are transferred to another employee with a different organizational role or before they are retired, resold, donated, or recycled.
Who decides how long to retain data?
Proper retention and back-up of records is essential to conduct the business of the College; to protect the legal interests of the College, students, and employees; to preserve the College’s history; and to comply with applicable state and federal laws and regulations. In addition, the College is obligated to preserve records in certain cases, such as when litigation is threatened or pending. To ensure efficiency and effective management of physical and digital storage resources, it is also important that unneeded records be disposed of in a timely manner. This practice applies to all departments, divisions, offices, and employees of the College.
It is the responsibility of each department to destroy the data that it originates or receives when the data is no longer needed. All departments that maintain College data are responsible for establishing appropriate data management procedures and practices.
What do I do if I discover a breach of data security or other related incident?
If you become aware of any acts that breach these guidelines, you should contact the ITS Helpdesk (x5999) immediately.
If you suspect that a work computer containing protected or sensitive data has been compromised by a virus or other attack:
- Immediately stop using the computer. Do not close open files. Do not log out.
- Disconnect from the network. Physically disconnect the Ethernet cable and switch off wireless, if applicable.
- Call the ITS Helpdesk (x5999).
- Do not run antivirus scans or allow the ITS Helpdesk to run antivirus scans until the likelihood of data breach has been established.
If I work from home or travel for work, how can I securely take data off campus?
All laptops, USB flash drives, or other portable devices that contain or are used to access sensitive or protected data must be encrypted. Protected data must not be stored on general-purpose servers such as Collab or on Carleton’s e-mail servers. Before an employee plans to leave campus with sensitive or protected data, he or she should ensure that devices that contain or will likely contain such data are encrypted and have VPN access to any required on-campus servers. Employees must not transfer such data to their home computers or storage devices, except under special circumstances determined by ITS. Contact the ITS Helpdesk (x5999) for assistance.
If a computer or storage device containing College data is lost or stolen, contact the ITS Helpdesk (x5999) immediately.
If I’m considering purchasing a system that will store Carleton data, what questions should I ask?
There are sometimes good reasons to purchase new software systems that store or access data rather than use an existing enterprise system. Departments considering such a purchase should always contact ITS to discuss the purchase and decide whether or not the new system has potential data security issues. If it is decided that a purchase will be made, data will either be stored locally at Carleton in a database or off-site in a vendor database. If the data is to be stored off campus, information will need to be gathered from the vendor regarding its security standards and practices. Typical questions that should be asked include, “Have you done any security audits?” and “Can you tell us who in your company can access our protected or sensitive data and/or who has in fact accessed that data?” Please call the ITS Helpdesk (x5999) to get in touch with the ITS person who can help you with the process of going through these questions and collecting and assessing responses from the vendor.
- Document Retention and Destruction policy
- FTC Information Security Plan
- FTC Identity Theft Prevention Plan
- Vital Records Analysis
- IRB policy on Secondary Analysis of Existing Datasets