Wesleyan Data Security & Privacy Protection Policy
APPLICATION: This policy applies to all individuals who collect, use, or share university information. Those individuals include, but are not limited to, staff, faculty, those working on behalf of the university, and individuals authorized by affiliated institutions and organizations.
ISSUED: 05/21/2018
DATA PROTECTION OFFICER: Chief Information Security Officer
Purpose
Policy Statement
Scope
This policy governs information that the university or authorized agents collect, use electronically or physically, and share with others.
The collection, retention and release of some information may be covered by law or regulation, including but not limited to the Family Educational Rights and Privacy Act (“FERPA”), the Health Insurance Portability and Accountability Act (“HIPAA”), and the European Union General Data Protection Regulation (“EU GDPR”), and this policy is not meant to supersede requirements related thereto.
For the sake of this policy, personally identifiable information (“PII”) is any non-public information that can identify or provide information about an individual.
Data Classifications
Public
This is defined as information that is generally available to anyone within or outside of the University. Access to this data is unrestricted, may already be available, and can be distributed as needed. Public data includes, but is not limited to: fundraising materials, admission recruiting materials, information posted on public web pages, and directory information. This data can be used and stored on any university managed system without additional safeguards in place.
Confidential
This is information that may be considered damaging if released. Confidential data examples include financial records and all PII not considered Restricted. Confidential data can only be collected, used, or stored in approved systems or encrypted workstations. This data cannot be shared outside the university without approval of the general counsel and DPO.
Restricted
This is defined as highly sensitive data which, if leaked, poses a moderate to high risk to privacy, safety, or financial situation. Restricted data includes, but is not limited to: grades, social security numbers, HIPAA data, credit card data, and controlled unclassified information. Restricted data can only be collected, used, or stored in systems approved by the DPO. This data cannot be shared with new people inside the organization or outside the organization without approval of the general counsel and DPO.
Data Collection
Data Sharing
Protection of Confidential and Restricted Data
- Management is responsible for ensuring that their direct reports understand the scope and implications of this policy.
- HR is responsible for ensuring that all employees acknowledge receipt of this policy.
- Individuals contracting with third parties must ensure that appropriate provisions exist in agreements to maintain the confidentiality and integrity of the data in compliance with applicable laws and regulations.
- Personal account passwords should never be shared. Individuals are held accountable for all activity performed with their accounts in accordance with our Computer Use Policy.
- Any authorized party who collects or generates new data must classify that data according to the criteria outlined above and notify the DPO to ensure appropriate tracking and protection.
- Confidential and Restricted data protection should be based on the following security principles:
  - Risk Assessment – appropriate protections should be defined based on the perceived risk to the data and possible harm due to unauthorized disclosure.
  - Least Privilege – individuals should only be given the access that they need to complete their assigned duties.
  - Need to know – individuals should only be aware of information that they must know to complete their assigned duties.
- Any person in possession of Confidential and Restricted data shall safeguard the data to the best of their ability and shall destroy, erase or make unreadable such data in whatever form it exists prior to disposal in accordance with Wesleyan’s Record Retention Policy.
- Confidential and Restricted data cannot be saved to personal equipment.
- Confidential and Restricted data in paper or physical form shall be kept in closed, secured cabinets or rooms.
- Any constituent who discovers possible evidence of a violation of this policy or possible breach or release of Confidential and Restricted data shall immediately notify the DPO and take care to preserve any and all evidence of such incident. Upon confirmation of a breach or unauthorized disclosure of confidential or restricted data, the DPO shall initiate a security incident in adherence with the information security incident response procedure.
- All university managed systems will be scanned for confidential and restricted data to help ensure compliance with the standards set above. If confidential or restricted data are found on a system, the user must delete the data if no longer necessary, or move the data to an approved location (e.g., encrypted hard drive or file share).
- Information security and privacy staff will monitor for unauthorized activity and update requirements where appropriate.
Additional Information
For additional guidance specific to GDPR, please refer to Exhibit A: Wesleyan University European Union General Protection Regulations (EU GDPR) Policy.
For additional details about our data collection, usage, and sharing, please refer to Exhibit B: Wesleyan University Data Collection, Usage & Sharing.
Policy Enforcement
Staff, faculty, or students found in violation of this policy may be adjudicated per their respective handbooks.
Questions, comments, or concerns regarding this policy or the protection of data should be directed to the Data Protection Officer at DPO@wesleyan.edu.