Sensitive Information in Electronic and Paper-based Systems

From TechHelp@MCLA

MCLA Sensitive Information in Electronic and Paper-based Systems - Policy Statement

Principle

Massachusetts College of Liberal Arts has a responsibility for securing sensitive information against intentional or unintentional disclosure, alteration or loss of availability.

Purpose

The purpose of this policy is to minimize the risk that sensitive MCLA information is compromised or disclosed inappropriately.

Resources covered

All electronic and paper information systems including (but not limited to) the central administrative systems (financial, HR/payroll, student); department administrative systems (including "shadow" financial systems and vendor-managed systems); file servers; email servers; web servers; desktop and mobile computers; and all paper-based information storage and retrieval systems.

Groups covered

MCLA faculty, staff, and students, and anyone else accessing, using, or storing sensitive MCLA information.

Definitions

Personal identity information (PII): includes Social Security Numbers, credit card numbers, bank and credit union account numbers, health insurance plan identification numbers, driver's license numbers, dates of birth, and other similar information associated with an individual student or employee that, if misused, might enable assumption of that individual's identity ("identity theft") to compromise that person's personal or financial security.

Protected health information (PHI): includes health information that is associated with at least one of eighteen identifiers that make the information “individually identifiable.” The eighteen identifiers include name, address, SSN, date of birth, date of health care, and other elements. Health information about groups of people (population data, mean and median data, aggregate data, etc.) that cannot be related to individuals is not PHI.

Student educational record information: includes records that are based on student status and maintained by the College or a party acting for the College. Access to student records is governed by the MCLA Student Records Policy and the Family Educational Rights and Privacy Act (FERPA). Sole possession records, medical or psychological records, alumni records, employment records, and law enforcement records are not considered student educational records and are not subject to FERPA.

Other sensitive information: includes any information that has been designated by the College to be non-public information but is not protected by law or regulation. Examples include personnel records (including performance appraisal information and records of disciplinary action); information about MCLA security systems; computer passwords; and information about the configuration of MCLA electronic systems.

Exemptions

This policy applies to everyone at all campuses and sites of Massachusetts College of Liberal Arts. There are no exemptions.

I. Guidelines for Handling Sensitive Information

When working with sensitive information, you should always:

  • Access and use sensitive data appropriately. MCLA expressly forbids the access and use of sensitive data for any purpose other than the conduct of College business.
  • Utilize MCLA’s existing central administrative systems (Banner Student Administration, Human Resources/Payroll, Banner or Great Plains Financials and Canvas LMS). These systems are always the preferred systems for storing sensitive information.
  • Restrict access rights. Access to sensitive information, in both electronic and paper format, should follow the “minimum necessary” principle: an individual should have access only to the sensitive information necessary to accomplish his or her work. If Employee A needs Social Security Numbers and Employee B needs dates of birth, do not create a spreadsheet with names, SSNs, and DOBs and distribute it to both employees.
  • Avoid the use of “convenience repositories”. Copies of sensitive information stored in the central administrative systems should not be maintained outside of those systems unless the frequency of use of the information is such that disabling the repository would severely impact the ability of the department to conduct its business. If you believe you have a compelling rationale for maintaining such a repository, please contact the Chief Information Officer to discuss.
  • Dispose of sensitive information properly. If you are authorized to collect or retain sensitive information, you are obligated to discard it when the information no longer has a legitimate business use. Printed or other physical materials containing sensitive information must be shredded. Computers and other electronic equipment that contain sensitive information or that have been certified by Information Security must be disposed of as outlined in MCLA’s Computer Equipment Disposal Policy.
  • Protect documents containing sensitive information. Documents (e.g., spreadsheets, databases, word-processing documents) containing sensitive information must be password-protected and should be stored on network drives (“H or S drives”) rather than personal computer drives (“C drives”). If you do not know how to password-protect a document, or if you are uncertain which drive is your network drive, call the MCLA Computer Help Desk.

In addition, if you cannot avoid storing documents containing sensitive information on your personal computer drives (“C drives”), then the personal computer must be “certified”. Contact the information technology office for information about personal computer certification. Physical access to paper documents containing sensitive information should be restricted to those who need the information to perform their responsibilities. Appropriate physical security, including door and cabinet locks, must be implemented.

  • Report any accidental disclosure or suspected misuse of sensitive electronic data immediately to Information Security. Report any accidental disclosure or suspected misuse of sensitive information in paper format to your supervisor.

When working with sensitive information, you should never:

  • Store documents containing sensitive information on laptop or notebook computers unless the computer is certified and the information is encrypted. Call the MCLA Computer Help Desk for information about personal computer certification and encrypting data.
  • Store documents containing sensitive information on other mobile devices such as Personal Data Assistants (PDAs, Mobile Phones, Tablets, BlackBerries) unless such storage is approved by your department and the PDA is password-protected.
  • Store sensitive information on small portable storage devices such as floppy drives, flash memory drives (keychain drives, flash drives, USB memory keys), CDs, or DVDs unless the information is encrypted.
  • Store sensitive College information on a home computer or any other computer not certified by the College.
  • Provide an outside entity with any type of sensitive information without the informed consent of your department chair or superior. Be aggressive in seeking clarification and confirmation that including the sensitive information is essential. While this may seem obvious in the case of (for example) patient information, it applies equally to a spreadsheet containing employee names and dates of birth or SSNs.
  • Send any form of sensitive information off-campus via any email system other than MCLA’s Secure Email System. For information on the Secure Email System, please visit the secure email website.
  • Post any form of sensitive information on a web server.
  • Store sensitive information in third-party online application services such as Office 365, unless a College contract with that vendor is in place which protects sensitive information.
  • Store documents containing sensitive information on third-party online storage services such as OneDrive, SharePoint, Google Drive, Dropbox, etc., unless a College contract with that vendor is in place which protects sensitive information.

II. Guidelines for Identifying Individuals in Electronic Systems

The Employee/student Identification Number (“A” number) generated by the Banner system is the preferred unique identifier for all MCLA employees including affiliated groups not paid from state sources (Trust fund, Foundation). Affiliated groups will be put into the Human Resources/Payroll system as appropriate in order to create an Employee Identification Number (and, thus, to facilitate identity-driven processes such as account creation and termination, portal access, and library access). The Banner or Commonwealth Human Resources/Payroll system is the authoritative source of employee Social Security Numbers and the only system in which an individual employee's name, Employee Identification Number, and SSN should be associated.

The “A” number Banner ID is the preferred unique identifier for all MCLA students. The Banner Student Administration System is the authoritative source of student Social Security Numbers and the only system in which an individual student's name, Employee Identification Number, and SSN should be associated.

No new information systems that use the SSN for personal identification will be acquired, developed, or implemented unless that use is mandated by federal or state regulation. Existing information systems reliant on the Social Security Number for personal identification will be modified or replaced in the context of a logical system of priorities and resource availability. The SSN should be removed from all College online and paper forms and reports except where required by federal or state regulation.

Enforcement

Suspected or known violations of this policy will be reported to the appropriate College officials, and may result in:

  • Loss of individual computing privileges.
  • Accountability for conduct under any applicable College or campus policies, procedures, or collective bargaining agreements, including disciplinary action.
  • Disconnection of non-compliant systems from the MCLA network.

Suspected or known violations of College regulations and/or State and Federal law will be processed by the appropriate College authorities and/or law enforcement agencies.

Updated on 07/06/2016 Curt King