Data Security Policy
POLICY TITLE: DATA SECURITY POLICY
POLICY NUMBER: 8.2
POLICY SECTION: INFORMATION TECHNOLOGY
EFFECTIVE: January 1, 2006
REVISED: October 23, 2007
This policy defines the guidelines for the security and confidentiality of data maintained by the Community College of Rhode Island (CCRI), both in paper and electronic form. This policy also informs each person who is entrusted to access student, employee and/or institutional data of their responsibilities with regard to confidentiality and safeguarding CCRI data.
All custodians and guardians of administrative data are expected to mange, access, and utilize the data in a manner that maintains and protects the security and confidentiality of that information.
There are two primary categories of data-handling and access defined in this policy.
- Data Custodian
- Data Guardian
- Data Custodians
Data custodians function as gatekeepers for the data that is collected and maintained by individuals in their divisions. Custodians are responsible for establishing access procedures for the administrative data available in their area and for approving access requests for that data. The table below indicates the administrative areas that maintain the college’s primary data stores and the respective data custodians.
|Administrative Area||Data Custodian|
|Alumni and Development Data||President|
|Financial Data||Vice President, Business Affairs|
|Financial Aid Data||Vice President, Student Affairs|
|Human Resources Data||Vice President, Business Affairs|
|Information Technology Data||Vice President, Business Affairs|
|Student Services Data||Vice President, Student Affairs|
- Data Guardian
A data guardian is defined as anyone who, as a function of their position at CCRI, possesses or has access to CCRI administrative data, either electronic or otherwise. Guardianship and its associated responsibilities apply to individuals who dispense or receive data.
Department heads are responsible for signing off on data access requests for employees under their supervision.
College employees, or others who are associated with the college, who request, use, possess, or have access to college administrative data must agree to adhere to the protocols outlined above. In addition, guardians, custodians and data users are prohibited from:
- Changing data about themselves or others except as required to fulfill one’s assigned college duties or as authorized by a supervisor. (This does not apply to self-service applications that are designed to permit you to change one’s own data.
- Using information to enable actions by which other individuals might profit.
- Disclosing information about individuals without prior authorization by a supervisor.
- Engaging in what might be termed “administrative voyeurism” (reviewing information not required by job duties) unless authorized to conduct such analyses. Examples include tracking the pattern of salary raises, viewing a colleague’s personal information and looking up someone else’s grades.
- Circumventing the level of data access given to others by providing access that is broader than that available to them, unless authorized. For example, providing an extract file of employee salaries to someone who does not have security access to salary data is prohibited by this policy.
- Allowing unauthorized access to CCRI’s administrative systems or data by sharing an individual’s username and password.
- Engaging in any other act that violates the letter and spirit of the policy, either purposefully or accidentally.
In assuming responsibility for the interpretation and use of college administrative data, guardians are expected to recognize the potential serious consequences of their improper guardianship. Improper maintenance, disposal, or release of college administrative data exposes the college to significant risk, including lawsuits, loss of employee and student trust, and loss of funding.
Guardians who are found in violation of this policy will be subject to CCRI disciplinary processes and procedures including, but not limited to, those outlined in the Student Handbook, the CCRI Employee Handbook, and any applicable bargaining unit contracts. Illegal acts may also subject users to prosecution by local, state, and/or federal authorities.
POLICY APPLIES TO:
College employees, or others who are associated with the college, who request, use, possess, or have access to college administrative data
This policy does not prevent the release of institutional data to external organizations or governmental agencies as required by legislation, Regulation, or other legal vehicle.
Questions regarding this policy or the application of this policy to a specific situation should be referred to the Executive Director & Chief Information Officer, Information Technology. Changes to this policy will be authorized by the approval of the CCRI Institutional Technology Advisory Committee and the President’s Council.