Policy: Data Classification and Protection

DATA PROTECTION

Educational institutions generate, handle, and store large amounts of data, including student, employee, educational, research, and financial data. These data need to be protected from “corruption, misapplication, compromise, misuse, and loss.” Data protection focuses on “how to apply the three critical information security imperatives: confidentiality, integrity, and availability” (EDUCAUSE Center for Analysis and Research, Data Protection Primer for Higher Education, ECAR Working Group Paper, June 20, 2016).

 

PURPOSE

The purpose of this policy is to establish a data classification scheme and set of protocols to ensure that Massasoit Community College remains in compliance with pertinent federal and Massachusetts state laws; to protect Massasoit students, faculty, and staff from unauthorized disclosure of confidential information; and to protect the College and its employees from financial and reputational harm.

 

SCOPE

This policy applies to all college employees, contractors, and individuals who have access to MCC data and information.  Data protected under this policy can reside on or in a variety of media (e.g., electronic files, paper documents, shred bins, physical servers, virtual servers, databases, file servers, personal computers, USB drives, and mobile devices) and can move through a variety of methods (human, network, wireless, etc.).

 

POLICY

All Massasoit employees and affiliated individuals with access to non-public data and information that are produced, stored, or managed by the College will be informed of the data security classification levels outlined in this document (page 2) and must adhere to the specific protocols established for each classification level (pages 3-4).

 

TRAINING

The effectiveness of this policy depends upon increasing awareness of information security responsibilities. Informational materials will be distributed to all current employees, and all new employees will be provided with policy information during their onboarding.  Specific objectives include ensuring that Massasoit employees and affiliates:

  • Are aware of the need to protect data and information in accordance with federal and state laws.
  • Are informed of the data classification scheme and understand the different security measures required for each classification level.
  • Are knowledgeable about the College’s information security policies and practices.
  • Clearly understand their responsibilities for protecting non-public data and information.

ENFORCEMENT

Any employee found to have violated, intentionally or unintentionally, this policy may be subject to disciplinary action, up to and including termination of employment.

 

DATA CLASSIFICATION

Data classification, in the context of information security, is the classification of data based on their level of sensitivity and the impact on the College should that data be disclosed, altered, or destroyed without authorization. Classification of data aids in determining baseline security controls for the protection of the data. This policy hereby formalizes the classification of all institutional data into one of four sensitivity levels (tiers), or classifications:

 

Tier 1: Restricted Data

Data whose access is restricted by law or non-disclosure agreements. Restricted data are specific types of confidential data requiring an extra level of security.

Examples:

  • Social Security numbers
  • Credit Card numbers
  • Student grades
  • Employee or student medical information
  • Proprietary information shared by a 3rd party under a non-disclosure agreement

*See “Types of Restricted Data” in the next section.

Access: Limited to individuals in roles requiring access for fulfillment of professional responsibilities, and who have been authorized access by the area VP.

Security: Highest. See section on “Storage and Handling of Restricted Data.”

Tier 2: Confidential Data

Data whose unauthorized disclosure could constitute an invasion of privacy, or cause financial loss or damage to the college’s reputation and the loss of community confidence.

Examples:

  • Student information that is not an official part of the record covered by FERPA
  • Employee personnel files
  • Performance evaluations
  • Student evaluation forms
  • Budget data

Access: Limited to individuals in roles requiring access for fulfillment of professional responsibilities, and who have been authorized access by a manager at or above Director level.

Security: High. Store in a secure server or locked file cabinet. Share files with authorized users via authorized file sharing applications. Do not email unless encrypted.

Tier 3: Internal/Private Data

Data whose unauthorized disclosure, alteration or destruction could result in a moderate risk to the college and its affiliates.

Examples:

  • Information contained in Massasoit’s internal portal
  • Students’ academic work
  • Faculty academic work
  • MCC statistics and performance metrics
  • Student survey data
  • Any information that has not been explicitly classified as either public, confidential, or restricted

Access: Limited to the Massasoit community on a “need to know basis.” Access is granted by the data owner/manager.

Students, as owners of their academic work, must grant access before faculty or others may use it for purposes other than assessing student learning in a course.

Access may be extended to community groups by permission settings on authorized file sharing applications.

Security: Moderate. Apply professional judgment on a case-by-case basis regarding data storage and transmission.

Tier 4: Public Data

Data that is accessible to the public by law, or whose disclosure presents little or no risk to the College and its affiliates.

Examples:

  • Information contained on Massasoit’s public website
  • Data reported to, and made public by, the U.S. Department of Education (IPEDS, etc.) and MA Department of Higher Education

Access: Access is unrestricted; data and information are available to the public.

Security: Low. No security to access, but precautions taken to protect the integrity of the data.

 

 

TYPES OF RESTRICTED DATA

“Restricted data” are defined as ‘any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transmission.’ Restricted data include, but are not necessarily limited to:

  • Personally Identifiable Information (PII) – Described below
  • Private Educational Records protected under FERPA – Described below
  • Payment Card Information (PCI) – Described below
  • Electronic Protected Health Information (ePHI) protected by Federal HIPAA legislation or Massachusetts medical privacy laws
  • Information whose confidentiality is legally protected by a contract or non-disclosure agreement
  • Other information whose unauthorized access or disclosure could have a high degree of adverse effect on individuals or the College

 

Personally Identifiable Information (PII)

Protected under state law – MA 201 CMR 17.00

Unencrypted electronic information that includes an individual’s first name or first initial and last name, in combination with any one or more of the following:

  • Social security number
  • Driver’s license or state-issued ID number (does not include a Massasoit ID or V#)
  • Financial account number, credit card number, or debit card number with or without any security code, access code, or password

 

Payment Card Information (PCI)

Per widely accepted Data Security Standards (PCI DSS) issued by the Payment Card Industry Security Standards Council

Credit card account number with any of the following:

  • Cardholder name
  • Service code
  • Expiration date

 

Private Educational Record

Protected under federal law - FERPA

The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law protecting the privacy of student records.  An ‘education record’ is any record maintained by the College or its employees in which a student can be personally identified. FERPA applies to any and all student data unless specifically exempted as ‘directory information’ that may be made public unless a student requests that it remain confidential.  (The allowable directory exemptions are listed in the Massasoit Student Handbook.) 

 

Examples of student data restricted by FERPA.

Unencrypted electronic information that includes an individual’s name, student ID or any other personal identifier, in combination with any one or more of the following:

  • Address
  • Birth date
  • Gender
  • Citizenship
  • Marital status
  • Disciplinary status
  • Financial aid, tuition, payments, account balances
  • Grades, exam scores, or GPA
  • Applications and admissions information
  • Evaluations, forms, memos, or correspondence to and about the student

 

STORAGE AND HANDLING OF RESTRICTED DATA

For each restricted data type, the data handling requirements and restrictions are defined to appropriately safeguard the information. Authorization to access restricted data will be based on an employee’s position and job responsibilities and granted by the area Vice President, in consultation with the Chief Information Officer and Associate Dean of Institutional Research. All employees must adhere to the following requirements and restrictions regarding the storage and handling of unencrypted restricted data:

 

Technologies Used

On-premises storage device (MCC network shared drive)

  • PCI/HIPAA: No
  • PII: Yes – With access limited to authorized persons only
  • FERPA: Yes – With access limited to authorized persons only

Authorized cloud storage provider (Massasoit OneDrive, Google Drive)

  • PCI/HIPAA: No
  • PII: Yes – With access limited to authorized persons only
  • FERPA: Yes – With access limited to authorized persons only

Workstation (on-campus college owned and managed computer)

  • PCI/HIPAA: No
  • PII: Data on server should not be stored on workstation hard drive/internal memory except in rare cases, and only with authorization.
  • FERPA: Data on server should not be stored on workstation hard drive/internal memory except in rare cases, and only with authorization.

Copying/printing

  • PCI/HIPAA: No
  • PII: Should only be printed for legitimate need. Print should not be left unattended on a printer/fax or in a public area. Must be sent via confidential envelope.
  • FERPA: Should only be printed for legitimate need. Print should not be left unattended on a printer/fax or in a public area. Must be sent via confidential envelope.

Mobile computing devices (College-owned laptops, tablets, smart phones)

  • PCI/HIPAA: No
  • PII: Requires authorization and should be rare. Requires password protection.
  • FERPA: Requires authorization and should be rare. Requires password protection.

Removable media (CDs, USB drives)

  • PCI/HIPAA: No
  • PII: Requires authorization and should be rare. Requires password protection and encryption.
  • FERPA: Requires authorization. Requires password protection and encryption.

Electronic file transfer

  • PCI/HIPAA: No
  • PII: Requires secure file transfer protocol (SFTP)
  • FERPA: Requires secure file transfer protocol (SFTP)

College-provided email

  • PCI/HIPAA: No
  • PII: Only Name, College ID, and Directory Information are permitted
  • FERPA: Only Name, College ID, and Directory Information are permitted

Personal email

  • PCI/HIPAA: No
  • PII: No
  • FERPA: No

Personally managed computer (home computer or personal laptop)

  • PCI/HIPAA: No
  • PII: No
  • FERPA: No

Personal smart phone

  • PCI/HIPAA: No
  • PII: No
  • FERPA: No

 

ROLES AND RESPONSIBILITIES

 

  • Chief Information Officer: Responsible for managing the Information Security and Data Protection training and awareness initiative regarding storage and transmission of data.
  • Associate Dean of Institutional Research: Responsible for assigning data classifications in consultation with senior administrators and data stewards, and for educating administrators and data stewards about access restrictions.
  • All Managers: Responsible for ensuring that all employees are appropriately trained and understand their roles in adhering to the Information Security and Data Protection Policy.
  • All College Employees: Encouraged to complete IT security training. Review and understand all MCC “Information Security Policies and Guidelines.”

 
