Data Handling Policy
This policy states the guiding principles for information stewardship and a framework for classifying and handling confidential information. It applies to all members of the Bryn Mawr College community.
The College and its individual community members are expected to responsibly manage, handle, and use institutional information or data for instruction, research, service, and administration. While such information or data may be accessed from, or stored on, a College-owned, personally-owned, or third-party computer or device, this expectation of responsibility remains in force.
- Institutional data consists of all information that is created, collected, licensed, maintained, recorded, used, or managed by the College, its employees, or any person or agent working on behalf of the College, regardless of the ownership or origin of the information.
- An institutional (or College-owned) system is any server, computer, mobile device, network, or storage media owned, rented, or licensed by the College to store and access institutional data.
This College policy is intended to ensure the integrity, availability, and protection of institutional data without impeding legitimate, authorized access to, and use of, institutional data and systems.
Members of the Bryn Mawr community working with or using institutional data or systems in any manner must comply with the Bryn Mawr College Acceptable Use Policy.
Because of the nature of the College’s mission and activities, every department and faculty member has some degree of access to confidential information during the normal course of work. Each person and office is expected to:
- Understand the nature of confidential information in their care
- Manage that data with safeguards proportional to the degree of confidentiality
- Understand the consequences that might result from improper handling or unauthorized access
| Data Classification | Description | Examples (each community member or department will have its own data list) | Consequences of Improper Handling or Unauthorized Access |
| --- | --- | --- | --- |
| Regulated and Other Sensitive Data | Personally Identifiable Information (PII) and information protected by law, regulation, contract, binding agreement, or industry requirements. Information intended for very limited distribution on a need-to-know basis within the Bryn Mawr community. | | May include legal sanctions, fines, and penalties for the College; violations of personal privacy; financial and/or reputational loss; potential lawsuits; for research data, loss of access to critical data sources or funding |
| Internal Data (Administrative and Community Data) | Information limited to distribution to members of the Bryn Mawr community who need the data to support their work. Information intended for the Bryn Mawr community. Information at this level will not contain regulated information, but may be restricted to some or all members of the Bryn Mawr community. | For documents which contain no Level 1 data | May include financial and reputational loss; loss of productivity; loss of access to resources; violation of agreements |
| | Information intended for the public. Information at this level will not contain regulated or confidential information. | | Publicly posted information must not pose any significant harm to the College; checking materials for accuracy and civil discourse is important to avoid reputational loss. |
College employees, particularly those who use or access confidential information (Level 1), must have training which includes an overview of applicable laws; recommendations on how to avoid or address known risks, password security and encryption; appropriate methods of record storage and backup; proper methods of record disposal; and College policies and guidelines related to data security and stewardship.
Supervisors should direct employees to appropriate training resources, and LITS is available to consult.
Confidential College information must be maintained in the safest environment consistent with educational, research, service, or operational needs. Store confidential data in properly secured locations—see the Data Handling Storage Guidelines. If you use a mobile device to access College data, the device must be properly secured with a passcode or biometric access control, and with encryption. Use print-release functionality when printing confidential documents to shared printers/copiers. Departments and individuals are responsible for ensuring data is backed up to protect against loss due to equipment or technical failures. Consult with LITS if you have questions about how to back up data. Access to the information and/or the information storage equipment or areas must be limited to those with an appropriate business reason for such access. Supervisors will ensure that authorizations for access to confidential information are up to date for their departments as employees are hired, change roles, or depart.
While this policy focuses mainly on handling of data in electronic formats, handling of data in print formats is equally important.
- Staff must ensure the confidentiality and security of files, reports, and any other printed documents. Such documents must not be left unattended in public places or common areas.
- Storage areas, file rooms, and file cabinets with confidential information must be locked at the end of the day or whenever the area will be unattended.
- When printing confidential documents on shared printers, use secure print release.
- All printed documentation containing confidential information must be shredded when discarded or no longer needed.
Access to electronic information must be protected by strong passwords. Passwords must never be shared with anyone. Refer to the College’s Acceptable Use Policy.
Security Updates and Patches
The College is responsible for updating core systems, servers, and network infrastructure and will do so as per the System Maintenance Policy.
Employees and students are responsible for applying recommended software updates and patches on a timely basis and keeping up-to-date software installed on all College-owned and personal devices and computers that connect to the Bryn Mawr network. They must install updates or patches that software vendors deem critical for security as soon as reasonably possible after release.
The College supports and maintains antivirus software for all College desktop devices. Employees must ensure they are using current antivirus protection software on any device they use for College business; contact LITS for College-recommended options.
Personally Owned Devices
Use a properly secured device to gain remote access to confidential College data. Do not use devices shared with others for accessing confidential College information. Avoid downloading confidential information to personal devices and avoid transmitting such data over the internet (e.g., forwarding via email).
Secure Data Deletion
Information no longer necessary for educational, research, service, or operational needs and not necessary to retain by law or College policy must be securely deleted as a regular business process or once discovered.
For community members with email accounts, all official College electronic correspondence will come to you via your Bryn Mawr email address. Each individual is responsible for promptly receiving official correspondence by accessing their Bryn Mawr email.
Faculty and Staff: Faculty and staff may not systematically forward email to external accounts. Any faculty or staff member who is also an alumna/us or who holds other status must remove any forwarding in the email system and any alumnae/i forwarding in Bionic for the time that they are employed. Forwarding email increases the risk of exposing sensitive data.
Shared (or departmental) email addresses being used for official College purposes may not be forwarded outside brynmawr.edu.
Students: Students who prefer to use another account are responsible for forwarding email and configuring outside accounts to accommodate Bryn Mawr College email. Bryn Mawr cannot guarantee delivery or recovery of emails forwarded to outside accounts (see http://techdocs.blogs.brynmawr.edu/1800). Students who forward their Bryn Mawr email to an external account are responsible for regularly checking their Bryn Mawr email via that personal account. Graduate and undergraduate students holding campus positions that involve access to privileged information may be required to remove email forwards.
Please note that popular personal email accounts such as Gmail, Outlook.com, etc. are not offered under the same terms of service as your institutional email account and do not promise confidentiality or compliance with any standard; use caution and read terms of service carefully.
Members of the Bryn Mawr community who either intentionally or unintentionally violate this policy and/or the Acceptable Use Policy risk loss of access to some or all College information resources and may be subject to other penalties and disciplinary action, both within and outside of the College. The College may refer suspected violations of applicable law to appropriate law enforcement agencies.