Many individuals in the Lafayette community have access to information during the course of their work or studies that must be protected.
Such information includes, but is not limited to:
- Personal information (e.g., social security numbers, dates of birth, student records, and financial aid data).
- Proprietary information (e.g., College financial data and donor information).
- Regulated information, the disclosure of which is subject to regulatory compliance (including HIPAA, FERPA and GLBA).
This policy establishes specific requirements for handling sensitive digital information at Lafayette College. As with other College policies, violation of the Data Stewardship Policy can result in disciplinary action up to and including termination.
Scope
This policy applies to all employees and students of Lafayette College, as well as temporary workers, consultants, vendors, and any other parties that have a relationship with the College.
Policy
It is the obligation of everyone to protect the confidentiality of sensitive information, all of which may be released only when properly authorized. The following guidelines apply specifically to sensitive information in digital format:
- Storage. Whenever technically feasible, sensitive information should be stored on institutionally-provided systems with appropriate access control and not on an office computer or a removable storage device (e.g., USB drive). If a computer must be used to store sensitive information, it must be in a secure location, and each individual authorized to use the computer should have a unique log on with a strong password. Sensitive information should not be stored on a laptop unless absolutely necessary, nor should it be stored in third-party cloud services not supported by the College (e.g., Dropbox).
- Backup. All sensitive information should be backed up, and backups should be stored on institutionally-provided systems.
- Mobile Devices. Special care must be taken when traveling with sensitive information on a portable device. Access to your laptop or other mobile device requires a strong password where supported. Sensitive information should only be stored on mobile devices temporarily, and should be deleted when no longer needed.
- Transmission. Sensitive information must be transferred only over secure media. If a medium is not secure (e.g., the Internet), mechanisms to secure the data must be used (e.g., unencrypted files transferred over a Virtual Private Network or encrypted files transferred over an insecure network).
- Passwords. Users with access to sensitive information should use strong passwords for their Lafayette NetID and Banner accounts, and change these passwords regularly.