In the course of their work, many individuals in the Lafayette community have access to information that must be protected.

Such information includes, but is not limited to:

  • Personal information (e.g., social security numbers, dates of birth, student records, and financial aid data).
  • Proprietary information (e.g., College financial data and donor information).
  • Regulated information, the disclosure of which is subject to regulatory compliance (including FERPA and GLBA).

This policy establishes specific requirements for handling sensitive digital information at Lafayette College. As with other College policies, violation of the Data Stewardship Policy can result in disciplinary action.

Scope

This policy applies to all employees and students of Lafayette College, as well as temporary workers, consultants, vendors, and any other parties that have a relationship with the College.

Policy

It is the obligation of everyone to protect the confidentiality of sensitive information, all of which may be released only when properly authorized. The following guidelines apply specifically to sensitive information in digital format:

  • Storage. Whenever technically feasible, sensitive information should be stored on network file space in restricted directories, not on an office computer or a removable storage device (e.g., USB key, CD, or DVD). If a computer must be used to store sensitive information, it must be in a secure location, and each individual authorized to use the computer should have a unique logon with a strong password. Sensitive information should not be stored on a laptop unless absolutely necessary. It should also not be stored in the Cloud using Google Docs, Dropbox, or any other service. For more guidance on how to use different storage options, see the article Options for Storing Data.
  • Backup. All sensitive information should be backed up, and backups should be stored on the network.
  • Mobile Devices. Special care must be taken when traveling with sensitive information on a portable device. Access to your laptop, PDA, or other mobile device should require a strong password where supported. Sensitive information should only be stored on mobile devices temporarily, and should be deleted when no longer needed.
  • Transmission. Sensitive information must be transferred only over secure media. If a medium is not secure (e.g., the Internet), mechanisms to secure the data must be used (e.g., unencrypted files transferred over a Virtual Private Network or encrypted files transferred over an insecure network).
  • Passwords. Users with access to sensitive information should use strong passwords for their Network IDs and Banner accounts, and change these passwords regularly.