Every employee and volunteer who has access to personal, confidential, and sensitive information has a duty to protect that information from unauthorized access. Managers are obligated to ensure that employees and volunteers are aware of this policy and advised on how to perform their work within the boundaries of this policy.
- Confidential information is data whose loss, corruption, or unauthorized disclosure would violate federal or state laws or institutional contracts, impair the academic, research, or business functions of the college, or result in any business, financial, or legal loss. Examples: any data explicitly identified as protected under law, data protected by contract or grant authority such as grant-funded research data, copyrighted information, medical information, personnel information, and account or financial information of the college.
- Personal information, a subset of confidential information, is defined by Massachusetts General Laws Chapter 93H as a person's first name and last name, or first initial and last name, in combination with any one of the following: Social Security number, driver's license number, state-issued identification card number, financial account number, credit card number, or debit card number.
- Sensitive information is data whose unauthorized disclosure is not a violation of law, does not impair business, and does not result in a financial loss, but may be damaging to our students, employees, or alumnae or to the college's reputation, and thus requires a higher degree of security than other information. Examples: a list of donors' names and contributions, a list of employees' names and salaries, detailed building plans for buildings that contain secure locations, data network maps, Board of Trustees notebooks, or class exams.
Therefore, the college expects employees and volunteers to comply with the following data security standards:
- Always password-protect your computer on startup and when waking from sleep or screen-saver mode; always activate sleep or the screen saver, or log out, when leaving your computer unattended.
- Never share confidential data, including personal information, with another employee unless the employee has been authorized by the data custodian (typically the head of the department that collects and maintains the data).
- Strictly limit the amount of confidential data, including personal information, stored on desktop/laptop computers and network drives to that which is necessary to accomplish the legitimate purpose for which it was collected or extracted from institutional databases, and remove confidential data from desktop/laptop computers and network drives upon completion of the work.
- Never store confidential data, including personal information, on portable storage devices such as portable hard drives, USB flash drives, CDs, DVDs, mobile phones, and personal digital assistants.
- Never store confidential data, including personal information, on a laptop unless there is a legitimate business purpose and the data is encrypted on the laptop.
- Avoid sending confidential data, and never send personal information, in an electronic mail message; password-protect or encrypt email attachments that contain confidential or sensitive data, and convey the password to the recipient through a separate channel (such as by telephone), never in the same message as the attachment.
- Never transmit confidential data, including personal information, to third-party service providers unless all of the following conditions are met: there is a legitimate business purpose; the data is encrypted during transmission (for example, using a secure website or secure file transfer protocol); and the recipient encrypts the data or stores it on a secured host or in a secured location.
Violations of college policies are addressed according to procedures outlined in the Staff Handbook and may result in the removal of computer access privileges and/or more serious sanctions. Some offenses are punishable under state and federal laws.
Information about acceptable practices in transmitting files securely is available on the ITS website at: https://www.smith.edu/its/tara/software/file_transfer.html
Questions regarding the Employee Information Security Policy should be directed to the Vice President for Information Technology.
Approved by ITCC, May 18, 2010