Data Handling Policy

Policy Statement

This policy states the guiding principles for information stewardship and a framework for classifying and handling confidential information and applies to all members of the Bryn Mawr College community.

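The College and its individual community members are expected to responsibly manage, handle, and use institutional information or data for instruction, research, service, and administration. Although such information or data may be accessed from, or stored on, a College-owned, personally-owned, or third-party computer or device, this expectation of responsibility remains in effect.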

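  • Institutional data includes all information created, collected, licensed, maintained, recorded, used, or managed by the College, its employees, or any individuals or agents working on behalf of the College, regardless of the ownership or origin of the information.
  • An institutional (or College-owned) system is any server, computer, mobile device, network, or storage media owned, rented, or licensed by the College to store and access institutional data.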

This College policy is intended to ensure the integrity, availability, and protection of institutional data without impeding legitimate, authorized access to, and use of, institutional data and systems.

Members of the Bryn Mawr community working with or using institutional data or systems in any manner must comply with the Bryn Mawr College Acceptable Use Policy.

Data Classification

Because of the nature of the College's mission and activities, every department and faculty member has some degree of access to confidential information during the normal course of work. Every individual and office should:

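  • Understand the nature of the confidential information in their care
  • Manage that data using security measures commensurate with its level of confidentiality
  • Understand the consequences that may result from improper handling or unauthorized access

Data Classification | Description | Examples (each community member or department will have its own list of data) | Consequences of Improper Handling or Unauthorized Access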

Level 1:

Regulated and Other Sensitive Data

Personally identifiable information (PII) and information protected by law, regulation, contract, binding agreement, or industry requirements. Information intended for very limited distribution on a need-to-know basis within the Bryn Mawr community.

  • Social security numbers, birth dates, bank information or any personal, financial or specific information that could be used to steal identity or financial resources
  • Student records governed by FERPA
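  • Health care information governed by HIPAA
  • Credit card information governed by PCI standards
  • Research data covered by a formal agreement or contract with the College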
  • Tenure and promotion files
  • Personnel files
  • Accounts payable records
  • Compensation data
  • Special review and audit reports
  • Contracted research
  • Library patron and borrowing records

May include legal sanctions, fines, and penalties for the College; violations of personal privacy; financial and/or reputational loss; potential lawsuits; for research data, loss of access to critical data sources or funding

Level 2:

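Internal Data (Administrative and Community Data)

Information limited to distribution to members of the Bryn Mawr community who need the data to support their work. Information intended for the Bryn Mawr community. Information at this level does not contain regulated information, but may be restricted to some or all members of the Bryn Mawr community.

For documents that do not contain Level 1 data: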

  • Internal memos and emails
  • Planning documents
  • Meeting minutes
  • Licensed library resources

May include financial and reputational loss; loss of productivity; loss of access to resources; violation of agreements

Level 3:

Public Data

Information intended for the public. Information at this level does not contain regulated or confidential information.

  • Press releases and publications
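  • Information posted on public websites and social media

Publicly released information must not cause any material harm to the College; reviewing materials for accuracy and civil discourse is important to avoid reputational loss.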

Best Practices

Employee Training

College employees, especially those who use or access confidential information (Level 1), must have training which includes an overview of applicable laws; recommendations on how to avoid or address known risks, password security and encryption; appropriate methods of record storage and backup; proper methods of record disposal; and College policies and guidelines related to data security and stewardship.

Supervisors should direct employees to appropriate training resources, and LITS is available to consult.

Data Protection

Confidential College information must be maintained in the safest environment consistent with educational, research, service, or operational needs. Store confidential data in an appropriately secure location (see Data Handling Storage Guidelines). If you use a mobile device to access College data, the device must be properly secured with a password or biometric access control, and with encryption. Use print-release functionality when printing confidential documents to shared printers/copiers. Departments and individuals are responsible for ensuring data is backed up to protect against loss due to equipment or technical failures. If you have questions about how to back up data, consult LITS. Access to the information and/or the information storage equipment or areas must be limited to those with an appropriate business reason for such access. Supervisors will ensure that authorizations for access to confidential information are up to date for their departments as employees are hired, change roles, or depart.

Although this policy focuses primarily on handling data in electronic format, handling data in print format is equally important.

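  • Employees must ensure the confidentiality and security of files, reports, and any other printed documents. These documents must not be left unattended in public places or common areas.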
  • Storage areas, file rooms, and file cabinets with confidential information must be locked at the end of the day or whenever the area will be unattended.
  • Use secure print release when printing confidential documents on shared printers.
  • All printed documentation containing confidential information must be shredded when discarded or no longer needed.

Passwords

Access to electronic information must be protected by a strong password. Passwords must never be shared with anyone. Refer to the College’s Acceptable Use Policy.

Security Updates and Patches

The College is responsible for updating core systems, servers, and network infrastructure, and will do so in accordance with the System Maintenance Policy.

Employees and students are responsible for applying recommended software updates and patches on a timely basis and keeping up-to-date software installed on all College-owned and personal devices and computers that connect to the Bryn Mawr network. They must install updates or patches that software vendors deem critical for security as soon as reasonably possible after release.

Antivirus Protection

The College supports and maintains antivirus software for all College desktop devices. Employees must ensure they are using current antivirus protection software on any device they use for College business; contact LITS for College-recommended options.

Personally Owned Devices

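Use appropriately secured devices to remotely access confidential College data. Do not use devices shared with others to access confidential College information. Avoid downloading confidential information to personal devices and avoid transmitting such data over the internet (e.g., forwarding via email).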

Secure Data Deletion

Information no longer needed for educational, research, service, or operational needs and not necessary to retain by law or College policy must be securely deleted as a regular business process or once discovered.

Email Forwarding

For community members with an email account, all official College electronic correspondence will come to you via your Bryn Mawr email address. Each individual is responsible for promptly receiving official correspondence by accessing their Bryn Mawr email.

Faculty and Staff: Faculty and staff may not systematically forward email to external accounts. Any faculty or staff member who is also an alumna/us or who holds other status must remove any forwarding in the email system and any alumnae/i forwarding in Bionic for the time that they are employed. Forwarding email increases the risk of exposing sensitive data.

Shared (or departmental) email addresses being used for official College purposes may not be forwarded outside basilinfracon.com.

Students: Students who prefer to use another account are responsible for forwarding email and configuring outside accounts to accommodate Bryn Mawr College email. Bryn Mawr cannot guarantee delivery or recovery of email forwarded to external accounts (see http://techdocs.blogs.basilinfracon.com/1800). Students who forward their Bryn Mawr email to an external account are responsible for regularly checking their Bryn Mawr email via that personal account. Graduate and undergraduate students holding campus positions that involve access to privileged information may be required to remove email forwards.

Please note that popular personal email accounts such as Gmail, Outlook.com, etc. are not offered under the same terms of service as your institutional email account and do not promise confidentiality or compliance with any standard; use caution and read terms of service carefully.

Storage 

See Data Handling Storage Guidelines.

Policy Violation

Members of the Bryn Mawr community who either intentionally or unintentionally violate this policy and/or the Acceptable Use Policy risk loss of access to some or all College information resources and may be subject to other penalties and disciplinary action, both within and outside the College. The College may refer suspected violations of applicable law to appropriate law enforcement agencies.

Related Policies

Contact Us

Library and Information Technology Services

Canaday Library
101 N Merion Ave
Bryn Mawr, Pennsylvania 19010

Office of the CIO:
610-526-5271