841.00 Data Access and Security

  1. PURPOSE
    Access to institutional data by faculty, staff, and other employees is essential to support college functions. In turn, faculty, staff, and others with access are obliged to appropriately use and effectively protect college data, including digital and paper records.
    College data covered by this policy include items of information that are created, collected, maintained, and utilized by the college community for the purpose of carrying out institutional functions including teaching, advising, business functions, and research, limited by any overriding contractual or statutory regulations. Research data, scholarly work of members of the faculty, staff, or student body, and intellectual property are beyond the scope of this policy. Authorization to access college data carries with it the responsibility to use the data as intended and not for personal gain or other inappropriate purposes. This data usage policy is intended to ensure that college data is used appropriately.
  2. DATA ACCESS POLICY STATEMENT
    College data shall be accessible for inquiry and/or download by authorized employees in support of college functions appropriate to the role/duties of the authorized individual. Access to data will be as broad as possible, consistent with the classification of the data, role(s) and responsibilities of the user, and level of training. Data will be classified according to its sensitivity to unauthorized exposure as per the standards defined in this document. All individuals who require access to student data – other than public data as defined below – will complete training in data security and protection of confidential data.
  3. DATA ACCESS AUTHORIZATION
    Access to college data for inquiry and/or download purposes (through centrally or departmentally supported applications software, user-written software, or other means) will be authorized on the basis of data inquiry access categories and the individual’s roles/duties. An individual’s access to his/her own student or employment information, however, is governed by law and is not constrained by these categories.
    Data reporting required for grants may be subject to review by the Salish Kootenai College Institutional Review Board (See SKC Policy 1000.0).
    Data is classified according to the following categories:
    1. Public Data:  Data which are of interest to the general public and for which there is no business need or legal reason to limit access. Public data may be made available to the general public in printed or electronic format. Anyone in the general public may view these data using such public sources such as institutional web pages or printed materials. Examples include student data identified as ‘directory information’ and aggregated data provided in institutional or departmental facts books.
    2. Non-Public Data:  All data held by the college for operational, educational, and/or other purposes which are not appropriate or available for general public use. Non-public data shall be made available to authorized college employees for inquiry/download only in support of the performance of their assigned roles/duties. Non-public data may be released to individuals or groups outside of the College community only with approval as required by law, approval through the Salish Kootenai College Institutional Review Board, or approval by the appropriate data steward(s) as listed below. Examples of non-public data include records subject to disclosure under law including college business transactions, employee records, and student records including student grades.
    3. Non-public College data shall be stored or transported on portable devices/media (laptops/tablets, USB drives, CD-ROM, DVD, etc.) only as required to conduct College business functions. Where necessary to store or transport such data on a portable device/medium, they should be protected from disclosure in the event of device/media loss using commercially reasonable business practices such as device locks or data encryption.
      1. Further distribution of non-public data or use of non-public data for a purpose other than that for which it was requested is a violation of college policy.
    4. Confidential Data:  Data to which access is restricted for legal or other college business reasons including personal information. Examples of confidential data include a person’s name together with social security number or bank account number or driver’s license number, a student’s SKC ID together with its password, SKC ID together with name, certain personnel records, certain student records, etc.
      All members of the college community are responsible to access confidential data only for legitimate purposes of college business. Each member of the college community with authorization to access confidential college data must document with a signed statement that he/she understands and will comply with College policies and procedures applicable to that data.
      All confidential data connected with an individual’s name shall be stored securely on physically secured storage devices or media and displayed in an encrypted or otherwise obscured manner.
      Confidential data – including student grades or other academic records, college business records, etc. – should never be stored on an unsecured device such as a laptop computer or USB drive unless the data is nonidentifiable as pertaining to any particular individual(s), and should be stored in password protected files. Highly confidential data shall not be collected or stored outside the designated central system of record.
  4. DELETING DATA
    Data should be stored and archived in accordance with the legal requirements for that particular type of data. For example, financial records are required to be archived for a specific period of time. The steward of any particular data along with IT Services and Institutional Research will determine when archived data can be appropriately deleted.
  5. DATA USAGE
    Non-public and confidential college data shall be used only in the performance of assigned roles/duties within the college.
  6. DATA USAGE RESPONSIBILITY
    Each individual with access to college data has the responsibility to use those data and any information derived from them appropriately. Individuals will be held responsible for any use made of college data under their user IDs and passwords.
    Use of college data must comply with all applicable federal laws and college policies, including FERPA, HIPAA, and SKC antidiscrimination policies. College data must not be used to promote or condone any type of harassment, copyright infringement, political activity, personal business interests, or any activity that is unlawful and/or precluded by college policies.
    Willful misuse of college data or other breaches of this policy can result in termination of access privileges, disciplinary action which may include termination of employment, and/or civil and criminal penalties.
  7. ACCOUNT AND PASSWORD RESPONSIBILITIES
    Every individual at SKC has several accounts allowing access to various systems at SKC, many that allow access to private and confidential data. It is the individual’s responsibility to keep the user IDs and passwords of these accounts private and treat the information as confidential data. User IDs and password shall not be written down and shall not be kept in an easily visible location. See Good Security Practices in the SKC Procedures Manual for information on how to properly keep your account information confidential.
    Systems and accounts that are found to be in violation of this policy may be removed from the SKC network, disabled, etc. as appropriate until the systems or accounts can comply with this policy.

History:

Adopted 04/15/15
Revised: 4/27/18
Reviewed: 3/2017, 8/2020

Theme: Overlay by Kaira
Salish Kootenai College is accredited by the Northwest Commission on Colleges and Universities. Salish Kootenai College | PO Box 70 | 58138 US Highway 93 | Pablo, MT 59855 | 406.275.4800.