Purpose
College Data is a valuable asset to all constituencies at Emerson College (students, faculty, staff, etc.) and requires the coordinated use of significant resources (funds, space, technology, etc.) involving all operations of the College. College Data enables the institution to assess the needs of the College community and to manage and modify its services and operations accordingly. It is vital not only in the day-to-day operations of the College but to short-term and long-term planning, and it serves as the basis for internal and external reports.
Appropriate and timely access to College Data is critical for the efficient and effective operation of the College. Controlling access to College Data and keeping data confidential is also important to protect the College from accidental loss or destruction of data, liability, and acts of malice.
The objectives of this policy are to:
- Detail responsibilities for managing College Data.
- Establish a framework for standards and guidelines to be followed in the creation of data storage, destruction, and access mechanisms.
Scope
This policy is applicable to all individuals accessing College Data (Users of College Data).
Nothing in this policy precludes or addresses the release of College Data to external organizations, governmental agencies, or authorized individuals as may be required by legislation, regulation, or other legal obligation.
Definitions
For purposes of this policy, the following definitions apply:
Access: The ability to read, copy, modify, delete, or query data.
College Data: Data that is created, acquired or maintained by the College. College Data includes, but is not limited to, data that is: (a) acquired and/or maintained by College employees in the performance of administrative job duties; (b) relevant to planning, managing, operating, or auditing a major function at the College; or (c) referenced or required for use by more than one organizational unit. College Data may reside on College-owned systems or systems owned by third parties.
Confidential Data: College Data classified as High Risk or Moderate Risk whose unauthorized access, loss, or corruption would pose a significant financial, legal, or identity risk to the College or its constituents, and is therefore not available to the general public.
Users of College Data: Any person granted access and use privileges to College Data. This includes students, faculty, visiting faculty, staff, volunteers, alumni, persons hired or retained to perform work for the College, and any other person granted access and use privileges by the College under contractual agreements or otherwise.
Data Custodians: College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination.
Data Stewards: College officials who have policy-level responsibility for managing a segment of College Data.
Personal Information: Per the Massachusetts regulation for Personal Information and Breach of Security, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security Number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number ("PIN"), or password that would permit access to a resident's financial account. The term "personal information" does not include that information which is lawfully obtained from publicly available information (such as addresses or birthdays), or from federal, state, or local government records lawfully made available to the general public.
Health Information: Health data created, received, stored, or transmitted in relation to the provision of healthcare, healthcare operations, and payment for healthcare services.
Statement of Policy
Regulations, Statutes, and Policies
Responsibility for and access to College Data is governed by the following policies and legal statutes:
- Massachusetts Data Protection Law
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- European Union General Data Protection Regulation (GDPR)
- Payment Card Industry (PCI) Data Security Standard
- Emerson College Written Information Security Policy
- Emerson College Records Management Policy
- Emerson College Conflict of Interest Policy
Data Stewardship and Custodianship
The College as an organization owns its data (or in some cases, such as with Social Security numbers or other personal data, is the custodian of data), and specific departments and positions in the roles of Data Stewards are responsible for different segments of that data. These departments and Data Stewards shall define how the assigned data is managed within the scope of the legal and regulatory obligations.
Data Stewards are responsible for:
- Assigning Data Custodians in their respective area(s).
- Enforcing the requirements of this policy.
- Setting additional/internal standards, procedures, and expectations for how Data Custodians handle College Data. Data Stewards are empowered to determine if their data was handled appropriately by their designated Data Custodians.
Data Custodians will authorize access to College Data only on a need-to-know basis. Individuals seeking access will submit a request for approval to the appropriate Data Custodian who has responsibility for the data at issue.
Data Custodians will grant access to College Data for legitimate College purposes according to the classification of the data being requested and the internal expectations set by their Data Steward. The method of transmittal of any College Data must be in compliance with the College's Data Classification Guideline.
Data Handling and Collection
Users of College Data shall respect the confidentiality and privacy of individuals whose records they may access, and shall abide by applicable laws and College policies (listed in this policy) with respect to access, use, protection, proper disposal, and disclosure of data.
To the extent that the law permits, as determined by the Office of General Counsel, Data Stewards reserve the right to deny access to any person or organization to College Data for any reason.
No person or party may collect College Data (i.e., through online or paper forms, solicitations, etc.) without authorization from the appropriate Data Custodian.
See the Records Management Policy for data retention requirements, schedules, and practices.
Compliance
The Assistant Vice President, IT Security & Infrastructure shall ensure compliance with this policy. Data Stewards and Data Custodians shall implement the policy as described above. Violations of this policy may result in disciplinary action, in accordance with Emerson College's Human Resources and/or Student Conduct policies and any additional collective bargaining agreements. Please review HR's Service Center for details regarding Emerson College's disciplinary process, and the Code of Community Standards.
Effective Date
This policy is effective as of April 2nd, 2020.
Exhibits
Exhibit 1: Data Stewards and Areas of Responsibility
The following vice presidents are Data Stewards and are the highest authority for their respective data domains. They are responsible for making and owning decisions regarding data access, policies, and application purchases for their areas. Data Stewards should collaborate with IT to balance data access control with cross-functional needs, adhering to the Principle of Least Privilege.
- Alexandra Socarides, Vice President, Academic Affairs and Provost: Oversees data related to all academic programs, curriculum, faculty resources, student academic records, and institutional research.
- Allison Dawson, Vice President, Institutional Advancement: Manages data related to donors, fundraising, and alumni engagement.
- Brian Basgen, Vice President, Digital and Physical Infrastructure: Responsible for data concerning information technology systems, infrastructure, and security across the College.
- Carolina Avellaneda, Vice President and General Counsel: Oversees data related to legal cases, compliance, and campus safety.
- Christie Anglade, Vice President, Student Affairs: Governs data for student housing, counseling services, student conduct, and wellness programs.
- Jamie Montgomery-Hyde, Interim Vice President, Human Resources & CHRO: Responsible for all human resources data, including compensation, benefits, performance, recruitment, and policies.
- Kelly Devers-Franklin, Vice President, Marketing and Communications: Responsible for data concerning College marketing, public relations, and communications.
- Matt Boyce, Vice President, Enrollment Management: Governs data related to student admissions, financial aid, student accounts, and demographic information.
- Richard Madonna, Vice President, Finance and Chief Financial Officer: Responsible for data concerning College finances, budgets, procurement, and administrative services.
- Shaya Gregory Poku, Vice President, Community, Culture, & Belonging: Oversees data related to institutional efforts to strengthen the Emerson experience and advance the College’s values.
Exhibit 2: Data Custodians and Functional Areas
Data Custodians are College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination. Data Stewards designate Data Custodians by functional area and data area. New designees must be submitted in writing to the Assistant Vice President, IT Security & Infrastructure, who is the Responsible Officer for this Policy, and must specify the Data Custodian by title and describe the functional and data areas for which the Data Custodian is responsible.
| Data Steward | Data Area with Description | Data Custodian |
|---|---|---|
| Alexandra Socarides, Vice President, Academic Affairs and Provost | Advising Data: Student academic advising records, including advisor assignments, notes and recommendations. | Assistant Vice President for Academic Affairs |
| | Curriculum Data: Information related to academic programs, course catalogs, and degree requirements. | Assistant Vice President for Academic Affairs |
| | External Programs Data: Information related to study abroad, international exchange programs, and external partnerships. | Vice Provost, Global Engagement and Programs |
| | Faculty Resources Data: Records pertaining to faculty hiring, appointments, reviews, and professional development. | Dean of the Faculty & Associate Provost |
| | Faculty Union Data: Information related to collective bargaining agreements, union membership, and related labor relations within the faculty. | Dean of the Faculty & Associate Provost |
| | Graduate and Professional Studies Data: Student records and program information specific to graduate and professional studies students. | Associate Vice President, Executive Education |
| | Learning Management System Data: All content and records from the College's learning management systems, such as Canvas, including student submissions, grades, and course materials. | Director, Instructional Technology Group |
| | Professional Studies Data: Records related to continuing education, professional certificates, and non-degree programs. | Interim Dean, Graduate and Professional Studies |
| | Program Data: Academic and student data for the Liberal Arts and Interdisciplinary Studies programs. | Dean of the School of Arts & Interdisciplinary Studies |
| | Registrar Data: Official student records, including course registration, grades, enrollment verification, and degrees awarded. | Registrar |
| | Student Immigration and Visa Data: Records and documentation for international students related to visa status and immigration compliance. | Vice Provost, Global Engagement and Programs |
| Jamie Montgomery-Hyde, Interim Vice President, Human Resources & CHRO | Absence Data: Hours worked and work schedules. | Director, Human Resources |
| | Compensation and Benefits: Data related to employee compensation and benefits. | Director, Compensation & Benefits |
| | Job Descriptions and Performance: Job descriptions, performance management files and plans, and department organization. | Director, Human Resources |
| | Staff Organization Data: Reporting structures, staff headcount, department makeup. | Director, Human Resources |
| | Staff Union Data: Information related to collective bargaining agreements, union membership, and related labor relations within the faculty. | Director, Human Resources |
| Christie Anglade, Vice President, Student Affairs | Athletics Operations Data: Information related to the day-to-day management of athletic facilities, team schedules, and event logistics. | Associate Dean, Campus Life & Director of Athletics |
| | Counseling Data: Medical records related to student mental health and counseling services. | Assistant Vice President, Campus Health and Wellness & Director, Emerson Wellness |
| | Housing Data: Information related to student housing assignments, residential life programs, and housing-related incidents. | Director, Housing & Residential Education |
| | NCAA Student Athlete Data: Student-athlete information required for compliance with National Collegiate Athletic Association (NCAA) regulations, including eligibility, health records, and academic progress. | Associate Dean, Campus Life & Director of Athletics |
| | New Student Orientation Data: Records related to incoming student orientation programs, including registration information, family contact details, and program participation. | Associate Director, Student Transitions |
| | Recreation Services Data: Data concerning campus recreation programs, facility usage, and student participation. | Associate Dean, Campus Life & Director of Athletics |
| | Student Communications Data: Records of official communications sent to students regarding campus events, announcements, and policies. | Vice President, Student Affairs |
| | Student Conduct Records: Records of student disciplinary actions, behavioral incidents, and conduct outcomes. | Associate Vice President & Dean of Students |
| | Student Health and Wellness Data: Medical records, immunization status, and other health data managed by the College's health services. | Assistant Vice President, Campus Health and Wellness & Director, Emerson Wellness |
| Carolina Avellaneda, Vice President and General Counsel | Case Files: Legal documents, correspondence, advice, communications, and other information related to active or past legal cases. | Vice President and General Counsel |
| | CLERY Data: Crime statistics and security-related information required by the Clery Act. | Chief, Police Department |
| | Data Produced Pursuant to Legal Requests or eDiscovery: Information compiled in response to legal requests, subpoenas, or eDiscovery. | Vice President and General Counsel |
| | Enforcement Data: Records of campus rule enforcement, including citations and policy violations. | Chief, Police Department |
| | Government & Community Relations Data: Information related to the College's relationships with government officials, community organizations, and local stakeholders. | Executive Director, Government & Community Affairs |
| | Internal Affairs Data: Records of investigations into police and security personnel. | Chief, Police Department |
| | Investigations and Enforcement Data: Records and evidence from investigations conducted by the police department, as well as records of campus rule enforcement, including citations and policy violations. | Chief, Police Department |
| | Services Data: Data related to security services provided, such as keycard access and event security. | Chief, Police Department |
| | Title IX Investigation Data: Records of investigations related to Title IX complaints. | Vice President, Community, Culture, & Belonging |
| Brian Basgen, Vice President, Digital and Physical Infrastructure | Architecture, Engineering, and Construction Data: Blueprints, schematics, and project plans for campus buildings and infrastructure. | Associate Vice President, Facilities & Campus Services |
| | Business Services Data: Information related to vendor contracts, service level agreements, and business operations. | Associate Vice President, Facilities & Campus Services |
| | Facilities/Management Space Data: Records of campus buildings, room usage, and space allocation. | Associate Vice President, Facilities & Campus Services |
| | Information Technology Data: All data related to the College's IT infrastructure, including system logs, network configurations, and security audit reports. | Assistant Vice President, IT Security & Infrastructure |
| | Real Estate Data: Information regarding College-owned properties, leases, and real estate transactions. | Associate Vice President, Facilities & Campus Services |
| Matt Boyce, Vice President, Enrollment Management | Biographic/Demographic Data: Personally identifiable information about undergraduate and graduate students, including contact details, used for recruiting, admissions, reporting, and strategic planning. | Associate Vice President, Enrollment & Dean of Admissions |
| | Financial Aid Data: Student information related to financial aid applications, awards, and disbursements. | Assistant Vice President, Student Financial Services |
| | Student Admission Records: Student academic performance as it relates to admission and student finances, including transcripts, grades, and graduation information. | Associate Vice President, Enrollment & Dean of Admissions |
| | Student Accounting Data: Financial information related to student tuition, fees, billing, and payment history. | Assistant Vice President, Student Financial Services |
| Allison Dawson, Vice President, Institutional Advancement | College Donor and Prospect Data: Information on current and prospective donors, including giving history and philanthropic interests. | Vice President, Institutional Advancement |
| | Data Supporting Charitable Gift Trusts and Annuities: Legal and financial information related to planned giving and charitable trusts. | Vice President, Institutional Advancement |
| Kelly Devers-Franklin, Vice President, Marketing and Communications | Communications and Marketing Data: Information related to the College's public relations, branding, and marketing campaigns, including media contacts and audience analytics. | Vice President, Marketing and Communications |
| Richard Madonna, Vice President, Finance and Chief Financial Officer | Accounts Receivable Data: Records of outstanding invoices, payments due to the College, and related financial data. | Controller |
| | Capital Assets Data: Information on the College's long-term assets, such as buildings and equipment, including acquisition and depreciation records. | Controller |
| | Comprehensive College Budget Data: Financial data for the entire College, including operational budgets, capital expenditures, and planning. | Director, Budget and Planning |
| | Debt Issuance Data: Records of the College's debt obligations and related financial transactions. | Director, Treasury Services and Risk Management |
| | General Ledger Data: The College's primary financial accounting records, including all financial transactions. | Controller |
| | Payroll Data: Employee compensation, tax, and benefits information. | Director, Payroll |
| | Purchasing Data: Records of procurement, purchase orders, and vendor invoices. | Senior Director, Procurement |
| | Time Tracking Data: Employee work hours and other time-related records. | Director, Payroll |
| | Training Compliance Records: Records of employee training on mandatory topics such as security and harassment prevention. | Director, Treasury Services and Risk Management |
| | Treasury Services Data: Highly sensitive financial records, including bank accounts, tax filings, and investment information. | Director, Treasury Services and Risk Management |
| Shaya Gregory Poku, Vice President, Community, Culture, & Belonging | Climate and Culture Data: Emerson 360 survey and climate data. | Executive Director, HIVE & Community & Culture |
Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements
The table below lists the categories of data and examples. Any data that falls into multiple categories should be treated as belonging to the higher security category for protection purposes. If you have questions about a data classification, contact your Department Records Officer or the Director of Information Security and IT Infrastructure.
| Data Classification | Risk Level | Description | Examples |
|---|---|---|---|
| High Risk (GLBA, PCI, and Health Information) | High | Data whose loss, corruption, or unauthorized access would pose an extreme identity or financial risk to the College, a school partner, or the public, and may require notification of a governmental regulator and/or affected users. | Social Security Number, credit/debit card number, bank/financial account numbers, medical records, passwords or biometric data, driver's license or state ID number, FERPA records. |
| Moderate Risk | Medium | Data whose loss, corruption, or unauthorized access would impair the academic, research, or business functions of the College or is not available to the general public. | Student ID, employee ID, HR documents, College proprietary data or intellectual property, copyrighted College or student material, board meeting minutes, expense reports, litigation materials, software license numbers, College infrastructure plans, system configuration/log files, training data. |
| Low Risk | Low to None | Data to which the general public has access. | Any data found publicly on emerson.edu, policies, publications, academic calendar, campus maps. |
Data Transmittal and Storage
All members of the Emerson College community and its working partners are responsible for the proper handling, transmittal, and storage of College Data. All individuals and departments must follow the policies and procedures of the College to ensure that data is protected and used properly. Any partner, consultant, or vendor that needs access to or shares any non-public College Data must sign a Third Party Data Security Agreement.
| Data Classification | Data Transmission | Data Storage |
|---|---|---|
| High Risk (GLBA, PCI, and Health Information) | Emerson College IT Dept. approved encryption is REQUIRED when transmitting any information over a network. Third-party email or file transfer services are prohibited when transmitting High Risk information. High Risk numbers/data may be redacted instead of encrypted. | High Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All High Risk data should be stored and/or transmitted via Emerson College's approved file storage system (Google Drive), encrypted Emerson Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College-owned equipment. Data stored by external partners MUST be encrypted at all times. Printing of High Risk data is strongly discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. All high-risk data, whether printed or electronic, must be securely destroyed when no longer in use or required for retention by the College. |
| Moderate Risk | Emerson College IT Department approved encryption is REQUIRED when transmitting any information over a network. Third-party email or file transfer services are prohibited when transmitting Moderate Risk information. Moderate Risk numbers/data may be redacted instead of encrypted. | Moderate Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All Moderate Risk data should be stored and/or transmitted via Emerson College's approved file storage system (Google Drive), encrypted Emerson Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College-owned equipment. Data stored by external partners MUST be encrypted at all times. Printing of Moderate Risk data is discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. All moderate risk data, whether printed or electronic, must be securely destroyed when no longer in use or required for retention by the College. |