College Data is a valuable asset to all constituencies at Emerson College. (students, faculty, staff, etc.) and requires the coordinated use of significant resources (funds, space, technology, etc.) involving all operations of the College. College Data enables the institution to assess the needs of the College community and to manage and modify its services and operations accordingly. It is vital not only in the day-to-day operations of the College but to short-term and long-term planning, and it serves as the basis for internal and external reports.
Appropriate and timely access to College Data is critical for the efficient and effective operation of the College. Controlling access to College Data and keeping data confidential is also important to protect the College from accidental loss or destruction of data, liability, and acts of malice.
The objectives of this policy are to:
- Detail responsibilities for managing College Data;
- Establish a framework for standards and guidelines to be followed in the creation of data storage, destruction, and access mechanisms.
This policy is applicable to all individuals accessing College Data (Users of College Data).
Nothing in this policy precludes or addresses the release of College Data to external organizations, governmental agencies, or authorized individuals as may be required by legislation, regulation, or other legal obligation.
For purposes of this policy, the following definitions apply:
- Access – the ability to read, copy, modify, delete, or query data.
- College Data – Data that is created, acquired or maintained by the College. College Data includes, but is not limited to, Data that is: (a) acquired and/or maintained by College employees in the performance of administrative job duties; (b) relevant to planning, managing, operating, or auditing a major function at the College; or (c) referenced or required for use by more than one organizational unit. College Data may reside on College-owned systems or systems owned by third parties.
- Users of College Data - any person extended access and use privileges to College Data. Includes students, faculty, visiting faculty, staff, volunteers, alumni, persons hired or retained to perform work for the College, and any other person extended access and use privileges by the College under contractual agreements or otherwise.
- Data Custodians – College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination.
- Data Stewards – College officials who have policy-level responsibility for managing a segment of College Data.
- Personal Information – Per the Massachusetts regulation for Personal Information and Breach of Security, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security Number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number (“PIN”), or password that would permit access to a resident’s financial account. The term “personal information” does not include that information which is lawfully obtained from publicly available information (such as addresses or birthdays), or from federal, state, or local government records lawfully made available to the general public.
- Health Information – health data created, received, stored, or transmitted in relation to the provision of healthcare, healthcare operations and payment for healthcare services.
Statement of Policy
Regulations, Statutes, and Policies
Responsibility for and access to College Data is governed by the following policies and legal statutes:
- Massachusetts Data Protection Law
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm Leach Bliley Act (GLBA)
- European Union General Data Protection Regulation (GDPR)
- Payment Card Industry (PCI) Data Security Standard
- Emerson College Written Information Security Policy
- Emerson College Records Management Policy
- Emerson College Conflict of Interest Policy
- The College as an organization owns its data (or in some cases, such as with Social Security numbers or other personal data, is the custodian of data), and specific departments and positions in the roles of Data Stewards are responsible for different segments of that data. Those departments and Data Stewards shall define how the assigned data is managed within the scope of the legal and regulatory obligations.
- Data Stewards are responsible for:
- Assigning Data Custodians in their respective area(s), the current status of which is documented in Exhibit 2.
- Enforcing the requirements of this policy.
- Setting additional/internal standards, procedures, and expectations for how Data Custodians handle College Data. Data Stewards are empowered to determine if their data was handled appropriately by their designated Data Custodians.
- Data Custodians will authorize access to College Data only on a need-to-know-basis. Individuals seeking access will submit a request for approval to the appropriate Data Custodian that has responsibility for the data at issue.
- Data Custodians will grant access to College Data for legitimate College purposes according to the classification of the data being requested and the internal expectations set by their Data Steward. The method of transmittal of any College Data must be in compliance with the College's Data Classification Guideline (Exhibit 3).
- Users of College Data shall respect the confidentiality and privacy of individuals whose records they may access, and shall abide by applicable laws and College policies (listed in Section 4) with respect to access, use, protection, proper disposal, and disclosure of data.
- To the extent that the law permits, as determined by the Office of General Counsel, Data Stewards reserve the right to deny access to any person or organization to College Data for any reason.
- See the Records Management Policy for data retention requirements, schedules, and practices.
The Senior Associate Vice President for Information Technology shall ensure compliance with this policy. Data Stewards and Data Custodians shall implement the policy as described above.
Violations of this policy may result in disciplinary action, in accordance with Emerson College's Human Resources and/or Student Conduct policies and any additional collective bargaining agreements. Please review HR's Service Center for details regarding Emerson College's disciplinary process, and the Code of Community Standards.
This policy is effective as of April 2nd, 2020.
- Exhibit 1: Data Stewards
- Exhibit 2: Data Custodians
- Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements
Exhibit 1: Data Stewards
Data Stewards are College officials who have policy-level responsibility for managing a segment of the College's data. Data Stewards designate (or in some cases, act as) Data Custodians by functional area and data area.
The College has designated the following Data Stewards (by title):
- Vice President and Special Assistant to the President
- Provost and Vice President for Academic Affairs
- Vice President for Administration and Finance
- Vice President for Enrollment
- Vice President for Institutional Advancement
- Senior Associate Vice President for Information Technology
- Vice President and General Counsel
- Vice President of Enrollment
- Vice President & Dean of Campus Life
- Vice President for Office of the Arts
- Vice President for Government and Community Relations
Exhibit 2: Data Custodians and Functional Areas
Data Custodians are College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination. Data Stewards designate Data Custodians by functional area and data area. New designees must be submitted in writing to the Senior Associate Vice President for Information Technology, who is the Responsible Officer for this Policy, and must specify the Data Custodian by title and describe the functional and data areas for which the Data Custodian is responsible. It is recommended, but not required, that responsibilities as Data Custodian be added to the official position description of that Designee.
The following positions have been designated as Data Custodians. Note that to the extent that there are overlaps or gaps, please interpret this list as illustrative and not exhaustive.
|Functional Area and Data Areas||Data Custodians|
Academic Affairs budget data
Academic Affairs compensation data
|Assistant Vice President Academic Administration & Finance
Faculty resources data
Faculty union data
|Assistant Vice President for Academic Affairs
Learning management system data
|Director, Instructional Technology Group
Athletics operations data
NCAA student athlete data
Recreation services data
|Director of Athletics
|Board of Trustees
Board of Trustees data
|Vice President and Special Assistant to the President
College budget data
|Director, Budget and Planning
New Student Orientation data
Student conduct records
Student communications data
Student health and wellness data
|Vice President and Dean of Campus Life
|Communications and Marketing
Communications and marketing data
|Associate Vice President, Communication and Marketing
Student diversity data
Student academic records
Student accounting data
Student immigration and visa data
Undergraduate biographic/demographic data
|Assistant Vice President, Enrollment Technology and Data
Architecture, engineering, and construction data
Business Services data
Facilities/management space data
Parking operations data
Real estate data
|Interim AVP of Facilities Management
Emergency response and communication plans
Insurance plans and claims
Training compliance records
Debt issuance data
Treasury services data (banking and tax data)
|Director, Treasury Services and Risk Management
Capital assets data
General ledger data
Accounts receivable data
|Financial Business Services
Time tracking and absence data
|Associate Vice President, Financial Business Services
Data produced pursuant to legal requests or eDiscovery
Miscellaneous legal advice and communications
|Vice President and General Counsel
|Graduate and Professional Studies
Graduate Studies data
Professional Studies data
|Dean, Graduate and Professional Studies
|Health and Wellness
Protected Health Information
|Associate Dean & Director of Counseling, Health, & Wellness
Employee biographic/demographic data
Employee personnel data
Labor relations data
|Senior Associate Vice President, Human Resources
Information Technology data
|Senior Associate Vice President, Information Technology
College donor and prospect data
Data supporting charitable gift trusts and annuities
|Vice President for Institutional Advancement
|Internationalization and Global Engagement
External Programs data
|Associate Vice President for Academic Affairs - Internationalization & Global Engagement
|Kasteel Well, The Netherlands
European Center staff and program data
|Executive Director, European Center
|Institute of Liberal Arts and Interdisciplinary Studies
|Dean of Liberal Arts and Interdisciplinary Studies
Los Angeles program data
|Associate Dean for Student Life & Administration, Emerson College Los Angeles
Internal affairs data
|Chief of Police
|School of the Arts
School of the Arts data
|Dean, School of the Arts
|School of Communication
School of Communication data
|Dean, School of Communication
Social Justice Center
|Vice President of Enrollment
|Student Financial Services
Financial aid data
|Director, Financial Aid
Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements
The table below lists the categories of data and examples. Any data that falls into multiple categories should be considered of the higher security category for protection purposes. If you have questions about a classification of data, contact your Department Records Officer or the Director of Information Security and IT Infrastructure.
|Data Classification||Risk Level||Description||Examples|
|High Risk (PII, GLBA, PCI, and PHI Data)||High||Data whose loss, corruption, or unauthorized access would pose an extreme identity or financial risk to the College, a school partner, or the public and may require notification of a governmental regulator and/or affected users.||
|Moderate Risk||Medium||Data whose loss, corruption, or unauthorized access would impair the academic, research, or business functions of the College or is not available to the general public.||
|Low Risk||Low to None||Data to which the general public has access||
Data Transmittal and Storage
All members of the Emerson College community and its working partners are responsible for the proper handling, transmittal and storage of College Data. All individuals and departments must follow the policies and procedures of the College to ensure that data is protected and used properly. Any partner, consultant, or vendor that needs access to or shares any non-public College Data must sign a Third Party Data Security Agreement.
Below is the Data Transmission and Storage Table by which all members of the Emerson College community, all working partners, vendors and consultants must abide when transmitting and storing College Data.
|Data Classification||Data Transmission||Data Storage|
|High Risk (PII, GLBA, PCI, and PHI Data)||
Emerson College IT Dept. approved encryption is REQUIRED when transmitting any information over a network. Third party email or file transfer services are prohibited when transmitting High Risk information. High Risk numbers/data may be redacted instead of encrypted.
High Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All High Risk data should be stored and/or transmitted via Emerson College's approved file storage system (Box), encrypted Emerson Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College owned equipment. Data stored by external partners MUST be encrypted at all times. Printing of High Risk data is strongly discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. All high risk data, whether printed or electronic, must be securely destroyed when no longer in use or required for retention by the College.
Emerson College IT Department approved encryption is REQUIRED when transmitting any information over a network. Third party email or file transfer services are prohibited when transmitting Moderate Risk information. Moderate Risk numbers/data may be redacted instead of encrypted.
Moderate Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All Moderate Risk data should be stored and/or transmitted via Emerson College's approved file storage system (Box), encrypted Emerson Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College owned equipment. Data stored by external partners MUST be encrypted at all times. Printing of Moderate Risk data is discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. All moderate risk data, whether printed or electronic, must be securely destroyed when no longer in use or required for retention by the College.