POLICY TITLE: DATA SECURITY POLICY
POLICY NUMBER: 8.2
POLICY SECTION: INFORMATION TECHNOLOGY
EFFECTIVE: January 1, 2006
REVISED: October 23, 2007
This policy defines the guidelines for the security and confidentiality of data maintained by the Community College of Rhode Island (CCRI), both in paper and electronic form. This policy also informs each person who is entrusted to access student, employee and/or institutional data of their responsibilities with regard to confidentiality and safeguarding CCRI data.
All custodians and guardians of administrative data are expected to mange, access, and utilize the data in a manner that maintains and protects the security and confidentiality of that information.
There are two primary categories of data-handling and access defined in this policy.
Data custodians function as gatekeepers for the data that is collected and maintained by individuals in their divisions. Custodians are responsible for establishing access procedures for the administrative data available in their area and for approving access requests for that data. The table below indicates the administrative areas that maintain the college’s primary data stores and the respective data custodians.
|Administrative Area||Data Custodian|
|Alumni and Development Data||President|
|Financial Data||Vice President, Finance and Strategy|
|Financial Aid Data||Vice President, Student Affairs|
|Human Resources Data||Vice President, Finance and Strategy|
|Information Technology Data||Vice President, Finance and Strategy|
|Student Services Data||Vice President, Student Affairs|
A data guardian is defined as anyone who, as a function of their position at CCRI, possesses or has access to CCRI administrative data, either electronic or otherwise. Guardianship and its associated responsibilities apply to individuals who dispense or receive data.
Department heads are responsible for signing off on data access requests for employees under their supervision.
College employees, or others who are associated with the college, who request, use, possess, or have access to college administrative data must agree to adhere to the protocols outlined above. In addition, guardians, custodians and data users are prohibited from:
In assuming responsibility for the interpretation and use of college administrative
data, guardians are expected to recognize the potential serious consequences of their
improper guardianship. Improper maintenance, disposal, or release of college administrative
data exposes the college to significant risk, including lawsuits, loss of employee
and student trust, and loss of funding.
Guardians who are found in violation of this policy will be subject to CCRI disciplinary processes and procedures including, but not limited to, those outlined in the Student Handbook, the CCRI Employee Handbook, and any applicable bargaining unit contracts. Illegal acts may also subject users to prosecution by local, state, and/or federal authorities.
College employees, or others who are associated with the college, who request, use, possess, or have access to college administrative data
This policy does not prevent the release of institutional data to external organizations or governmental agencies as required by legislation, Regulation, or other legal vehicle.
Questions regarding this policy or the application of this policy to a specific situation should be referred to the Executive Director & Chief Information Officer, Information Technology. Changes to this policy will be authorized by the approval of the CCRI Institutional Technology Advisory Committee and the President’s Council.