Office of Origin: Information Technologies
Date Adopted: 10-22-2013
Last Date Modified & Approved:
Institutional data is defined as all data created, collected, maintained, recorded or managed by Lake Michigan College (the College), its staff, and agents working on its behalf. The College collects a wide variety of institutional data for multiple purposes, including data used for planning, managing, operating, controlling, or auditing College functions, and data used for compliance reporting. Institutional data also includes research data that contains personally identifiable subject information and proprietary College information and trade secrets.
Institutional data is considered to be an organizational asset and is therefore owned and managed by the College. The purpose of this policy and its accompanying procedures is to help ensure the protection of the College’s institutional data from accidental or intentional unauthorized access, damage, alteration or disclosure while preserving the ability of authorized users to access and use institutional data for appropriate purposes, and to set guidelines for publishing hypotheses derived from institutional data.
1) College administration is responsible for identifying authorized users and may limit the distribution of institutional data at its discretion.
2) The College will establish appropriate procedures to collect, maintain, and protect institutional data. These procedures are intended to protect the privacy of its students, faculty, staff, and patrons to the greatest extent possible, as well as to advance the mission of the College using institutional data.
3) College employees working with or using institutional data in any manner must comply with all federal, Michigan, and other applicable laws. Examples include the federal Family Education Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA), and the College’s Policy on Responsible Use of Computing Resources.
4) College employees are responsible for ascertaining, understanding, and complying with all laws, rules, policies, standards, contracts and licenses applicable to their own and their subordinates' specific uses of institutional data.
5) All published findings or hypotheses shared with external parties must be approved in advance by the Office of Institutional Research.
6) Data will at all times be used in an ethical manner that represents the best interest of the student and the mission of the College.
7) All institutional data must be managed and maintained in accordance with the College’s Records Retention policy.
8) All requests for institutional data received under the Freedom of Information Act must be directed to the Vice President of Administrative Services for action.
Data Use Classifications:
College employees authorized to use institutional data must understand and fulfill the responsibilities associated with their assigned level of access to institutional data. These responsibilities are assigned by role as follows:
a) Data Trustee – a senior College administrator with management and policy responsibilities.
b) Data Steward – a College employee with direct operational responsibility for the collection, storage, retrieval, and protection of any type of institutional data.
c) Data Custodian – a College unit or employee responsible for the operation and management of systems and servers which collect, manage, and provide access to institutional data.
d) Data User – a College unit or employee using institutional data in the authorized conduct of College business.
Data roles are indicated in each individual job description. Within one year of the date of approval of this policy, all employee job descriptions will identify the associated Data Use Classification. All new positions created after the date of approval of this policy must have a Data Use Classification assigned prior to hire.
The College’s institutional data is classified as one of the following categories. The Data Classifications are assigned by the College’s Data Security Team and approved by the President.
a. Public - Data intended for broad distribution in support of the College's mission and/or freely available to any person or organization with no restrictions.
b. Limited Access - Data available without restriction but whose integrity must be carefully maintained.
c. Restricted - Data protected or regulated by law or data that is sensitive to College operations including personal identifying information such as social security numbers, credit card numbers, personally identifiable healthcare data and student records, proprietary information, and trade secrets.
All data roles are responsible for classifying institutional data under their stewardship and managing it accordingly. This responsibility includes assessing the level of security required for confidential or sensitive information, controlling access to data appropriately, and informing those under their supervision of their responsibility to protect the data that individual employees are authorized to view, access, maintain, or distribute.
Restricted Data Requirements:
While all institutional data should be protected, Restricted Data must be given the utmost protection. To help ensure this, at a minimum, Restricted Data must:
be encrypted if stored or used on portable devices, if removed from a College location, or if electronically transmitted. At a minimum, 128-bit encryption must be used with a nontrivial password.
never be stored on a personally-owned computer or storage device.
not be stored or used by a non-employee without a contractual agreement to provide appropriate protection to the same standards used by the College.
Breaches, losses, or unauthorized exposures of Restricted Data must be immediately reported to the Executive Director of Information Technology, who will inform the Vice President of Finance for action.
Other Data Requirements:
Data Trustees, Data Stewards, Data Custodians, or specific College units may have additional policies covering institutional data within their areas of operational or administrative control. Consult your supervisor, unit management, or the appropriate data trustee, data steward, or data custodian if further information is needed.
College employees must report actual or suspected criminal activity associated with any institutional data to the Executive Director of Information Technology, who will inform the Vice President of Finance for action and coordination, if required, with law enforcement agencies. In a perceived emergency situation, College administration may take immediate steps, including denial of access to the College’s network and institutional data as well as seizure and quarantine of College-owned data processing and storage assets, to ensure the integrity of College data and systems and to protect the College from liability.
College employees or non-employees acting on behalf of the College who violate this policy may be denied access to institutional data and may be subject to other penalties and disciplinary actions, up to and including termination.
Responsibility: Executive Director, Information Technology
References: Red Flag; Social Security Numbers; Acceptable Use Policy