
Institutional Data Management

Office of Origin: Institutional Research
Responsibility: Chief Information Officer
Original Date Adopted: 10-22-13
Dates Reviewed: 9-18-18, 5-21-24, 2-24-26
Last Date Board Approved: 2-24-26


Institutional data is defined as all data created, collected, maintained, recorded or managed by Lake Michigan College (the College). The College collects institutional data for multiple purposes, including data used for planning, managing, operating, controlling, or auditing College functions, and compliance reporting. Institutional data also includes research data that contains personally identifiable subject information and proprietary College information and trade secrets. Institutional data is an organizational asset and therefore owned and managed by the College.

This policy and accompanying procedures articulate the protection of institutional data from accidental or intentional unauthorized access, damage, alteration or disclosure while preserving the ability of authorized users to access and use institutional data for appropriate purposes and setting guidelines for publishing and reporting institutional data.

  1. Cabinet is responsible for identifying authorized users and may limit the distribution of institutional data at its discretion.
  2. The College will establish appropriate procedures to collect, maintain, and protect institutional data. These procedures are intended to protect the privacy of its students, faculty, staff, and patrons to the greatest extent possible, as well as to advance the mission of the College using institutional data.
  3. Employees working with or using institutional data in any manner must comply with all federal, Michigan, and other applicable laws. See the References section for examples.
  4. Employees are responsible for determining, understanding, and complying with all laws, rules, policies, standards, contracts, and licenses applicable to their own and their subordinates' specific uses of institutional data.
  5. All data shared with anyone outside of the College must be approved by the supervisor.
  6. All published findings or hypotheses shared with outside organizations, not including federal, state, or local agencies, must be approved in advance by the Institutional Review Board.
  7. Data will at all times be used in an ethical manner that represents the best interest of the students, employees, and the College.
  8. All institutional data must be managed and maintained in accordance with the Record Retention policy.
  9. All employees are responsible for understanding the types of institutional data under their stewardship and managing it accordingly. This responsibility includes assessing the level of security required, controlling access to data appropriately, and informing those under their supervision or their responsibility to protect data that individual employees are authorized to view, access, maintain, or distribute.

Restricted Data Requirements

While all institutional data should be protected, restricted data must be given the utmost protection. 

Restricted Data is a category of institutional data that, if improperly accessed, disclosed, altered, or destroyed, could result in significant risk to the College, its students, employees, or partners. It specifically includes (but is not limited to):

  • Personally Identifiable Information (PII), such as Social Security Numbers, driver’s license numbers, passport numbers, etc.
  • Protected Health Information (PHI), as defined by HIPAA.
  • Student education records that are protected under FERPA.
  • Payment card information (PCI), such as credit or debit card numbers.
  • Authentication information, such as usernames, passwords, PINs, and answers to security questions.
  • Research data containing identifiable subject information.
  • Confidential College Information, which is information that is not subject to the Freedom of Information Act (FOIA); see the Freedom of Information Act policy.

To ensure this protection, at a minimum, restricted data must be:

  a. Stored and shared on a protected College internal drive or intranet site (e.g., Employee Portal – aka SharePoint, MS Teams, etc.) and available only to those who have a need to know.
  b. Encrypted if placed, stored, or used on portable devices (such as a flash/thumb drive or external hard drive) or if electronically or otherwise transmitted.
  c. Never stored on a personally owned electronic device (such as a computer, tablet, phone, flash drive, external drive, etc.).
  d. Never provided to or stored or used by a non-employee or College contracted worker without a signed non-disclosure agreement to provide protection to the same standards as College employees.
  e. Kept in locked cabinets or secure storage rooms with access limited to only authorized personnel if the restricted data exists as hard copy paper files. Paper files must not be left unattended on desks, printers, or other unsecured areas.
  f. Destroyed using shredding or secure document destruction services when no longer required in accordance with the Record Retention policy.

Breaches, losses, or unauthorized exposures of restricted data must be immediately reported to IT.

Other Data Requirements

Specific College units may have additional policies covering institutional data within their areas of operational or administrative control. Consult your supervisor or the unit’s management if further information is needed.

Employees must report actual or suspected criminal activity associated with any institutional data to HR and IT for action and coordination, if required, with law enforcement agencies. In a perceived emergency situation, College administration may take immediate steps, including denial of access to the College network and institutional data as well as seizure and quarantine of College-owned data processing and storage assets, to ensure the integrity of data and systems and to protect the College from liability.

Enforcement

Employees or non-employees acting on behalf of the College who violate this policy may be denied access to institutional data and may be subject to other penalties and disciplinary actions, up to and including termination.

References:

Acceptable Use of Technology 
Conflict of Interest – Employee policy
Employee Compliance with Requirements of External Organizations policy
Family Education Rights to Privacy Act (FERPA) policy
Freedom of Information Act policy
Health Insurance Portability and Accountability Act (HIPAA) policy
Identity Theft Prevention and Red Flag Rules policy
Protection of Human Subjects in Research policy
Record Retention policy
Social Security Number policy

 
