Policy on the Protection of Confidential and Sensitive Information
Institutional information is stored in a variety of formats, including printed reports, paper documents and in electronic information systems. This networked environment also poses significant risk to the security of information. This policy covers the protection of information maintained by the College related to the business of the College and accessed by members of the College community.
This policy applies to all employees and students of Hamilton College.
Policy Revision History
Last revised, January 2016.
- Information maintained by Hamilton College is categorized into three levels: High (Confidential), Moderate (Sensitive) and Low (Public). High and moderate information must be protected from inappropriate use and disclosure.
- Employee and student information (other than directory information as published in the Hamilton College Directory) is High or Moderate and is protected by state and federal legislation and Hamilton College policies.
- Alumni directory and giving information is High or Moderate, and is protected by state and federal legislation and Hamilton College policies.
- Every employee (including student employees) accessing electronic information must use their assigned account and password. Passwords must NEVER be shared for any reason!
- Designated department employees (called data owners) are responsible for authorizing and monitoring access to confidential and sensitive data in their respective areas. Data owners work with LITS to promote this policy and assist users in their area with understanding the appropriate use of information resources.
- Printed reports containing High or Moderate data must be secured and appropriately disposed of when are no longer needed.
Institutional information is stored in a variety of formats, including printed reports, paper documents and in electronic information systems. Electronic information at Hamilton College is stored on central servers and on individual desktop or laptop computers. This networked environment poses significant risk to the security of information. Protecting this College resource is a shared responsibility between Library and Information Technology Services (LITS) and the individual users of that information. This policy covers the protection of information maintained by the College related to the business of the College and accessed by members of the College community.
Access to information will be authorized by the data owner or designee and centrally assigned by System Administrators in LITS. Access to institutional information will be assigned based on job responsibilities and on a ‘need to know’ basis.
Employees, including students, granted access to institutional data may do so only to conduct College business. In this regard, employees must:
- Respect the privacy of individuals whose records they access
- Observe ethical restrictions that apply to the data to which they have access
- Abide by applicable laws or policies with respect to access, use, or disclosure of information
Employees, including students, may not:
- Disclose data to others, except as required by their job responsibilities
- Use data for their own personal gain, nor for the gain or profit of others
- Access data to satisfy their personal curiosity
Employees and students who violate this policy are subject to the investigative and disciplinary procedures of the College.
Institutional information is any data related to the business of the College including, but not limited to, financial, personnel, student, alumni, communication, and physical resources. It includes data maintained at the department level as well as centrally, regardless of the media on which they reside.
The College recognizes institutional information as a College resource requiring proper management in order to permit effective planning and decision-making and to conduct business in a timely and effective manner. Employees are charged with safeguarding the integrity, accuracy, and sensitivity of this information as part of the condition of employment.
Access to institutional information is granted based on the employee’s need to use specific data, as defined by job duties, and subject to appropriate approval. As such, this access cannot be shared, transferred or delegated. Failure to protect these resources may result in disciplinary measures being taken against the employee, up to and including termination.
Requests for release of institutional information must be referred to the office responsible for maintaining those data. The College retains ownership of all institutional information created or modified by its employees as part of their job functions.
Institutional information is categorized as follows:
- HIGH - Information assets whose loss, corruption, or unauthorized disclosure would have SEVERE IMPACT to the Campus' reputation, cause financial loss or would result in regulatory or government sanctions such as violations of federal or state laws or security breaches that result in the compromise of customer or associate private information. Common examples include but are not limited to, banking and health information, credit card holder data, SSN’s, faculty and staff personnel records, and information systems’ authentication data.
- MODERATE - Information assets whose loss, corruption, or unauthorized disclosure would have LIMITED IMPACT to business functions but is otherwise private. Examples include contracts and legal information and institutional research data.
- LOW- Information assets whose loss, corruption, or unauthorized disclosure would have MINIMAL or NO IMPACT to business functions. Examples include sales and marketing strategies, web site content, building plans and promotional information, student directory information as prescribed by FERPA.
- Unclassified - Information assets that have not yet been classified. All information assets default to this state prior to classification.
- PROHIBITED - Information assets whose creation, storage, processing or transmission are not permitted.
Personal, business and giving information for alumni that resides in Hamilton databases and on the password protected “Alumni Directory” is confidential or sensitive. It is not to be communicated to anyone outside those employees of Hamilton College who have a “need to know” or use it for work related purposes or an authorized volunteer for the College who is cognizant of the fact that this information is confidential or sensitive and has agreed to protect it as such.
Directory information for faculty and staff as published in the Hamilton College Directory is public. Directory information will include the following: Name, department, position title, campus address, campus phone, email address. More extensive information will be available to Hamilton employees using their campus username and password, including: Name, home address, home telephone, department, position title, campus address, campus phone, email address, cell phone number and spouse/partner name. Employees may request that home address, home telephone, cell phone, spouse/partner information, and photo remain sensitive and not appear in any directory.
All other employee related data, especially that which is available to users outside Human Resources, such as social security number and birth date, must be safeguarded and treated as confidential or sensitive.
Public directory information as defined by the College includes: student’s name, campus address, class year, e-mail address, telephone listing, and photograph. Directory information is available for public consumption unless the student specifically directs that it be withheld by contacting the Office of the Registrar.
Data owners, or their designees, are responsible for authorizing access to sensitive information by employees. In the case of electronic information systems system administrators (also known as data custodians) in LITS will assign that access. Annually, data owners or their designees will be required to review a complete list of all system privileges assigned in their area.
Employees also have responsibility for securing data both while it is in use by authorized users and when it is stored (on or offline), printed, faxed or archived. Reports containing sensitive data must be secured within the office. Reports should not be left on the printer or desktop in open view. Any report that is no longer needed which contains sensitive data must be shredded or stored securely until it can be shredded.
Last updated: March 23, 2018