Trinity College Data Security and Privacy Protection Policy

APPLICATION: This policy applies to all individuals who collect, use, or share college information. Those individuals include, but are not limited to, staff, faculty, those working on behalf of the college, and individuals authorized by affiliated institutions and organizations.

ISSUED: 5/23/2018

DATA PROTECTION OFFICER: Chief Information Security Officer

Purpose

Trinity College seeks to ensure that its treatment and use of personally identifiable information and other sensitive information complies with all applicable statutes and regulations while demonstrating the college’s commitment to maintaining its confidentiality and integrity.

Policy Statement

Scope

This policy governs information that the college or authorized agents collect, use electronically or physically, and share with others.

The collection, retention and release of some information may be covered by law or regulation, including but not limited to the Family Educational Rights and Privacy Act (“FERPA”), the Health Insurance Portability and Accountability Act (“HIPAA”), and the European Union General Data Protection Regulation (“EU GDPR”), and this policy is not meant to supersede requirements related thereto.

For the sake of this policy, personally identifiable information (“PII”) is any non-public information that can identify or provide information about an individual.

Data Classifications

Public
This is defined as information that is generally available to anyone within or outside of the College. Access to this data is unrestricted, may already be available, and can be distributed as needed. Public data includes, but is not limited to: fundraising materials, admission recruiting materials, information posted on public web pages, and directory information. This data can be used and stored on any college managed system without additional safeguards in places.

Confidential
This is information that may be considered damaging if released. Confidential data examples include financial records and all PII not considered Restricted. Confidential data can only be collected, used, or stored in approved systems or encrypted workstations. This data cannot be shared outside the college without approval of the DPO and notification to the General Counsel.

Restricted
This is defined as highly sensitive data, which if leaked, has a moderate to high risk on privacy, safety, or financial situation. Restricted data includes, but is not limited to: social security numbers, HIPAA data, credit card data, and controlled unclassified information. Restricted data can only be collected, used, or stored in systems approved by the DPO. This data cannot be shared with new people inside the organization or outside the organization without approval of the DPO and notification to the General Counsel.

Data Collection

Confidential and Restricted information may only be collected by authorized personnel where it is specifically needed for a legitimate college business requirement or to meet a statutory or regulatory requirement. The college strongly discourages the collection or retention of this information except where absolutely necessary and no other alternative exists.

Data Sharing

Confidential and Restricted data may only be released or provided to others on a need to know basis in compliance with the required approvals above. As a condition to receiving such information, all recipients must agree to the terms of this policy. (e.g., vendors)

Protection of Confidential and Restricted Data

  • Management is responsible for ensuring that their direct reports understand the scope and implications of this policy.
  • HR is responsible for ensuring that all employees acknowledge receipt of this policy.
  • Individuals contracting with third parties must ensure that appropriate provisions exist in agreements to maintain the confidentiality and integrity of the data in compliance with applicable laws and regulations.
  • Personal account passwords should never be shared. Individuals are held accountable for all activity performed with their accounts in accordance with our Computer Use Policy.
  • Any authorized party who collects or generates new data must classify that data according to the criteria outlined above and notify the DPO to ensure appropriate tracking and protection.
  • Confidential and Restricted data protection should be based on the following security principles
    • Risk Assessment – appropriate protections should be defined based on the perceived risk to the data and possible harm due to unauthorized disclosure.
    • Least Privilege – individuals should only be given the access that they need to complete their assigned duties
    • Need to know – individuals should only be aware of information that they must know to complete assigned their duties

  • Any person in possession of Confidential and Restricted data shall safeguard the data to the best of their ability and shall destroy, erase or make unreadable such data in whatever form it exists prior to disposal in accordance with Trinity’s Record Retention Policy.
  • Confidential and Restricted data cannot be saved to personal equipment.
  • Confidential and Restricted data in paper or physical form shall be kept in closed, secured cabinets or rooms.
  • Any constituent who discovers possible evidence of a violation of this policy or possible breach or release of Confidential and Restricted data shall immediately notify the DPO and take care to preserve any and all evidence of such incident. Upon confirmation of a breach or unauthorized disclosure of confidential or restricted data, the DPO shall initiate a security incident in adherence with the information security incident response procedure.
  • All college managed systems will be scanned for confidential and restricted data to help ensure compliance with the standards set above. If confidential or restricted data are found on a system, the user must delete the data if no longer necessary, or move the data to an approved location. (e.g., encrypted hard drive or file share)
  • Information security and privacy staff will monitor for unauthorized activity and update requirements where appropriate.

European Union General Data Protection Regulation (EU GDPR)

For additional guidance specific to GDPR, please refer to Exhibit A: Trinity College European Union General Protection Regulations (EU GDPR) Policy.

Policy Enforcement

Staff, faculty, or students found in violation of this policy may be adjudicated per their respective handbooks.

Questions, comments, or concerns regarding this policy or the protection of data should be directed to the Data Protection Officer at DPO@trincoll.edu.