Data Security Policy

Background

Davidson College has adopted this Data Classification and Security Policy to (i) identify certain categories of data that Davidson owns, hosts, stores, processes, or is otherwise responsible for protecting and (ii) set expectations and restrictions for the storage, dissemination and protection of data by category.

Purpose

This policy regulates a wide range of data (“Davidson data”), including but not limited to:

Administrative data include data that supports the functions, business and operations of the college, and is non-instructional in nature. This includes financial, personnel, facilities, advancement and related records.
Education records include data that pertain to a student’s academic performance or progress or to many aspects of their residential life on campus. It also includes admissions-related information and financial information, including financial aid and tuition billing information.
Research data includes data relevant to funded or unfunded research activities where Davidson has an explicit or implicit requirement to ensure that data remain confidential and protected.

This policy does not include instructional materials prepared by faculty; the personal data owned by students or employees; or other data where the College does not own the information or have legal liability or reputational risk if the data are breached or accessed improperly.

Policy

Davidson data are intended solely for the authorized use by employees to conduct Davidson business.

Some Davidson information is protected by law, regulation, contract, or Davidson policy in ways that restrict its use, access, download and sharing.
Davidson manages data in accordance with its data classification, described below. Legal Services or the information security program manager can advise employees and departments as to the appropriate classification of data.
All employees are responsible for ensuring they are accessing, using and storing data in accordance with Davidson policy. This includes only using systems, services, devices and other technology appropriate to the security requirements of certain data classifications.
This policy designates employees with access to Davidson data as members of one of several roles as defined by the Data Governance Committee: data consumers, managers, stewards, or trustees. These roles are defined in the appendix of this policy.
Employees are responsible for immediately notifying their supervisor and the Technology & Innovation Support Center if they believe any Davidson data (including devices or systems containing such data) have been lost, stolen, altered/destroyed, or made available for unauthorized access. (If a device has been lost/stolen, employees must also report this to Public Safety.)

All Davidson data meet one of four classifications, each with more stringent requirements for the storage, use and protection of such data:

Public: Any data that is permitted to be shared freely with all members of the campus and the general public.
Internal: Data that Davidson chooses to restrict to internal access, but where disclosure would not violate state or federal laws or cause reputational harm. Internal data always require a Davidson login to access, but are typically shared widely such as with all community members, all employees, all staff in a division, etc.
Restricted: Data that must be shared only with specific individuals who have a business need to access, and where breach or inadvertent disclosure would impact Davidson’s reputation or violate educational privacy requirements (FERPA).
Confidential: Data the breach or inadvertent disclosure of which would violate state or federal privacy or data security laws (including certain research grant obligations) and may involve civil or criminal penalties. These data may be shared only with specific individuals who have a business need to access. Includes data protected by Gramm-Leach-Bliley, HIPAA, the NC Identity Theft Act, or similar laws.

For more details on the classifications, please see the sections below.

Administration of Policy

Public Data

Definition	Any data that is permitted to be shared with all members of the campus and the general public.
Examples	Material authorized for public websites (www.davidson.edu or Davidson Domains), Library government documents, public event calendar.
Where Data May be Stored and Processed	Any Davidson-approved technology service.
Shareable with External Users or Vendors?	Yes
Storable on Davidson-Managed Laptops, Desktops and Devices?	Yes
Storable on Employee-Owned Laptops, Desktops and Devices or Cloud Services?	Yes

Internal Data

Definition	Data that Davidson chooses to restrict to internal access, but where disclosure would not violate state or federal laws or cause reputational harm. These data require a Davidson login to access but are often shared with broad groups of campus users (such as all students and/or all employees, or specific divisions, departments or committees.)
Examples	Building floor plans, internal policies, licensed Library databases, public computer workstations, internal campus-only event calendar.
Where Data May be Stored and Processed	Any Davidson-approved technology service requiring a Davidson login.
Shareable with External Users or Vendors?	With permission of manager/supervisor.
Storable on Davidson-Managed Laptops, Desktops and Devices?	Yes
Storable on Employee-Owned Laptops, Desktops and Devices or Cloud Services?	Yes

Restricted Data

Definition	Data that may be shared only with specific individuals who have a business need to access, and where breach or inadvertent disclosure would impact Davidson’s reputation or violate educational privacy requirements (FERPA).
Examples	Most educational records (FERPA), personnel records, alumni/donor records, departmental budgets, employee salaries, most research data (varies by grant requirements). excluding Confidential data elements
Where Data May be Stored and Processed	Google Drive, Moodle, Banner, OnBase, Blackbaud CRM, Office 365 email (use caution), and any other Davidson IT service authorized for Restricted data.
Shareable with External Users or Vendors?	With permission of data steward.
Storable on Davidson-Managed Laptops, Desktops and Devices?	Yes; whole drive encryption preferred.
Storable on Employee-Owned Laptops, Desktops and Devices or Cloud Services?	Phones/mobile devices: Yes, if encrypted and passcode or biometric login enabled. Home computers: Minimize use and never store data here.

Confidential Data

Definition	Data whose breach or inadvertent disclosure would violate state or federal privacy or data security laws (including certain research grant obligations) and may involve civil or criminal penalties. These data must be shared only with specific individuals who have a need to access. Includes data protected by Gramm-Leach-Bliley, HIPAA, the NC Identity Theft Act, or similar laws.
Examples	Social Security Numbers, passport numbers, family/student income or tax data, combinations of sensitive personal identifiable information (SPII) regulated by law, protected health information (PHI), credit card data (PCI), sensitive FERPA/educational records (e.g., student health, counseling, Title IX), certain research data (varies by grant requirements).
Where Data May be Stored and Processed	Banner, OnBase, Blackbaud CRM, approved campus file servers, specially-requested Google Drive shared drives with special access rights not synced to workstations.
Shareable with External Users or Vendors?	Authorization of data steward and data trustee (usually VP/Division Head) required. Consult T&I Information Security.
Storable on Davidson-Managed Laptops, Desktops and Devices?	Not recommended (must discuss with T&I Information Security); device must have Davidson-managed whole-drive encryption enabled.
Storable on Employee-Owned Laptops, Desktops and Devices or Cloud Services?	Never

The CIO shall oversee this policy and review it at least once every two years. Changes to this policy shall be made in accordance with the college’s Policy on Policies.

Last Revised: April 2022

Appendix: Data Roles and Responsibilities

Program Manager, Information Security

The information security program manager implements policies and procedures to comply with the Family Education Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and others governing the treatment of individually identifiable information.

Data Trustees

Data Trustees are senior college staff members who have planning, policy-level and management responsibility for data within their functional areas. Data Trustee responsibilities include:

Assigning and overseeing Data Stewards and Managers
Remaining aware of the legal and regulatory requirements for data in their areas
Ensuring that data policies are established, and kept up to date, in their areas and if appropriate, delegating such responsibility
Promoting appropriate use, data integrity, and data quality

Data Stewards

Data Stewards are college staff members having direct operational-level responsibility for the management of one or more types of data in their area. Data Stewards are assigned by the Data Trustee and are generally associate deans, associate vice presidents, directors or key technical staff.

Data Steward responsibilities include:

The application of policies to the systems, data, and other information resources under their care or control
Overseeing the establishment of data policies in their areas
Understanding legal and regulatory requirements for data in their areas
Classifying data using the College's data classification system
Identifying safeguards for Restricted and Confidential data
Promoting appropriate use, data integrity, and data quality
Attend the data governance committee operational meetings or send an appropriate data manager delegate

In some cases Data Stewards will also be responsible for Data Manager tasks. In areas with more staff Data Managers may work alongside Data Stewards with responsibility over the same data set.

Data Managers

Data managers are college staff members who are responsible for day-to-day operational data collection and management, overseeing the life cycle of a particular set of institutional data. They have the authority from the data steward and/or data trustee to grant internal access to data for their functional area. Data managers are generally managers of data systems or data analysts within business departments.

Data Manager responsibilities include:

Implementing the established data policies in their areas
Developing data definitions and standards for data elements in their functional area
Regularly striving to improve the way data is defined, produced, and used in their functional area
Resolving data quality issues pertaining to data in their functional area
Safeguarding data by ensuring appropriate access, following established authorization procedures, and maintaining physical and system security appropriate to the classification level of the data in their custody
Following data handling and protection policies and procedures established by Data Stewards and information security
Communicating and providing education on the required minimum safeguards for protected data to authorized data users
Supporting access by providing appropriate documentation and training to data consumers
Promoting appropriate use, data integrity, and data quality
Attend Data Governance Committee operational meetings as requested by the committee and/or Data Steward

Data Consumers

Data Consumers are the individual college community members who have been granted access to college data in order to perform assigned duties or in fulfillment of assigned roles or functions at the college. This access is granted solely for the conduct of college business.

Data Consumer responsibilities include:

Following the policies and procedures established by the relevant Data Steward and information security team
Complying with federal and state laws, regulations, and policies associated with the college data used
Applying safeguards prescribed by appropriate data steward for Restricted and Confidential data
Reporting any unauthorized access or data misuse to information security or the appropriate Data Steward for remediation