Purpose

College Data is a valuable asset to all constituencies at Emerson College. (students, faculty, staff, etc.) and requires the coordinated use of significant resources (funds, space, technology, etc.) involving all  operations of the College. College Data enables the institution to assess the needs of the College community and to manage and modify its services and operations accordingly. It is vital not only in the day-to-day operations of the College but to short-term and long-term planning, and it serves as the basis for internal and external reports.

Appropriate and timely access to College Data is critical for the efficient and effective operation of the College. Controlling access to College Data and keeping data confidential is also important to protect the College from accidental loss or destruction of data, liability, and acts of malice.

The objectives of this policy are to:

  • Detail responsibilities for managing College Data;
  • Establish a framework for standards and guidelines to be followed in the creation of data storage, destruction, and access mechanisms.

Scope

This policy is applicable to all individuals accessing College Data (Users of College Data).

Nothing in this policy precludes or addresses the release of College Data to external organizations, governmental agencies, or authorized individuals as may be required by legislation, regulation, or other legal obligation.

Definitions

For purposes of this policy, the following definitions apply:

  • Access – the ability to read, copy, modify, delete, or query data.
  • College Data – Data that is created, acquired or maintained by the College. College Data includes, but is not limited to, Data that is: (a) acquired and/or maintained by College employees in the performance of administrative job duties; (b) relevant to planning, managing, operating, or auditing a major function at the College; or (c) referenced or required for use by more than one organizational unit. College Data may reside on College-owned systems or systems owned by third parties.
  • Users of College Data - any person extended access and use privileges to College Data. Includes students, faculty, visiting faculty, staff, volunteers, alumni, persons hired or retained to perform work for the College, and any other person extended access and use privileges by the College under contractual agreements or otherwise.
  • Data Custodians – College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination.
  • Data Stewards – College officials who have policy-level responsibility for managing a segment of College Data.
  • Personal Information – Per the Massachusetts regulation for Personal Information and Breach of Security, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security Number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number (“PIN”), or password that would permit access to a resident’s financial account.  The term “personal information” does not include that information which is lawfully obtained from publicly available information (such as addresses or birthdays), or from federal, state, or local government records lawfully made available to the general public.
  • Health Information – health data created, received, stored, or transmitted in relation to the provision of healthcare, healthcare operations and payment for healthcare services.

Statement of Policy

Regulations, Statutes, and Policies

Responsibility for and access to College Data is governed by the following policies and legal statutes:

Data Stewardship

  • The College as an organization owns its data (or in some cases, such as with Social Security numbers or other personal data, is the custodian of data), and specific departments and positions in the roles of Data Stewards are responsible for different segments of that data.  Those departments and Data Stewards shall define how the assigned data is managed within the scope of the legal and regulatory obligations.
  • Data Stewards are responsible for:
    • Assigning Data Custodians in their respective area(s), the current status of which is documented in Exhibit 2.
    • Enforcing the requirements of this policy.
    • Setting additional/internal standards, procedures, and expectations for how Data Custodians handle College Data. Data Stewards are empowered to determine if their data was handled appropriately by their designated Data Custodians.

Data Custodianship

  • Data Custodians will authorize access to College Data only on a need-to-know-basis. Individuals seeking access will submit a request for approval to the appropriate Data Custodian that has responsibility for the data at issue.
  • Data Custodians will grant access to College Data for legitimate College purposes according to the classification of the data being requested and the internal expectations set by their Data Steward. The method of transmittal of any College Data must be in compliance with the College's Data Classification Guideline (Exhibit 3).

Data Handling

  • Users of College Data shall respect the confidentiality and privacy of individuals whose records they may access, and shall abide by applicable laws and College policies (listed in Section 4) with respect to access, use, protection, proper disposal, and disclosure of data.
  • To the extent that the law permits, as determined by the Office of General Counsel, Data Stewards reserve the right to deny access to any person or organization to College Data for any reason.
  • See the Records Management Policy for data retention requirements, schedules, and practices.

Compliance

The Senior Associate Vice President for Information Technology shall ensure compliance with this policy. Data Stewards and Data Custodians shall implement the policy as described above.

Violations of this policy may result in disciplinary action, in accordance with Emerson College's Human Resources and/or Student Conduct policies and any additional collective bargaining agreements. Please review HR's Service Center for details regarding Emerson College's disciplinary process, and the Code of Community Standards.

Effective Date

This policy is effective as of April 2nd, 2020.

Exhibits

  • Exhibit 1: Data Stewards
  • Exhibit 2: Data Custodians
  • Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements

Exhibit 1: Data Stewards

Data Stewards are College officials who have policy-level responsibility for managing a segment of the College's data. Data Stewards designate (or in some cases, act as) Data Custodians by functional area and data area.

The College has designated the following Data Stewards (by title):

  • Vice President and Chief of Staff
  • Provost and Vice President for Academic Affairs
  • Vice President for Administration and Finance
  • Vice President for Enrollment
  • Vice President for Institutional Advancement
  • Chief Information Officer
  • Vice President and General Counsel
  • Vice President of Enrollment
  • Vice President & Dean of Campus Life
  • Vice President for Office of the Arts
  • Vice President for Government and Community Relations
  • Vice President for Emerson Los Angeles

Exhibit 2: Data Custodians and Functional Areas

Data Custodians are College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination. Data Stewards designate Data Custodians by functional area and data area. New designees must be submitted in writing to the Senior Associate Vice President for Information Technology, who is the Responsible Officer for this Policy, and must specify the Data Custodian by title and describe the functional and data areas for which the Data Custodian is responsible. It is recommended, but not required, that responsibilities as Data Custodian be added to the official position description of that Designee.
The following positions have been designated as Data Custodians. Note that to the extent that there are overlaps or gaps, please interpret this list as illustrative and not exhaustive.

Data Custodians and Functional Areas
Functional Area and Data Areas Data Custodians
Academic Affairs
Academic Affairs budget data
Academic Affairs compensation data
Assistant Vice President Academic Administration & Finance
Patrice Ambrosia
Academic Affairs
Advising data
Curriculum data
Faculty resources data
Faculty union data
Assistant Vice President for Academic Affairs
Anne Doyle
Academic Affairs
Learning management system data
Director, Instructional Technology Group
Jennifer Stevens
Athletics
Athletics operations data
NCAA student athlete data
Recreation services data
Director of Athletics
Patricia Nicol
Board of Trustees
Board of Trustees data
Vice President and Chief of Staff
Anne Shaughnessy
Budget
College budget data
Director, Budget and Planning
John Richard
Campus Life
Housing data
Counseling data
New Student Orientation data
Student conduct records
Student communications data
Student health and wellness data
Vice President and Dean of Campus Life
James Hoppe
Communications and Marketing
Communications and marketing data
Vice President and Chief of Staff
(OPEN)
Enrollment
Student diversity data
Student academic records
Student accounting data
Student immigration and visa data
Undergraduate biographic/demographic data
Interim Vice President, Enrollment Management
Justin Sharifipour
Facilities Management
Architecture, engineering, and construction data
Business Services data
Facilities/management space data
Parking operations data
Real estate data
Associate Vice President, Facilities & Campus Services
Duncan Pollock
Finance
Emergency response and communication plans
Insurance plans and claims
Training compliance records
Debt issuance data
Treasury services data (banking and tax data)
Director, Treasury Services and Risk Management
Alan Bowers
Finance
Capital assets data
General ledger data
Accounts receivable data
Controller
Kristen Margarida Coulombe
Financial Business Services
Payroll data
Purchasing data
Time tracking and absence data
Associate Vice President, Financial Business Services
Loretta Bemis
General Counsel
Case files
Data produced pursuant to legal requests or eDiscovery
Miscellaneous legal advice and communications
Vice President and General Counsel
(OPEN)
Government & Community Relations
Government & Community Relations data
Director of Community Relations
Mary Higgins
Graduate and Professional Studies
Graduate Studies data
Professional Studies data
Interim Dean, Graduate and Professional Studies
Kimberly McLarin
Health and Wellness
Protected Health Information
Associate Dean & Director of Counseling, Health, & Wellness
Brandin Dear
Human Resources
Benefits data
Compensation data
Employee biographic/demographic data
Employee personnel data
Employment records
Labor relations data
Recruitment data
Chief Human Resources Officer
Jamie Montgomery-Hyde
Information Technology
Information Technology data
Chief Information Officer
Brian Basgen
Institutional Advancement
College donor and prospect data
Data supporting charitable gift trusts and annuities
Associate Vice President, Advancement Operations
Amy Tamburino
Internationalization and Global Engagement
External Programs data
Vice Provost, Internationalization & Equity
Anthony Pinder
Kasteel Well, The Netherlands
European Center staff and program data
Executive Director, European Center
Dulcia Meijers
Institute of Liberal Arts and Interdisciplinary Studies
Program data
Dean of Liberal Arts and Interdisciplinary Studies
Amy Ansell
Los Angeles
Los Angeles program data
Associate Dean for Student Life & Administration, Emerson College Los Angeles
Timothy Chang
Police Department
CLERY data
Enforcement data
Internal affairs data
Investigations data
Services data
Chief of Police
Robert Casagrande
Registrar
Registrar data
Registrar
Matthew Fabian
School of the Arts
School of the Arts data
Interim Dean, School of the Arts & Assistant Provost
Maria Koundoura
School of Communication
School of Communication data
Dean, School of Communication
Brent Smith
Social Justice Collaborative
Diversity & inclusion data
Title IX investigation data
Interim Vice President, Enrollment Management
Justin Sharifipour
Student Financial Services
Financial aid data
Assistant Vice President, Student Financial Services
Angela Grant

Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements

The table below lists the categories of data and examples. Any data that falls into multiple categories should be considered of the higher security category for protection purposes. If you have questions about a classification of data, contact your Department Records Officer or the Director of Information Security and IT Infrastructure.

Data Classification Guideline and Data Transmittal and Storage Requirements
Data Classification Risk Level Description Examples
High Risk (PII, GLBA, PCI, and PHI Data) High Data whose loss, corruption, or unauthorized access would pose an extreme identity or financial risk to the College, a school partner, or the public and may require notification of a governmental regulator and/or affected users.
  • Social Security Number
  • Credit/Debit Card Number
  • Bank/Financial Account Numbers
  • HIPAA or medical records
  • Passwords or Biometric data
  • Driver's License or State ID number
  • FERPA records
Moderate Risk Medium Data whose loss, corruption, or unauthorized access would impair the academic, research, or business functions of the College or is not available to the general public.
  • Student ID
  • Employee ID
  • HR Documents
  • College Proprietary Data or Intellectual Property
  • Copyrighted College or Student material
  • Board meeting minutes
  • Expense reports
  • Litigation materials
  • Software license numbers
  • College infrastructure plans
  • System configuration/log files
  • Training data
Low Risk Low to None Data to which the general public has access
  • Any data found publicly on emerson.edu
  • Policies
  • Publications
  • Academic Calendar
  • Campus Maps

Data Transmittal and Storage

All members of the Emerson College community and its working partners are responsible for the proper handling, transmittal and storage of College Data. All individuals and departments must follow the policies and procedures of the College to ensure that data is protected and used properly. Any partner, consultant, or vendor that needs access to or shares any non-public College Data must sign a Third Party Data Security Agreement.

Below is the Data Transmission and Storage Table by which all members of the Emerson College community, all working partners, vendors and consultants must abide when transmitting and storing College Data.

Data Transmittal and Storage
Data Classification Data Transmission Data Storage
High Risk (PII, GLBA, PCI, and PHI Data)

Emerson College IT Dept. approved encryption is REQUIRED when transmitting any information over a network. Third party email or file transfer services are prohibited when transmitting High Risk information. High Risk numbers/data may be redacted instead of encrypted.

High Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All High Risk data should be stored and/or transmitted via Emerson College's approved file storage system (Google Drive), encrypted Emerson Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College owned equipment. Data stored by external partners MUST be encrypted at all times. Printing of High Risk data is strongly discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. All high risk data, whether printed or electronic, must be securely destroyed when no longer in use or required for retention by the College.

Moderate Risk

Emerson College IT Department approved encryption is REQUIRED when transmitting any information over a network. Third party email or file transfer services are prohibited when transmitting Moderate Risk information. Moderate Risk numbers/data may be redacted instead of encrypted.

Moderate Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All Moderate Risk data should be stored and/or transmitted via Emerson College's approved file storage system (Google Drive), encrypted Emerson Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College owned equipment. Data stored by external partners MUST be encrypted at all times. Printing of Moderate Risk data is discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. All moderate risk data, whether printed or electronic, must be securely destroyed when no longer in use or required for retention by the College.