Policy: Information Access & Security
First Issued: October 30, 2002
Revised: August 9, 2006
Trinity seeks to protect the privacy of information about students, faculty and staff, as well as the confidentiality of corporate information and work papers. Trinity will take all reasonable measures to ensure the security of the informational assets of the College, both physical and intellectual, including the assignment of clear responsibility for their custodianship and creation of protocols to prevent illicit access to information or improper dissemination.
The Employee Handbook, particularly Part III on Professional Norms, addresses information security and ownership of work products and proprietary information. The Policy on Technology and Telecommunications also addresses information security. This policy statement augments those statements.
The following principles govern information access and use at Trinity.
General Operating Principles
- Only those individuals who have a legitimate business need to know certain kinds of information, or to have access to certain data, should be able to access and possess that information. All employees of Trinity College have an obligation to treat all data and information obtained through their work with Trinity with respect for the proprietary nature of the information and the privacy of individuals affected by the information.
- Deliberately seeking inappropriate access to, use of or sharing of information may be grounds for personnel action. Similarly, destruction of proprietary information in a way that is intended to impede work, destroy evidence, or sabotage information systems may also be grounds for termination and possible prosecution.
- Misuse of Trinity’s information systems and work products for personal gain or criminal purposes, e.g., fraudulent use of the financial aid system and records, alteration of transcripts, creation of fake ID cards, etc., will incur severe penalties including termination of employment, dismissal from academic standing, and potential prosecution.
- The personnel who are responsible for providing access to data through assigning passwords, keys, etc. must be held accountable for errors in assigning access that permit unauthorized access to and use of protected information. Such errors, even if unintentional, constitute a level of negligence that could result in personnel action up to and including termination.
- Even if access is granted in error, individuals who have erroneously received access to information that they should not possess are responsible for bringing that error to the attention of the vice president for finance and administration, who is responsible for the administration of the information security program. An individual who uses information to which he or she has no right of access, even if access was granted in error, will also be subject to disciplinary action up to and including termination.
- In order for any individual to receive the means of access to databases, offices or proprietary materials, a protocol must exist that will ensure verification of the access and scope. This protocol should include review and approval steps that can guard against errors. The personnel who actually generate the access capacity — making a key, assigning a password — should, as a general rule, only be able to provide that access upon the written instructions of the director of human resources or vice president for finance and administration, or the president.
- In accord with Trinity’s Technology and Telecommunications Policy, Trinity reserves the right to review all electronic records, including email; to review files and data generated as part of Trinity’s work product expectations; to retain outside counsel, including investigators, to inquire into any suspected breach of information security; and to take whatever action may be necessary, through termination of employees, suspension of students, and prosecution of offenders in order to protect its computer and information systems.
- All information generated as part of employment with Trinity College is proprietary, and Trinity College owns the work product of its employees. No individual employee may share work products or proprietary information outside of the normal scope of Trinity employment without the express permission of the president or her designee.
- When an individual leaves employment with Trinity, all access to all electronic databases, email, voicemail, manual files, offices and other work spaces must be terminated. This should include eliminating passwords and usernames, changing locks as necessary, and other means.
- No individual may download and transport off-campus data of any sort from Trinity’s information systems without prior approval from an executive officer with authority for the security of the data. In particular, personally identifiable data about students, personnel, alumnae and others may not be downloaded and transported on laptops, CDs or DVDs, flash drives or other portable media without the specific permission of an executive officer, and that permission may only occur in circumstances in which the data is essential to the performance of duties. Similarly, paper files, printouts and other tangible materials with personally identifiable information may not be taken off-campus without explicit authorization for a particular business purpose. In all such cases, the electronic and tangible materials must be secured while off-site and the person possessing such materials is strictly liable for the security of the data and for making an accounting of the data during and after the project. Any breach of data security may result in personnel action, regardless of the original permission extended for use of the data.
- Those individual employees who have special designation to have access to Trinity’s information systems from remote sites have heightened obligations to protect the security and integrity of data and information systems and to guard against theft of data, breach of system security, and other inappropriate uses of special remote access.
Information, Work Products and Assets Covered by this Memo
Data maintained on the information systems, and data and materials maintained in manual files and workpapers, are intellectual assets of Trinity and must be treated as college property. The assets generally covered by this policy include:
- all student information in electronic databases as well as manual files, lists, rosters, grade reports, transcripts, applications, grades, academic papers, directory information, surveys, registration forms, advising data, or student information and data collected and used by Trinity’s departments and offices;
- all faculty and staff personnel information in electronic databases as well as manual files, including personnel and payroll information and files;
- all financial information in electronic databases as well as work papers, printouts, budget preparation materials, and related materials;
- all alumnae and development information in electronic databases as well as manual files and workpapers;
- all work products including correspondence, memos, papers, emails, spreadsheets, presentations, materials maintained in electronic or hard copy formats, and related materials that constitute the proprietary work product of Trinity College.