Williams College is committed to maintaining appropriate protection for all confidential and sensitive information in our custody. All College employees must assist in the effort to ensure that the college complies with applicable laws and regulations regarding the protection of confidential information. In addition, beyond strict legal compliance, employees are also expected to respect confidential and sensitive data and to view and use it only as required by their jobs.
Administrative department heads are responsible for keeping current with the information security policies and procedures implemented on campus and for making sure that their employees understand the levels of confidentiality of the information they work with. Each office should have an information security contact who will assist with achieving and maintaining information security compliance. Faculty are responsible for maintaining information security on their computers and in their offices and labs.
Data Classification
Data owned, used, created or maintained by the college is classified in the following three categories:
- Legally protected
- Need to know
- Public
This information may be stored electronically or on paper.
1. Legally protected
A variety of state and federal laws impose requirements with respect to the protection of certain types of confidential information. The following laws apply to the college. Other laws may apply as well, including those of states other than Massachusetts if victims of a data breach reside elsewhere. The following list does not include complete descriptions of any of these legal requirements, several of which are dealt with in detail in separate College policies.
a) The Massachusetts Identity Theft Law of 2007 defines “personal information” as a name in conjunction with any of the following:
- Social Security number
- Bank Account number
- Credit Card number
- Driver's License number or other state-issued ID number
This law imposes strict requirements for maintaining the confidentiality of personal information, and triggers onerous requirements in the event of a possible breach of personal information.
b) Family Educational Rights and Privacy Act of 1974 (FERPA)
FERPA imposes limitations on the use of non-directory student “educational record” information, generally restricting disclosure of such information only to those faculty and staff with a legitimate need for access to it.
Examples of educational records include:
- grades / transcripts
- student schedules
- names of students’ advisors
- papers / student thesis / tests
- records of student discipline
- personal information such as social security number, age, parent’s name
- health information
c) Gramm-Leach-Bliley Act of 2000 (GLB)
GLB protects personal financial information that is not public.
Examples of financial and other accounts to which GLB protections apply include:
- Federal Perkins student loans
- Other student loans where Williams College is the lender
- The federal direct PLUS loan program
- Extension of credit for personal, family, or household loans and the servicing and collection of such loans, including the Williams College mortgage program
- Gifts of security and life income arrangements
- Financial or tax advice to prospective donors
d) Health Insurance Portability and Accountability Act of 1996 (HIPAA)
All personal health information of college employees is protected, including insurance policy numbers.
2. Need to Know
All Legally Protected information should be accessible to, and used by, only those College employees who need to do so in order to perform their job responsibilities and who understand the legal constraints on the use of such information. In addition to Legally Protected information, College employees have access to other sensitive information (“Need to Know” information) which should be protected from public disclosure. Need to Know information must be treated as confidential and should not be discussed or disclosed to others except as required to perform one’s College functions.
Examples of Need to Know information include:
a) Employee information: salary data, appointment data, all evaluation data (including department and program staffing reports), external scholarship reviews, student course evaluation scores, Fuqua letters, termination/disability data, non-salary related benefits, biographical information, ethnicity and grievance/harassment allegations or cases
b) Faculty Research Projects – research projects often contain confidential and sensitive information whether grant funded or not: personal information about human subjects, salaries of employees being paid by a grant, data subject to confidentiality agreements specific to a particular grant and financial data regarding use of College research funds.
c) Student and applicant data: financial aid data, student accounts receivable data, student grade data, admission application data such as scores, recommendations and personal essays, student athlete evaluations
d) Alumni and Friends data: gift and pledge data, financial data, employment data, biographical data
e) Home addresses, home phone numbers, pictures, WMS IDs (Human Resources System EMPLID)
f) Nonpublic financial information of the college
3. Public
Public information may be released to the public without the person’s consent. Examples of such information are:
a) Employees: College addresses, phone numbers, titles and departments
b) Students: Williams College identifies the following as Directory Information under FERPA, except where a student has expressly withheld consent to its release: name; permanent and College addresses; campus electronic mail address; permanent, mobile, and campus telephone numbers; date of birth; major field; extra-curricular activities; height and weight of members of athletic teams; dates of attendance; degrees, honors and awards; other schools attended.
c) Other: press releases, posted college events, college maps, newsletters and newspapers, audited financial statements
d) Data accessible through the Williams College public web site
Responsibility of Administrative Departments
Each department head is responsible for ensuring the appropriate protection of information within his or her office. These responsibilities include:
a) Ensure that everyone in the office is aware of which information is confidential and how that information should be secured.
b) Annually review who needs to use confidential information and only authorize access to information when the job responsibilities require it. Work with OIT to grant access accordingly in administrative information systems, such as PeopleSoft.
c) Maintain an inventory of all confidential information that is collected and maintained by the department, including digital storage, paper storage and workflows.
d) Securely delete or redact all confidential information that is not necessary for the department to collect, maintain or use and that is not required to be maintained by law.
e) Ensure that no legally protected personal information is on laptops or portable storage unless those devices have been encrypted. Determine if Need to Know information must be on laptops or whether sensitive information may be stored on departmental servers instead. Encrypt laptops with necessary Need to Know information.
f) Have all contracts reviewed and signed by the Vice President for Finance & Operations and Treasurer who will ensure that vendors are also compliant with our policies.
g) Instruct employees to report possible information breaches to the department head who in turn will report it to the college’s Information Security Officer.
Responsibility of Faculty
Each faculty member is responsible for ensuring the confidentiality of any information s/he collects or uses, both electronic and on paper.
a) Be aware of what information is legally protected and how such information should be secured.
b) Ensure that no legally protected information is on a laptop or other portable storage media unless it is encrypted. OIT can help determine if such information is present.
c) Securely delete or redact all confidential information that is not necessary to collect, maintain, use or archive.
d) Review all research projects, whether grant funded or not, to make sure required confidential information is secure. Store data on the college servers instead of on laptops when possible.
e) Report all possible data breaches to the college’s Information Security Officer.
Policy updated January 2010