Data Governance Policy, Emerson College

Purpose

College Data is a valuable asset to all constituencies at Emerson College. (students, faculty, staff, etc.) and requires the coordinated use of significant resources (funds, space, technology, etc.) involving all operations of the College. College Data enables the institution to assess the needs of the College community and to manage and modify its services and operations accordingly. It is vital not only in the day-to-day operations of the College but to short-term and long-term planning, and it serves as the basis for internal and external reports.

Appropriate and timely access to College Data is critical for the efficient and effective operation of the College. Controlling access to College Data and keeping data confidential is also important to protect the College from accidental loss or destruction of data, liability, and acts of malice.

The objectives of this policy are to:

Detail responsibilities for managing College Data;
Establish a framework for standards and guidelines to be followed in the creation of data storage, destruction, and access mechanisms.

Scope

This policy is applicable to all individuals accessing College Data (Users of College Data).

Nothing in this policy precludes or addresses the release of College Data to external organizations, governmental agencies, or authorized individuals as may be required by legislation, regulation, or other legal obligation.

Definitions

For purposes of this policy, the following definitions apply:

Access – the ability to read, copy, modify, delete, or query data.
College Data – Data that is created, acquired or maintained by the College. College Data includes, but is not limited to, Data that is: (a) acquired and/or maintained by College employees in the performance of administrative job duties; (b) relevant to planning, managing, operating, or auditing a major function at the College; or (c) referenced or required for use by more than one organizational unit. College Data may reside on College-owned systems or systems owned by third parties.
Users of College Data - any person extended access and use privileges to College Data. Includes students, faculty, visiting faculty, staff, volunteers, alumni, persons hired or retained to perform work for the College, and any other person extended access and use privileges by the College under contractual agreements or otherwise.
Data Custodians – College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination.
Data Stewards – College officials who have policy-level responsibility for managing a segment of College Data.
Personal Information – Per the Massachusetts regulation for Personal Information and Breach of Security, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security Number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number (“PIN”), or password that would permit access to a resident’s financial account. The term “personal information” does not include that information which is lawfully obtained from publicly available information (such as addresses or birthdays), or from federal, state, or local government records lawfully made available to the general public.
Health Information – health data created, received, stored, or transmitted in relation to the provision of healthcare, healthcare operations and payment for healthcare services.

Statement of Policy

Regulations, Statutes, and Policies

Responsibility for and access to College Data is governed by the following policies and legal statutes:

Massachusetts Data Protection Law
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm Leach Bliley Act (GLBA)
European Union General Data Protection Regulation (GDPR)
Payment Card Industry (PCI) Data Security Standard
Emerson College Written Information Security Policy
Emerson College Records Management Policy
Emerson College Conflict of Interest Policy

Data Stewardship

The College as an organization owns its data (or in some cases, such as with Social Security numbers or other personal data, is the custodian of data), and specific departments and positions in the roles of Data Stewards are responsible for different segments of that data. Those departments and Data Stewards shall define how the assigned data is managed within the scope of the legal and regulatory obligations.
Data Stewards are responsible for:
- Assigning Data Custodians in their respective area(s), the current status of which is documented in Exhibit 2.
- Enforcing the requirements of this policy.
- Setting additional/internal standards, procedures, and expectations for how Data Custodians handle College Data. Data Stewards are empowered to determine if their data was handled appropriately by their designated Data Custodians.

Data Custodianship

Data Custodians will authorize access to College Data only on a need-to-know-basis. Individuals seeking access will submit a request for approval to the appropriate Data Custodian that has responsibility for the data at issue.
Data Custodians will grant access to College Data for legitimate College purposes according to the classification of the data being requested and the internal expectations set by their Data Steward. The method of transmittal of any College Data must be in compliance with the College's Data Classification Guideline (Exhibit 3).

Data Handling and Collection

Users of College Data shall respect the confidentiality and privacy of individuals whose records they may access, and shall abide by applicable laws and College policies (listed in Section 4) with respect to access, use, protection, proper disposal, and disclosure of data.
To the extent that the law permits, as determined by the Office of General Counsel, Data Stewards reserve the right to deny access to any person or organization to College Data for any reason.
No person or party may collect College Data (i.e., through online or paper forms, solicitations, etc.) without authorization from the appropriate Data Custodian.
See the Records Management Policy for data retention requirements, schedules, and practices.

Compliance

The Chief Information Officer shall ensure compliance with this policy. Data Stewards and Data Custodians shall implement the policy as described above.

Violations of this policy may result in disciplinary action, in accordance with Emerson College's Human Resources and/or Student Conduct policies and any additional collective bargaining agreements. Please review HR's Service Center for details regarding Emerson College's disciplinary process, and the Code of Community Standards.

Effective Date

This policy is effective as of April 2nd, 2020.

Exhibits

Exhibit 1: Data Stewards
Exhibit 2: Data Custodians
Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements

Exhibit 1: Data Stewards

Data Stewards are College officials who have policy-level responsibility for managing a segment of the College's data. Data Stewards designate (or in some cases, act as) Data Custodians by functional area and data area.

The College has designated the following Data Stewards (by title):

Vice President and Chief of Staff
Provost and Vice President for Academic Affairs
Vice President for Administration and Finance
Vice President for Enrollment
Vice President for Institutional Advancement
Chief Information Officer
Vice President and General Counsel
Vice President of Enrollment
Vice President & Dean of Campus Life
Vice President for Office of the Arts
Vice President for Government and Community Relations
Vice President for Emerson Los Angeles

Exhibit 2: Data Custodians and Functional Areas

Data Custodians are College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination. Data Stewards designate Data Custodians by functional area and data area. New designees must be submitted in writing to the Senior Associate Vice President for Information Technology, who is the Responsible Officer for this Policy, and must specify the Data Custodian by title and describe the functional and data areas for which the Data Custodian is responsible. It is recommended, but not required, that responsibilities as Data Custodian be added to the official position description of that Designee.
The following positions have been designated as Data Custodians. Note that to the extent that there are overlaps or gaps, please interpret this list as illustrative and not exhaustive.

Data Custodians and Functional Areas
Functional Area and Data Areas	Data Custodians
Academic Affairs Academic Affairs budget data Academic Affairs compensation data	Assistant Vice President Academic Administration & Finance Patrice Ambrosia
Academic Affairs Advising data Curriculum data Faculty resources data Faculty union data	Assistant Vice President for Academic Affairs Anne Doyle
Academic Affairs Learning management system data	Director, Instructional Technology Group Jennifer Stevens
Athletics Athletics operations data NCAA student athlete data Recreation services data	Director of Athletics Steph Smyrl
Board of Trustees Board of Trustees data	Vice President and Chief of Staff (OPEN)
Budget College budget data	Director, Budget and Planning John Richard
Campus Life Housing data Counseling data New Student Orientation data Student conduct records Student communications data Student health and wellness data	Vice President and Dean of Campus Life Christie Anglade
Communications and Marketing Communications and marketing data	Vice President for Marketing and Communications Rebekah Carmichael
Enrollment Student diversity data Student academic records Student accounting data Student immigration and visa data Undergraduate biographic/demographic data	Associate Vice President, Enrollment & Dean of Admissions Justin Sharifipour
Facilities Management Architecture, engineering, and construction data Business Services data Facilities/management space data Parking operations data Real estate data	Associate Vice President, Facilities & Campus Services Duncan Pollock
Finance Emergency response and communication plans Insurance plans and claims Training compliance records Debt issuance data Treasury services data (banking and tax data)	Director, Treasury Services and Risk Management Alan Bowers
Finance Capital assets data General ledger data Accounts receivable data	Controller Kristen Margarida Coulombe
Financial Business Services Payroll data Purchasing data Time tracking and absence data	Associate Vice President, Financial Business Services (OPEN)
General Counsel Case files Data produced pursuant to legal requests or eDiscovery Miscellaneous legal advice and communications	Vice President and General Counsel Carolina Avellaneda
Government & Community Relations Government & Community Relations data	Director of Community Relations (OPEN)
Graduate and Professional Studies Graduate Studies data Professional Studies data	Interim Dean, Graduate and Professional Studies Kimberly McLarin
Health and Wellness Protected Health Information	Associate Dean & Director of Counseling, Health, & Wellness Brandin Dear
Human Resources Benefits data Compensation data Employee biographic/demographic data Employee personnel data Employment records Labor relations data Recruitment data	Chief Human Resources Officer Jamie Montgomery-Hyde
Information Technology Information Technology data	Chief Information Officer Brian Basgen
Institutional Advancement College donor and prospect data Data supporting charitable gift trusts and annuities	Vice President for Institutional Advancement Allison Dawson
Internationalization and Global Engagement External Programs data	Vice Provost, Internationalization & Equity Anthony Pinder
Kasteel Well, The Netherlands European Center staff and program data	Executive Director, European Center Dulcia Meijers
Institute of Liberal Arts and Interdisciplinary Studies Program data	Dean of Liberal Arts and Interdisciplinary Studies Amy Ansell
Los Angeles Los Angeles program data	Associate Dean for Student Life & Administration, Emerson College Los Angeles Timothy Chang
Police Department CLERY data Enforcement data Internal affairs data Investigations data Services data	Chief of Police Robert Casagrande
Registrar Registrar data	Registrar Matthew Fabian
School of the Arts School of the Arts data	Dean, School of the Arts & Assistant Provost Kate Eichhorn
School of Communication School of Communication data	Dean, School of Communication Brent Smith
Office of Equal Opportunity Diversity & inclusion data Title IX investigation data	Associate Vice President, Office of Equal Opportunity Sonia Jurado
Student Financial Services Financial aid data	Assistant Vice President, Student Financial Services Angela Grant

Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements

The table below lists the categories of data and examples. Any data that falls into multiple categories should be considered of the higher security category for protection purposes. If you have questions about a classification of data, contact your Department Records Officer or the Director of Information Security and IT Infrastructure.

Data Classification Guideline and Data Transmittal and Storage Requirements
Data Classification	Risk Level	Description	Examples
High Risk (PII, GLBA, PCI, and PHI Data)	High	Data whose loss, corruption, or unauthorized access would pose an extreme identity or financial risk to the College, a school partner, or the public and may require notification of a governmental regulator and/or affected users.	Social Security Number Credit/Debit Card Number Bank/Financial Account Numbers HIPAA or medical records Passwords or Biometric data Driver's License or State ID number FERPA records
Moderate Risk	Medium	Data whose loss, corruption, or unauthorized access would impair the academic, research, or business functions of the College or is not available to the general public.	Student ID Employee ID HR Documents College Proprietary Data or Intellectual Property Copyrighted College or Student material Board meeting minutes Expense reports Litigation materials Software license numbers College infrastructure plans System configuration/log files Training data
Low Risk	Low to None	Data to which the general public has access	Any data found publicly on emerson.edu Policies Publications Academic Calendar Campus Maps

Data Transmittal and Storage

All members of the Emerson College community and its working partners are responsible for the proper handling, transmittal and storage of College Data. All individuals and departments must follow the policies and procedures of the College to ensure that data is protected and used properly. Any partner, consultant, or vendor that needs access to or shares any non-public College Data must sign a Third Party Data Security Agreement.

Below is the Data Transmission and Storage Table by which all members of the Emerson College community, all working partners, vendors and consultants must abide when transmitting and storing College Data.

Data Transmittal and Storage
Data Classification	Data Transmission	Data Storage
High Risk (PII, GLBA, PCI, and PHI Data)	Emerson College IT Dept. approved encryption is REQUIRED when transmitting any information over a network. Third party email or file transfer services are prohibited when transmitting High Risk information. High Risk numbers/data may be redacted instead of encrypted.	High Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All High Risk data should be stored and/or transmitted via Emerson College's approved file storage system (Google Drive), encrypted Emerson Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College owned equipment. Data stored by external partners MUST be encrypted at all times. Printing of High Risk data is strongly discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. All high risk data, whether printed or electronic, must be securely destroyed when no longer in use or required for retention by the College.
Moderate Risk	Emerson College IT Department approved encryption is REQUIRED when transmitting any information over a network. Third party email or file transfer services are prohibited when transmitting Moderate Risk information. Moderate Risk numbers/data may be redacted instead of encrypted.	Moderate Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All Moderate Risk data should be stored and/or transmitted via Emerson College's approved file storage system (Google Drive), encrypted Emerson Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College owned equipment. Data stored by external partners MUST be encrypted at all times. Printing of Moderate Risk data is discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. All moderate risk data, whether printed or electronic, must be securely destroyed when no longer in use or required for retention by the College.