Information and Data Protection Policy

Responsible Unit: Technology Services | Executive lead: CIO 
Created: 2/22/2012 | Reviewed/Revised: 3/7/2018, 4/25/2023, 11/17/2023 | Effective: 12/18/23 
Compliance: FERPA, HIPAA, PC, Gramm-Leach-Bliley, NWCCU 2.C.4
Approving Body: PAC | Classification: Institution-wide 


Policy:  
Throughout its life cycle, all institutional data shall be protected in a manner that is considered reasonable and appropriate, as defined by procedures and documentation maintained by the Data Governance Committee.  Any information system that stores, processes, or transmits institutional data shall be secured in a manner considered reasonable and appropriate, as defined by procedures and documentation maintained by Technology Services. Individuals authorized to access institutional data shall adhere to the appropriate roles and responsibilities as defined by the Data Governance Committee.  

Confidential shred bins, located throughout campus, are to be used for the destruction of private or restricted-classified hardcopy documents. Any document placed in a shred bin is non-retrievable and considered the equivalent of being shredded. 

Violations of this policy may result in suspension or loss of access to information systems. Additional administrative sanctions may apply up to and including termination of employment or contractor status with the university. Civil, criminal, and equitable remedies may apply.  

Definitions: 
Institutional data is defined as any data that is owned or licensed by the University. 

Information system is defined as any electronic system that stores, processes, or transmits information, regardless of location.  

Procedures (private):  
Guidelines for Data Classification 
Information Security Roles and Responsibilities 
Incident Response Plan 
Risk Assessment Matrix 

Related documents: 
Network Acceptable Use Policy 
Data Governance Committee Charter