Effective Date: November 12, 2013 (Revised & Renamed: May 24, 2018)
Barnard College operations require the sensitive information of students, faculty, staff and others. The college has a high business dependency on this information and a robust security posture must be in place to protect the confidentiality, integrity and availability of this data but also maintain access to it as necessary. This policy is designed to codify data access expectations to private data held by the college.
Reason for the Policy
The college affirms that the mutual trust and freedom of thought and expression essential to the academic mission of a college rest on a reasonable expectation of privacy, and that the privacy of those who work, study, teach, and conduct research in a college setting will be respected. This policy is intended to highlight some general principles that should help to define the rights of the college to access private data and the expectations of privacy of those in the college community.
Who is Responsible for This Policy
Barnard's General Counsel is responsible for the maintenance of this policy and for responding to questions regarding this policy. The college reserves the right to amend this policy at any time.
Who is Governed by This Policy
This policy applies to all individuals who access, use, or control college resources. Those individuals covered include, but are not limited to, staff, faculty, students, those working on behalf of the college, guests, tenants, visitors, and individuals authorized by affiliated institutions and organizations.
The college provides computers, user accounts, email accounts, networks and other resources to faculty, staff and students for the purpose of furthering the college's academic mission and conducting college business. While incidental and occasional personal use of such systems, including e-mail and voice mail, is permissible, personal communications and files transmitted over or stored on college systems are not treated differently from college related communications.
As is the case for information in non-electronic form stored in college facilities, the college's need for information will be met in most situations by simply asking the author or custodian for it. However, the college reserves the right, consistent with this policy, to access, review and release information that is transmitted over or stored in college systems or facilities.
When access, review or release of information is required, an officer of the college may request access to a user’s resources without the consent of the assigned user when there is a reasonable basis to believe that such action:
- Is necessary to comply with legal requirements or process
- May yield information necessary for the investigation of a suspected violation of law, regulation, or college policy (e.g. alleged harassment)
- Is needed to maintain the integrity of college computing systems
- May yield information necessary to deal with an emergency
- Will yield information that is necessary for the completion of ordinary business of the college
The office of the General Counsel is responsible for obtaining the final approval of requests and for maintaining a record of the authorized searches.
Procedure to Access Private Information
Requests for access to the private information of faculty, students and staff will follow the procedure below:
- The requestor contacts the officer of the college for their administrative area or the general counsel with the request.
- The officer forwards the request to the office of the General Counsel.
- The office of the General Counsel reviews the request for compliance with this policy and contacts the president and/or her designee for approval.
- The office of the General Counsel forwards approved requests to the vice president for IT and/or her designee who will provide the data requested (if available) to the office of the General Counsel.
- The office of the general counsel reviews the data with the requestor.
Due to the sensitivity of the requests, it is crucial that the parties involved in this process do not disclose any information about the request to anyone not involved in the processing of the request.
Applicable Acts, Regulations, and Laws
Electronic resource use is subject to many laws and regulations. Suspected violations of applicable law are subject to investigation by the college and possibly law enforcement officials. Among the applicable laws are:
- Family Education Rights and Privacy Act (FERPA): a federal law that protects the privacy of student education records.
- General Data Privacy Regulation (GDPR): a European Union (EU) data privacy regulation, effective May 25, 2018, protecting the personal data of EU subjects or others physically located in the EU which is collected by the college
- Defamation: Someone may seek civil remedies if they can show that they were clearly identified as the subject of defamatory messages and suffered damages as a consequence. Truth is a defense against charges of defamation.
- Common law actions for invasion of privacy: Someone may seek civil remedies for invasion of privacy on several grounds.
- Public disclosure of private facts: the widespread disclosure of facts about a person, even when true, may be deemed harmful enough to justify a lawsuit.
- False light: a person wrongfully attributes views or characteristics to another person in ways that damage that person's reputation.
- Wrongful intrusion: the law often protects those areas of a person's life in which they can reasonably expect they will not be intruded upon.
Violations of these policies are adjudicated according to the procedures defined in the student, faculty or employee policies and procedures and may result in the removal of access to Barnard resources and/or more serious sanctions.
Data is a stored collection of information that may include symbols, words, sounds or images.
Resources include data, networks, computers, paper files, and other Resources provided by the college.
Users refer to faculty, staff, students and any other individuals that may have access to the college’s electronic Resources.
Sensitive Information is any information whose disclosure could cause harm to the college or its constituents including Personally Identifiable Information and Proprietary Information.
Personal Data is identifiable information such as name, identification number, address, online identifier, or specific details of an individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
Personally Identifiable Information is nonpublic information relating to an individual that reasonably identifies the individual and, if compromised, could cause significant harm to that individual or to the college. Examples may include, but are not limited to, Social Security numbers, credit card numbers, bank account information, student grades or disciplinary information, salary or employee performance information, donations, patient health information, information that the college has agreed to keep confidential and account passwords or encryption keys used to protect access to confidential college data.
Private Data includes information generated through the use of or with Barnard College resources, including system activity, event logs, browsing history, email/voicemail content, and documentation.
Proprietary Information is data, information, or intellectual property in which the college has an exclusive legal interest or ownership right, which, if compromised, could cause significant harm to the college. Examples may include, but are not limited to, business planning information, financial information, trade secrets, copyrighted material, research or comparable materials from a third party that the college has agreed to keep confidential.
Cross Reference to Related Policies
Policy Issued: 11/12/2013
Revised & Renamed: 05/25/2018