Information Security Policy and Procedure
State University of New York
Approved April 24, 2006
Confidentiality of Student and Employee Records and other University-Maintained Data
STATEMENT OF POLICY:
As a general principle, without reasons to the contrary, Binghamton University will make available to our employees, data that are necessary to allow them to fulfill their official University work assignments. As a result, selected staff and faculty members handle a variety of protected (proprietary and private) information concerning colleagues, students, parents, alumni, donors, and others associated with the University, as well as confidential information regarding University business. This material may include (but is not limited to) personal data such social security numbers and home addresses, donor files, student records, or University financial information. The University will adhere to all appropriate state and federal laws. The Information Security Council has been established to oversee and coordinate information security at Binghamton University. Members of the committee are:
- Information Security Officer (Chair)
- Representative from each Division (5)
- Representative from each College (6)
- Representative from Library
- Representative from Graduate School
- Associate Vice President - ITS
- Associate Vice President - Administrative Services
- Director of Human Resources
- University Registrar
- University Counsel
Data and data types should be classified by their use and releasability; categories are open, restricted, and confidential. These are defined as follows:
- Open: Public information about the University and its community releasable at the lowest department level (e.g. sports scores, public events information, announcements, faculty expertise, student accomplishments, aggregate data prepared for release).
- Restricted: Public information subject to established University protocol for release (e.g. budget information, salaries, expenditures, directory information).
- Confidential: All other information, including any personally-identifying information about employees or students. Note: Student directory information is confidential if a directory exclusion is requested by the student. It is the responsibility of all University employees to respect the highest level of privacy for their colleagues and other members of the University community. Disclosure and discussion of information obtained from University records, either during or after employment with the University, is not permissible unless such disclosure is a normal requirement of an employee’s position or has been so authorized.
University employees or persons with access to University data shall not:
- Exhibit or divulge the contents of any record or report to any outside party or other
University employee unless the latter requires the information to perform his or her
work-related duties. When in doubt, an employee receiving a request should refer the
matter as follows:
- Requests for information about individual students should be referred to the Office of the University Registrar
- Requests for information about individual employees should be referred to the Office of Human Resources
- Requests for all other information about the University should be referred to the Office of Communications & Marketing
- If additional clarification is required or in the case of broader policy questions, please refer the matter to the Chair of the Information Security Council
- Make unauthorized use of any information in files maintained, stored, or processed by Binghamton University, or permit anyone else to make unauthorized use of such information.
- Seek personal benefit or permit others to benefit personally from any information that has come to them by virtue of their work assignment.
- Knowingly include or cause to be included in any record or report a false, inaccurate, or misleading entry.
This policy applies to all members of the Binghamton University workforce, whether directly employed by the institution or serving under an alternative arrangement. It shall include, but not be limited to:
- Employees of Binghamton University, the Research Foundation, and the Binghamton Foundation (including teaching assistants, graduate assistants, and other student employees)
- Contractors and subcontractors
Binghamton University expects all employees to be familiar with:
- The need for confidentiality
- The types of information that are considered confidential
- The institution’s confidentiality policies and procedures
Binghamton University regularly reminds employees of their responsibility to protect confidential information.
Each member of the Binghamton University workforce will be expected to review and sign the University’s Agreement to Protect Confidential Information. This signed statement will be maintained in the appropriate employee personnel file.
All suspected breaches of this policy must be reported to the area/department supervisor who should immediately contact the Director of Human Resources or the Chair of the Information Security Council. Any violations of this policy may be cause for immediate termination of access to confidential information and may result in disciplinary action, including dismissal from employment.