Commit

Update I. Middlebury Wide Policies “h-information-technology/h-3-privacy-and-security-policy”
nsteen committed Dec 11, 2024
1 parent a386514 commit b89dbcb
Showing 1 changed file with 136 additions and 2 deletions.
@@ -1,5 +1,139 @@
---
slug: /pages/i-policies-for-all/h-information-technology/h-3-privacy-and-security-policy
title: H.3. Privacy and Security Policy
date: 2024-10-22
---
date: 12/11/2024
---
# PURPOSE

Handling confidential and private information appropriately is a core Middlebury value. The Information Technology Privacy and Security policy outlines how Middlebury balances legitimate expectations for personal privacy with compelling institutional interests to ensure the safety and security of our community, compliance with various legal and regulatory requirements, and the reliable delivery and security of essential technology services and associated data.

# SCOPE

This policy applies to all students, faculty, and staff, as well as retirees, emeriti, contractors, guests, and other parties authorized to interact with Middlebury’s technology services.

# Definitions

Please refer to H.1 Information Technology - Overview for explanations of phrases and terms used throughout the Information Technology policies. 

# Policy

ITS is committed to responsible behavior in its management and maintenance of technology services and makes every reasonable effort to respect personal privacy within the constraints of supporting Middlebury’s academic mission and facilitating administrative operations.

## Your Rights and Responsibilities

### Consent 

By choosing to interact with Middlebury technology services, including with your personally-owned devices, you consent to Middlebury’s monitoring and management practices as described in this policy.

### Protecting Privacy

Per Middlebury’s Information Technology Responsible Use Policy, you are obligated to protect sensitive information that you have access to and you must not abuse your privileges to access sensitive information for reasons other than fulfilling your official responsibilities. See: Information Technology Responsible Use Policy and [Banner Security Procedures.](https://www.middlebury.edu/information-technology-services/policies/information-security-policies/banner-security-procedures) 

### Marketing Data

Middlebury will not share your personal data to third-parties for marketing purposes. Data is collected for the purposes outlined below. For additional information on website analytics, including options to opt-out of website analytic tracking, please refer to the [ITS Website Privacy Policy](https://www.middlebury.edu/about/website-privacy-policy).

### Preservation of Information

Middlebury may be compelled, either to protect its own interests, or as part of legal proceedings, to perverse information for an indefinite period.

If you receive a Notice of Data Preservation from the Office of General Counsel, you are required to comply. Do not destroy records that are subject to data preservation requests.

## Middlebury’s Rights and Responsibilities

### Data Collection

Middlebury collects technology service usage data to ensure the reliability, performance, and security of Middlebury technology services, as well as to comply with various legal and regulatory requirements. Data collected can typically be associated with identifiable individual account holders. Types of data collected include, but are not limited to:

* Internet traffic logs
* Network traffic logs
* Wireless network data
* Authentication and access records
* Technology service access log, activity logs, and audit logs
* Email communications and associated message logs
* Telephone, instant messaging, and online conferencing usage logs
* Printing logs
* File access logs
* Geographic location data, inferred from the sources above and others

### Log Retention 

Logs are retained as long as legally required or for legitimate business reasons including usage trending, performance monitoring, and cybersecurity. Logs may be preserved indefinitely if they were collected as part of a legal or conduct investigation.

### Confidentiality

As a general matter, Middlebury does not guarantee the confidentiality of any content housed within or transmitted through its systems or networks. In certain circumstances Middlebury may need to access information for legitimate institutional purposes, an illustrative but not exhaustive list of which are described below.

#### Health and Safety Matters 

In situations where the safety of any human being is seriously threatened, Middlebury reserves the right to access information to reduce the health and safety risk.

#### As Required By Law

Middlebury must comply with legal process, including lawful demands for information in government investigations, law enforcement proceedings, etc. and it has obligations to preserve and produce information that is required in connection with threatened or pending litigation. Subpoenas, court orders, or other demands for information should be directed to the Office of the General Counsel.

#### Investigations of Illegal Activity or Misconduct

Under its policies, Middlebury may and often is required to gather information to investigate a possible violation of law or a breach of Middlebury policy. Access under such circumstances is restricted under the associated Procedure for Authorization, which ensures that appropriate senior leadership, such as the Vice-President for Human Resources, or the Dean of the Faculty, is informed in order to authorize access. Senior leaders may consult with the General Counsel, as needed.

#### Operational Continuity

Middlebury may access information necessary to carry out essential business functions, which may include circumstances of unexpected absence, death or other unavailability.

### Authorization to Access Information

#### Authorization for Access

Under the circumstances outlined above, ITS is authorized to access information. 

#### Scope of Authorization

All information and content created or logged while using a Middlebury technology service, including location data, may be subject to discovery in these cases. 

#### Campus Safety and Emergency Authorization

ITS is authorized to access information in support of campus safety investigations and in emergency situations. Examples of information relevant to campus safety investigations  include location information derived from either network or authentication logs.

Emergency access to information needed to reduce a serious threat to a person’s health or safety may be authorized by an appropriate member of the Senior Leadership Group, the AVP of Public Safety, and/or official delegates of the above. The authorizing party is responsible for notifying appropriate offices, after the emergency is resolved, of the actions taken. Notice will ordinarily be given to an identified user within a reasonable period of time, although Middlebury may exercise discretion in such notifications.

#### Electronic Discovery Authorization

Other than in an emergency, access to identifiable electronic information in connection with a legal or conduct investigation may be authorized by individual account holder(s) subject to investigation, or the following authorities and/or their official delegates:

<table><tbody><tr><td>Cohort</td><td>Authorizing Senior Leader(s)</td></tr><tr><td>All community members</td><td>Dep. General Counsel<br>General Counsel<br>Chief Risk Officer<br>President</td></tr><tr><td>All staff</td><td>VP for Human Resources<br>EVP for Finance and Administration</td></tr><tr><td>College faculty</td><td>Dean of Faculty<br>VP for Academic Affairs<br>EVP for Academics and Provost</td></tr><tr><td>College students</td><td>VP for Student Affairs<br>Dean of College</td></tr><tr><td>Middlebury Institute faculty</td><td><p>Dean of the Institute</p><p>VP for Academic Affairs<br>EVP for Academics and Provost</p></td></tr><tr><td>Alumni, Parents, and Friends</td><td>VP for Advancement</td></tr><tr><td>Faculty and Students of the Schools</td><td>VP for Academic Affairs<br>Dean of the Schools</td></tr></tbody></table>

ITS will notify the senior leader about a pending need for authorization. The senior leader is responsible for weighing the needs of Middlebury against the privacy interests of the individual, in the context of applicable legal restrictions, and may take into consideration technological tools utilizing non-consumptive or data analytical techniques. Senior leaders may consult with the General Counsel and others as needed. Information provided under this exception will be limited to the information that is necessary to effectuate the institution’s purpose and must be maintained as confidential to the maximum extent possible.

### Authorization to Preserve Information

Middlebury may be compelled, either to protect its own interests, or as part of legal proceedings, to perverse information for an indefinite period.

When so directed by the General Counsel, ITS is authorized to implement technical controls, i.e. litigation holds, to prevent the destruction of data subject to preservation requests.

### Authorization for Systems Administration

#### Monitoring

ITS is authorized to monitor technology services to collect adoption and usage statistics, to monitor the availability and performance of technology services, and for cybersecurity purposes.

#### Systems Maintenance

ITS is authorized to perform system maintenance when and as needed to ensure the performance, availability, and security of Middlebury technology services. 

#### Necessary Actions 

ITS is authorized to take necessary actions, when required, to protect Middlebury technology services from abuse or misuse, including revoking access to services until such issues are resolved. ITS is authorized to disable technology services, if necessary, to prevent them from being abused or misused due to a cybersecurity vulnerability. Such systems will remain offline until the cybersecurity issue is resolved and the impacted systems can be safely returned to service

### Authorization for Cybersecurity Operations

#### Analysis

In order to ensure the security of Middlebury’s technology services and data contained therein, the ITS Information Security team and the ITS Leadership team are authorized to analyze all information created with or by Middlebury technology services. ITS leverages trusted security partners to analyze data flows, including email, for potentially malicious activity. Automated security tools analyze email and document contents for potential security threats and accordingly, either blocking or quarantining content and messages, and raising alerts for the Information Security team to investigate.

#### Incident Detection and Response

During cybersecurity detection and response operations, Information Security team members are authorized to inspect content specific to the cybersecurity risk being investigated. The ITS Information Security team may, for example, examine the contents of any email messages related to phishing attacks, spam, or other abuses of the email system, including message contents and attached files. ITS and its security partners may also investigate files suspected of being malicious, i.e. infected with malware or containing malicious links. 

# SUPPORT

Questions about this policy and its application should be directed to the Vice President for ITS and/or the Executive Vice President for Finance and Administration, or the General Counsel.
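
Review bot: "perverse information" in the Preservation of Information paragraph should read "preserve information", and the identical sentence, typo included, appears again under Authorization to Preserve Information; correct the word and keep the sentence in one of the two sections, with the other pointing to it. In the front matter, the new `date: 12/11/2024` departs from the ISO form used by `date: 2024-10-22`; writing it as `2024-12-11` removes the day/month ambiguity and keeps the field consistent for anything that parses it. Under Analysis, "and accordingly, either blocking or quarantining content and messages, and raising alerts" has no finite verb; "and accordingly block or quarantine content and messages and raise alerts" would fix it. Smaller points: the top-level headings mix all-caps (PURPOSE, SCOPE, SUPPORT) with title case (Definitions, Policy), the last sentence under Necessary Actions is missing its closing period, and "Information Technology Responsible Use Policy" after "See:" is left unlinked while the Banner Security Procedures reference beside it is linked.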
