Adopted by President’s Cabinet 4/27/21

Purpose:

The purpose of this policy is to provide guidance on the appropriate use and protection of confidential and sensitive information at East Georgia State College (EGSC). Adherence to it is essential for compliance with federal and state law and with University System of Georgia (USG) requirements.

Background:

The EGSC Data Security and Privacy Policy was created to comply with the data security requirements defined in Section 12 of the USG Business Procedures Manual (BPM), the USG Information Technology Handbook, the U.S. Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI DSS) published by the PCI Security Standards Council, and other applicable laws, regulations and compliance requirements.

Scope:

The EGSC Data Security and Privacy Policy applies to all individuals using "organizational data" as defined in USG BPM Section 12.1: data managed in an information system by, or on behalf of, a USG organization. Organizational data is information that records facts, statistics or other information and that is read, created, collected, reported, updated, or deleted by offices of the organization. Data may be stored electronically or physically, and may reside in an organizational information system or in a third-party system.

Users, hereinafter referred to as data users, include but are not limited to students, faculty, staff, external contractors, and visitors. This includes faculty and staff while serving as researchers or principal investigators.

Exclusions or Exceptions: Because protecting student and employee privacy and confidentiality is critically important, the only exceptions that will be granted to the Data Security and Privacy Policy concern legacy systems that are transitioning to data-at-rest encryption.

Definitions and Acronyms from USG BPM

    • Unrestricted/Public Information is information maintained by a USG organization that is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws. Some level of control is required to prevent unauthorized modification or destruction of public information. Examples include EGSC website, EGSC promotional materials, etc.
    • Sensitive Information is information maintained by a USG organization that requires special precautions to protect from unauthorized use, access and disclosure guarding against improper information modification, loss or destruction. Sensitive information is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws but is not necessarily intended for public consumption. Example: departmental continuity of operations plans.
    • Confidential Information is information maintained by a USG organization that is subject to authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information (44 USC Sec 3542). Documents classified as confidential are exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws. Examples include non-public proprietary information and documents containing information such as Social Security numbers, driver’s license numbers, state identification card numbers, personal identification numbers, education records and grades.
    • Research Data is the recorded factual material commonly accepted in the scientific community as necessary to validate research findings. This includes (1) information from or regarding data sets used in research, including unpublished proprietary information, preliminary analyses, drafts of scientific papers and plans for future research; (2) peer reviews or communications with colleagues; and (3) personal, medical and similar information obtained from or about participants in a research study, the disclosure of which would violate their consent to participate in the study, or information that could be used to identify a particular person in a research study. Research data is exempt from public disclosure under the Georgia Open Records Act unless such data is publicly released, published, copyrighted or patented.

Policy

    1. All data users will adhere to all current IT policies and procedures required by EGSC and USG.
    2. Data users will only use confidential and/or sensitive information in support of the business EGSC has authorized the data user to perform. Data users will not use, disclose, or publish confidential and/or sensitive information for any reason other than official EGSC business. 
    3. Research data that incorporates personally identifiable or sensitive elements (such as Social Security numbers), proprietary college information or trade secrets, controlled unclassified information, or export-controlled information must have adequate security protections and must be treated as confidential information under this policy.
    4. It is the responsibility of the Principal Investigator to properly identify the classification of their data and to provide appropriate protections, as well as any additional data security that may be specifically required under the terms of a sponsored program agreement (such as the requirements of the Federal Information Security Management Act (FISMA) or the Food and Drug Administration’s electronic records regulation, 21 CFR Part 11).
    5. The data user understands that EGSC reserves the right to impose legal and/or disciplinary action against the data user in the event of unauthorized use or disclosure of confidential and/or sensitive information. 
    6. Confidential and/or sensitive information must not be transferred by any method to persons who are not authorized to access that information. Users must ensure that adequate security measures are in place at each destination when confidential and/or sensitive information is transferred from one location to another. 
    7. Confidential information must be encrypted while at rest and while in transit, consistent with the USG Information Technology Handbook, Section 5.1.2, and Georgia law. 
    8. Confidential and/or sensitive information must be stored in and accessed through appropriate college-provided systems, and may be copied locally only if encryption or other approved security precautions have been applied to protect that information. Servers and other computers storing any college information shall have a data protection strategy in place and shall be regularly scanned for vulnerabilities and patched. 
    9. Users are prohibited from storing confidential and/or sensitive information on cloud services not provided by the college. 
    10. Users are required to store all institutional data in alignment with the USG BPM definitions and above storage rules. Questions concerning data classification and storage should be directed to EGSC’s Data Security Officer.

Violations

EGSC reserves the right, at its sole discretion and without prior notice to a data user, to temporarily or permanently rescind a data user’s access to confidential and/or sensitive information if it determines a breach of any provision of this policy has taken place. The data user understands and agrees that any unauthorized access or disclosure of confidential and/or sensitive information may subject the offender to disciplinary action by EGSC, up to and including administrative or student conduct review, termination or legal action. 

The Vice President for Information Technology reserves the right to disable system accounts and user accounts if their activity is inconsistent with applicable laws and college policy.

Review

The Vice President for Information Technology or their designee will review the Data Security and Privacy Policy annually.