Data Security Policy

Purpose:

This policy defines the guidelines for the security and confidentiality of data maintained by Wentworth Institute of Technology, both in paper and electronic form. This policy also informs each person who is entrusted to access student, employee and/or institutional data of their responsibilities with regard to confidentiality and safeguarding Wentworth data.

This policy does not prevent the release of institutional data to external organizations or governmental agencies as required by legislation, regulation, or other legal vehicle.

There are two primary categories of data-handling and access defined in this policy.

  • Data Custodian
  • Data Guardian

Definitions:

Data Custodians

Data custodians function as gatekeepers for data that is collected and maintained by individuals in their divisions. Custodians are responsible for establishing access procedures for the administrative data available in their area and for approving access requests for that data. The table below indicates the administrative areas that maintain the college’s primary data stores and the respective data custodians.

Administrative Area Data Custodian
Alumni and Development Data Vice President, Institutional Advancement
Financial Data Vice President, Business Affairs
Financial Aid Data Vice President, Enrollment Management & Student Affairs
Human Resources Data Associate Vice President, Human Resources
Information Technology Data Vice President, Technology / CIO
Student Services Data Vice President, Enrollment Management & Student Affairs

Data Guardian

A data guardian is defined as anyone who, as a function of their position at Wentworth, possesses or has access to Wentworth administrative data, either electronic or otherwise. Guardianship and its associated responsibilities apply to individuals who dispense or receive data.

Department heads are responsible for signing off on data access requests for employees under their supervision.

Policy:

All custodians and guardians of administrative data are expected to manage, access, and utilize the data in a manner that maintains and protects the security and confidentiality of that information.

Procedure:

  • Institute employees, or others who are associated with Wentworth institute of Technology, who request, use, possess, or have access to college administrative data must agree to adhere to the protocols outlined above. In addition, guardians, custodians and data users are prohibited from:
  • Changing data about themselves or others except as required to fulfill one’s assigned Wentworth duties or as authorized by a supervisor. (This does not apply to self-service applications that are designed to permit you to change one’s own data.)
  • Using information to enable actions by which other individuals might profit.
  • Disclosing information about individuals without prior authorization by a supervisor.
  • Engaging in what might be termed "administrative voyeurism" (reviewing information not required by job duties) unless authorized to conduct such analyses. Examples include tracking the pattern of salary raises, viewing a colleague’s personal information and looking up someone else’s grades.
  • Circumventing the level of data access given to others by providing access that is broader than that available to them, unless authorized. For example, providing an extract file of employee salaries to someone who does not have security access to salary data is prohibited by this policy.
  • Allowing unauthorized access to Wentworth’s administrative systems or data by sharing an individual’s username and password.
  • Engaging in any other act that violates the letter and spirit of the policy, either purposefully or accidentally.

Improper Guardianship

In assuming responsibility for the interpretation and use of institute administrative data, guardians are expected to recognize the potential serious consequences of their improper guardianship. Improper maintenance, disposal, or release of Wentworth administrative data exposes the institute to significant risk, including lawsuits, loss of employee and student trust, and loss of funding.

Guardians who are found in violation of this policy will be subject to Wentworth disciplinary processes and procedures including, but not limited to, those outlined in the Student Handbook, the Wentworth Faculty & Staff Handbook and any applicable bargaining unit contracts. Illegal acts may also subject users to prosecution by local, state, and/or federal authorities.

Position Responsible:

Questions regarding this policy or the application of this policy to a specific situation should be referred to the Vice President for technology / CIO. Changes to this policy will be authorized by the approval of the Wentworth Technology Advisory Committee and the President’s Council.