109 SPEC Kit 360: Learning Analytics BOSTON COLLEGE Data Security Policy http://www.bc.edu/content/dam/files/offices/policies/pdf/policies/I/1-100-200.pdf Internal Use Only information includes information that is less sensitive than Confidential information, but that, if exposed to unauthorized parties, may have an indirect or possible adverse impact on personal interests, or on the finances, operations, or reputation of Boston College. Examples of this type of data from an institutional perspective include internal memos meant for limited circulation, or draft documents subject to internal comment prior to public release. Public information is information that is generally available to the public, or that, if it were to become available to the public, would have no material adverse effect on individual members of the University community or upon the finances, operations, or reputation of Boston College. 2. All Information Resources, whether physical documents, electronic databases, or other collections of information, are to be assigned to a security classification level according to the most sensitive content contained therein. 3. Where practicable, all data is to be explicitly classified, such that Users of any particular data derived from an Information Resource are aware of its classification. 4. In the event information is not explicitly classified, it is to be treated as follows: Any data which includes any personal information concerning a member of the University community (including any health information, financial information, academic evaluations, social security numbers or other personal identification information) shall be treated as Confidential. Other information is to be treated as Internal Use Only, unless such information appears in form accessible to the public (i.e., on a public website or a widely distributed publication) or is created for a public purpose. 5. The Data Security Committee may from time to time provide clarifications relating to the security classifications, and may, through issuance of Data Security Directives establish more detailed requirements concerning the classification of Information Resources or specific data. ROLE OF THE DATA SECURITY WORKING GROUP 1. The University has established the Data Security Working Group to aid in the development of procedures and guidelines concerning the collection, storage, and use of data by the University community, and to assist the Data Security Committee in the implementation of this policy. 2. In consultation with the Office of the General Counsel and the Director of Internal Audit, the Data Security Working Group shall: Monitor federal, state and local legislation concerning privacy and data security. Stay abreast of evolving best practices in data security and privacy in higher education, and assess whether any changes should be made to the Computer System Security Requirements. Establish data privacy and security training and awareness programs for the University community and periodically assess whether these programs are effective. Periodically reassess this policy to determine if amendments are indicated or if Data Security Directives should be proposed to the Data Security Committee. Discuss any material violations of this policy and Security Breaches, the University’s actions in response, and recommend any further actions or changes in practice or policy to the Data Security Committee.