Definitions

Data custodian

Essentially, all employees are the data custodian(s) of data stored on their individual computer or any shared or removable media.

More specifically, Data Custodian(s) are the individual(s) responsible for making decisions about the sensitivity and criticality of specific University systems and data stored in these systems; determining the classification of data under their control; documenting the use of the specific system(s); and determining which University staff requires access to that system and its data. University policy may restrict or dictate the Data Custodian's role regarding data design and control (e.g., a policy indicating how access to Institutional Data should be handled would take precedent over individual Data Custodian decisions/ determinations). Examples of Data Custodians are: the Directors of Human Resources would have Data Custodian responsibility over payroll and personnel information and a Principal Investigator is the Data Custodian for research data related to their grant. All employees are the data custodian(s) of data stored on their individual computer or any shared or removable media.

Personally Identifiable Information (PII)

 An individual's first name and last name or first initial and last name in combination with one or more of the following data elements: social security number, driver's license number or state-identification card number, or financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account. (Massachusetts Law Chapter 93H) Individually identifiable health information (i.e., information relating to past, present or future physical or mental health or condition of an individual; provision of healthcare to an individual or payment for the provision of healthcare to an individual; Individually identifiable health information may include, but is not limited to: name, telephone/fax number, email address, social security number, driver's license number, internet address or any other unique identifying number, characteristic or code). Some, but not all, health information is protected under the Health Insurance Portability and Accountability Act of 1996 (i.e., HIPAA) Student education records not defined as student "directory information" (e.g., student number, grades, courses taken, etc.) by the University and its Campuses are protected under the Family Educational Rights and Privacy Act (i.e., FERPA). "Customer" records such as names, addresses, phone numbers, bank and credit card account numbers, credit histories, or social security numbers as they related to student financial aid information are protected under the Graham Leach Bliley Act of 1999 (i.e., GLB).

Protected information

Protected Information is assigned a security classification of confidential and includes University data whose disclosure would not result in any business, financial or legal loss but involves issues of personal credibility, reputation, or other issues of personal privacy. The security and protection of this data is dictated by a desire to maintain staff and student privacy. Protected data includes an individual's first name or initial and last name in combination with one or more of the following data elements: their birth date, mother's maiden name, state employee salary, employee identification number, electronic signature, fingerprint, photograph or computerized image, physical characteristics or description, or passport number.

FERPA: Family Educational Rights and Privacy Act

FERPA, the Family Educational Rights and Privacy Act of 1974, was passed in order to protect student records from being shared with those who do not have a legitimate reason to access them. The Act provides students specific rights and applies to all institutions that are the recipients of federal funding. More information is in the Student Handbook