APPENDIX TO POLICY

Institutional Data Storage Standard

Related Policy: Data Security Policy

What is Institutional Data?

Institutional data is information created, collected, maintained, transmitted, or recorded by or for the college to conduct college business. It includes data used for planning, managing, operating, controlling, or auditing college functions, operations, and mission.

It does not include personal data, which is information created, collected, maintained, transmitted, or recorded by college-owned devices, media, or systems in accordance with the Computing Access Policy that is personal in nature and not related to college business.

Institutional data includes, but is not limited to, information in paper, electronic, audio, and visual formats. Institutional data is considered essential, and its quality must be ensured to comply with legal, regulatory, and administrative requirements.

 

NOTE: Messiah College prohibits the use of personal accounts in the transmission or storage of institutional data.

 

The following table provides information on approved locations for the storage of institutional data:

| Service Name | Public Data | Private Data | Confidential Data | SSNs | FERPA | HIPAA |
|---|---|---|---|---|---|---|
| Department Drive (M:) | Yes | Yes | Some ==> | No | Yes | Yes |
| User Drive (O:) | Yes | Yes | Some ==> | No | Yes | Yes |
| Local PC | Yes | Yes | Some ==> | No | Encryption and Data Administrator Approval required | Encryption and Data Administration Approval required |
| Removable Storage | Yes | No | None ==> | No | No | No |
| Mobile Device | Yes | No | None ==> | No | No | No |
| Email | Yes | Yes | Some ==> | No | Yes¹ | No |
| Microsoft Office 365 | Yes | No | Some ==> | No | Yes² | No |
| Google Apps for Education | Yes | No | Some ==> | No | Yes³ | No |
| Canvas | Yes | Yes | Some ==> | No | Yes | No |
| Qualtrics | Yes | Yes | None ==> | No | No | No |

1 GENERAL STATEMENT ON EMAIL - Email is an official means of College communication. FERPA does not prohibit the use of email for transmitting FERPA-protected information to a student or authorized third party. However, like information disclosed over the telephone or via U.S. mail, information disclosed via email can inadvertently be disclosed to someone other than the intended recipient.

Faculty and staff should use email with the amount of caution appropriate to (1) the level of sensitivity of the information being disclosed, (2) the likelihood of inadvertent disclosure to someone other than the intended recipient, and (3) the consequences of inadvertent disclosure to someone other than the intended recipient.

As a general rule, email should contain the least amount of FERPA-protected information possible. The subject line of an email should not include FERPA-protected information. The body of an email should not contain highly sensitive FERPA-protected information, such as a student's social security number.

 

2 Microsoft's Enterprise Agreement for Office 365 provides compliance with the Family Educational Rights and Privacy Act (FERPA). This means student information is protected and onshore data storage is ensured. As part of Messiah College's Office 365 agreement, Microsoft also won't mine individual data and will only access that data for troubleshooting needs or malware prevention. Office 365 customer data belongs to individuals and they can export their data at any time.

Office 365 should not be used for highly sensitive FERPA-protected information.

 

3 Google Apps for Education complies with the Family Educational Rights and Privacy Act (FERPA). Google Apps for Education services don't collect or use student data for advertising purposes or to create ads profiles.

Google Apps for Education should not be used for highly sensitive FERPA-protected information.