St. Cloud State University Policies & Procedures

Ensuring Safety of Non-Public Data Link☍

Create PDF: Ensuring Safety of Non-Public Data

Current Status: Approved

Policy Type: All University

Effective Date: 09/20/2016

Last Updated: 03/31/2021

Applies To: Students, Faculty, Staff

Responsible University Officer: Interim President

Policy Owner: Vice President for University Affairs and Advisor to the President

Policy Contact: Vice President for University Affairs and Advisor to the President

Rationale

The adoption of this policy by St. Cloud State University satisfies the requirement in Minnesota Statutes, section 13.05, subd. 5, to establish procedures ensuring appropriate access to not public data. By incorporating employee access to not public data in SCSU’s Data Inventory (required by Minnesota Statutes, section 13.025, subd. 1), in the individual employee’s position description, or both, SCSU’s policy limits access to not public data to employees whose work assignment reasonably requires access.

Many federal and state laws regulate the collection, handling and disclosure of University data, including the Family Rights to Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Minnesota Government Data Practices Act, and Payment Card Industry regulations. Exposure of confidential data through improper disclosure or security risk is a violation of these laws, and can result in the institution's incurring legal liability, financial liability, loss of reputation, and loss of trust. In addition, Minnesota law requires all state entities to notify individuals if there is a security breach involving their protected data.

The use of mobile computing devices (e.g., laptops, PDAs, cell phones, USB drives) increases the vulnerability of university electronic data to theft and unauthorized disclosure and mandates additional requirements for securing non-public data as set forth in Minnesota State Policy 5.22 and 5.23 and associated procedures and guidelines.

Policy

This policy defines the data management environment and assigned roles and responsibilities for protecting St. Cloud State University's non-public information from unauthorized access, disclosure, or misuse. It is the responsibility of every University employee who accesses non- public data and information to secure and protect that data. It is the responsibility of every University employee who is responsible for potential data breach to cooperate with the Data Practice Compliance Official to notify individuals whose data may have been exposed.

Procedure

Data Inventory:

Under the requirement in Minnesota Statutes, section 13.025, subd. 1, SCSU has prepared a Data Inventory which identifies and describes all not public data on individuals maintained by SCSU. To comply with the requirement in section 13.05, subd. 5, SCSU has also modified its Data Inventory to identify the employees who have access to not public data.

In the event of a temporary duty as assigned by a manager or supervisor, an employee may access certain not public data, for as long as the work is assigned to the employee.

In addition to the employees listed in SCSU’s Data Inventory, the Responsible Authority, the Data Practices Compliance Official (DPCO), SCSU Administrators, and Minnesota State staff to include the General Counsel and Attorney General, may have access to all not public data maintained by SCSU if necessary for specified duties. Any access to not public data will be strictly limited to the data necessary to complete the work assignment.

Employee Position Descriptions:

Position descriptions may contain provisions identifying any not public data accessible to the employee when a work assignment reasonably requires access.

Data Sharing with Authorized Entities or Individuals:

State or federal law may authorize the sharing of not public data in specific circumstances. Not public data may be shared with another entity if a federal or state law allows or mandates it. Individuals will have notice of any sharing in applicable Tennessen warnings (see Minnesota Statutes, section 13.04) or SCSU will obtain the individual’s informed consent. Any sharing of not public data will be strictly limited to the data necessary or required to comply with the applicable law.

Ensuring That Not Public Data Are Not Accessed Without a Work Assignment:

Within SCSU, divisions may assign tasks by employee or by job classification. If a division maintains not public data and not all employees within its division have a work assignment allowing access to the data, the division will ensure that the not public data are secure. This policy also applies to divisions that share workspaces with other divisions within SCSU where not public data are maintained.

Recommended actions for ensuring appropriate access include:

Assigning appropriate security roles, limiting access to appropriate shared network drives, and implementing password protections for not public electronic data
Password protecting employee computers and locking computers before leaving workstations
Securing not public data within locked work spaces and in locked file cabinets
Shredding not public documents before disposing of them

Penalties for Unlawfully Accessing Not Public Data:

SCSU will utilize the penalties for unlawful access to not public data as provided for in Minnesota Statutes, section 13.09, if necessary. Penalties include suspension, dismissal, or referring the matter to the appropriate prosecutorial authority who may pursue a criminal misdemeanor charge.

Guidelines

Questions regarding this policy should be directed to SCSU’s Data Practices Compliance Official (DPCO):

Judith Siminoe
200 Administrative Services
St. Cloud State University
jpsiminoe@stcloudstate.edu

Keywords

Family Rights to Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Minnesota Government Data Practices Act, Payment Card Industry regulations, public data, computer security, authentication, access control, data inventory, unlawfull access

Supporting URLs

Websites, Related External Documents, Statutes

Minnesota Government Data Practices Act

Gramm-Leach-Bliley Act

Minnesota State 5.22 ( Acceptable Use of Computers and Information Technology Resources)

Non-public data (Minnesota Statutes, section 13.025, subd. 1)

Family Rights to Privacy Act (FERPA)

Health Insurance Portability and Accountability Act (HIPAA)

Minnesota State 5.23 (Security and Privacy of Information Resources)

Definitions

Protected Data

Any data protected by the Minnesota Government Data Practices Act, Chapter 13, Minn. Stat., or by other applicable state or federal law.

Student

All Persons or group of persons who:

Are enrolled in one or more courses, either credit or non-credit, through a college or university; or
Withdraw, transfer, or graduate after an alleged violation of the code of student conduct; or
Are not officially enrolled for a particular term but who have a continuing relationship with the college or university; or
Have been notified of their acceptance for admission or have initiated the process of application for admission or financial aid; or
Are not college or university employees and are not enrolled in the institution but live in a college or university owned or controlled residence hall.

Active Student:

Criteria 1:

A degree-seeking student who has completed the enrollment process and has been admitted into the University, an undergraduate major or a graduate program of study; or
A degree-seeking student who has completed the enrollment process and has not yet been admitted into the University, and undergraduate major or a graduate program of study; or
A student seeking a graduate certificate

Criteria 2:

The student must have registered into and successfully completed at least one credit in a semester in the previous two years.

A student who fulfills Criteria 1, will cease to be an active student at the University if they do not register for and successfully complete at least one credit in a semester within two years, will be administratively removed from the University and be categorized as inactive.

The credits that the student accumulates as an active student will not expire upon becoming an inactive student, unless the student has been admitted to a graduate program, refer to the Graduate Student Handbook for the program completion timeframe guidelines.

Graduate Studies at SCSU has procedures for an admitted student to request a leave or absence, please see the Graduate Student Handbook for information on that process.

An inactive student intending to return to the University will not have to reapply for admission to the University, but will need to reapply for admission into a current program of study.

System

The Colleges and Universities of Minnesota State.

Contacts

Responsible University Officer Dietz, Larry H. Interim President	larry.dietz@stcloudstate.edu --
Owner Siminoe, Judith P. Vice President for University Affairs and Advisor to the President	jpsiminoe@stcloudstate.edu 320-308-2124
Contact Siminoe, Judith P. Vice President for University Affairs and Advisor to the President	jpsiminoe@stcloudstate.edu 320-308-2124

To make a comment or suggest changes to this policy:

St. Cloud State University Users: Login
Non-St. Cloud State Users: Email comments to policy@stcloudstate.edu