Seattle Pacific University is dedicated to ensuring the privacy and proper handling of private and restricted information of students, employees, and individuals associated with the University. The primary purpose of this policy is to increase awareness as to the proper handling of sensitive information, and to ensure that University employees and students know and comply with all applicable laws and regulations. This policy establishes minimum requirements for the proper handling and protection of confidential data.
Seattle Pacific has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. All departments are responsible to limit access of confidential data to only those individuals with a business need to the information in order to do their job. For definitions and examples, see Data Classification Levels.
Data classified as restricted will not be stored by the University or any of its employees in any fashion without explicit approval from the CIO.
Entities Affected By This Policy
All University faculty, staff and affiliates with access to confidential or restricted institutional data.
Reason for Policy
To protect individuals whose data is stewarded by the University, and to comply with Federal, State and Local statutes pertaining to the storage, use and transmission of sensitive data entrusted to the University and its systems.
Policy Version: 1.0
Responsible Office:Computer and Information Systems Responsible Executive: AVP for Information Technology / CIO
Effective Date: July 1, 2019 Last Updated: July 1, 2019
Storage, Transmission, and Back-up of Confidential Data
Confidential data must stored with great care in compliance with University and regulatory requirements.
Confidential data in electronic format must be stored on a computer or server centrally managed by Computing and Information Services (CIS) or in an environment that is under strict legal contracts with the university that meet this policy. Data may not be stored on a non-CIS managed computer, portable storage device, or cloud storage.
Computers, servers, and other data systems must run current operating systems and software under vendor support for regular security patches
Any exception to this must be reviewed by CIS management to ensure compliance with confidential data storage regulations
Confidential data in any hard copy format must be stored in locked cabinets or offices, and not be able to be accessed by unauthorized persons
Only encrypted networks or communications tools may be used in the digital transmission of confidential data
Confidential data may not be transmitted via email without use of an specialized email encryption tool
CIS backs up all electronically stored confidential data stored in pre-approved University data systems