Seattle Pacific University is dedicated to ensuring the privacy and proper handling of private and restricted information of students, employees, and individuals associated with the University. The primary purpose of this policy is to increase awareness as to the proper handling of sensitive information, and to ensure that University employees and students know and comply with all applicable laws and regulations. This policy establishes minimum requirements for the proper handling and protection of confidential data.

Seattle Pacific has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. All departments are responsible to limit access of confidential data to only those individuals with a business need to the information in order to do their job. For definitions and examples, see Data Classification Levels.

Data classified as restricted will not be stored by the University or any of its employees in any fashion without explicit approval from the CIO.

Entities Affected By This Policy

All University faculty, staff and affiliates with access to confidential or restricted institutional data.

Reason for Policy

To protect individuals whose data is stewarded by the University, and to comply with Federal, State and Local statutes pertaining to the storage, use and transmission of sensitive data entrusted to the University and its systems.

Policy Version: 1.0

Responsible Office: Computer and Information Systems
Responsible Executive: AVP for Information Technology / CIO

Effective Date: July 1, 2019
Last Updated: July 1, 2019

Storage, Transmission, and Back-up of Confidential Data

Storage

Confidential data must stored with great care in compliance with University and regulatory requirements.

Confidential data in electronic format must be stored on a computer or server centrally managed by Computing and Information Services (CIS) or in an environment that is under strict legal contracts with the university that meet this policy. Data may not be stored on a non-CIS managed computer, portable storage device, or cloud storage.
- Computers, servers, and other data systems must run current operating systems and software under vendor support for regular security patches
- Any exception to this must be reviewed by CIS management to ensure compliance with confidential data storage regulations
Confidential data in any hard copy format must be stored in locked cabinets or offices, and not be able to be accessed by unauthorized persons

Transmission

Only encrypted networks or communications tools may be used in the digital transmission of confidential data
Confidential data may not be transmitted via email without use of an specialized email encryption tool

Backup

CIS backs up all electronically stored confidential data stored in pre-approved University data systems
It is the responsibility of the data steward of all other confidential data to back it up and store it in a secure and controlled location
Backups of confidential data must be encrypted

Related Policies and Procedures

Institutional Policy

Handling Confidential Data

Statement and Purpose

Table of Contents