Office of Origin: Institutional Research
Responsibility: Executive Director, Institutional Research
Original Date Adopted: 10-22-2013
Dates Reviewed: 09-18-2018
Last Date Approved: 03-24-2020

Institutional data is defined as all data created, collected, maintained, recorded or managed by Lake Michigan College (the College). The College collects institutional data for multiple purposes, including data used for planning, managing, operating, controlling, or auditing College functions, and compliance reporting. Institutional data also includes research data that contains personally identifiable subject information and proprietary College information and trade secrets.

Institutional data is an organizational asset and therefore owned and managed by the College. The Data Management Policy and accompanying procedures articulates the protection of the College’s institutional data from accidental or intentional unauthorized access, damage, alteration or disclosure while preserving the ability of authorized users to access and use institutional data for appropriate purposes and setting guidelines for publishing and reporting institutional data.

1. College administration is responsible for identifying authorized users and may limit the distribution of institutional data at its discretion.
2. The College will establish appropriate procedures to collect, maintain, and protect institutional data. These procedures are intended to protect the privacy of its students, faculty, staff, and patrons to the greatest extent possible, as well as to advance the mission of the College using institutional data.
3. College employees working with or using institutional data in any manner must comply with all federal, Michigan, and other applicable laws. Examples include the federal Family Education Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the college’s policy on Acceptable Use of Technology Resources.
4. College employees are responsible for ascertaining, understanding, and complying with all laws, rules, policies, standards, contracts and licenses applicable to their own and their subordinates' specific uses of institutional data.
5. All published findings or hypothesis shared with outside organizations, not including federal or state agencies, must be approved in advance by the Institutional Review Board.
6. Data will at all times be used in an ethical manner that represents the best interest of the students, employees, and the mission of the College.
7. All institutional data must be managed and maintained in accordance with the College’s Records Retention policy.
8. All requests for institutional data received under the Freedom of Information Act must be directed to the legal representative for the college.

Data User Roles

College employees authorized to use institutional data must understand and fulfill the responsibilities associated with their assigned level of access to institutional data, including a signed copy of all relevant forms (FERPA, Confidentiality Agreement) in the employees’ records. These responsibilities are assigned roles as follows:

1. Data Trustee: a senior College administrator with management and policy responsibilities.
2. Data Steward: a College employee with direct operational responsibility for the collection, storage, retrieval, and protection of any type of institutional data.
3. Data Custodian: a College unit or employee responsible for the operation and management of systems and servers which collect, manage, and provide access to institutional data.
4. Data User: a College unit, employee, or student using institutional data in the authorized conduct of College business.

Within one year of the date of approval of this policy, all employees will be designated by the Data User Roles system. A list of all employee data user roles, as defined above, will be assigned by the Office of Information Technologies, and maintained by the Office of Human Resources. All new positions created after the date of approval of this policy must have a Data User Role assigned prior to hire.

Data Use Classifications

The College’s institutional data is classified as one of the following categories below. Membership to a Data Use Classification category are assigned by the College’s Data Management Team and approved by the President.

1. Public - Data intended for broad distribution in support of the College's mission and/or freely available to any person or organization with no restrictions. Examples include aggregated data available on the public website and reported to state and federal agencies, e.g. IPEDS, VFA, STARR.
2. Limited Access- Data available without restriction for College use, but whose integrity must be carefully maintained. Examples include anonymous data collected via surveys, focus groups, interviews, or data used interdepartmentally where data is sanitized of any restricted information.
3. Restricted - Data that is limited to College operations, protected or regulated by law. Restricted data must be shared using secure protocols such as an internal restricted shared drives or encrypted data files. Examples include but are not limited to: personal identifying information such as social security numbers, credit card numbers, personally identifiable healthcare data and student records, proprietary information, trade secrets, and any confidential information on surveys or interviews.

All data roles are responsible for classifying institutional data under their stewardship and managing it accordingly. This responsibility includes assessing the level of security required for confidential or sensitive information, controlling access to data appropriately, and informing those under their supervision or their responsibility to protect data to which individual employees are authorized to view, access, maintain, or distribute such.

Restricted Data Requirements

While all institutional data should be protected, restricted data must be given the utmost protection. To help ensure this, at a minimum, restricted data must be:

1. Stored and shared on a LMC protected internal drive or intranet site, e.g. SharePoint, MS Teams, etc.
2. Encrypted if stored or used on portable devices issued by the College, if removed from a College location, or if electronically transmitted. See LMC Data Security Policy
3. Never stored on a personally-owned computer or storage device.
4. Never stored or used by a non-employee without non-disclosure agreement to provide appropriate protection to the same standards used by the College.

Breaches, losses, or unauthorized exposures of restricted data must be immediately reported to the IT.

Other Data Requirements

Data Trustees, Data Stewards, Data Custodians, or specific College units may have additional policies covering institutional data within their areas of operational or administrative control. Consult your supervisor, unit management, or the appropriate data trustee, data steward, or data custodian if further information is needed.
College employees must report actual or suspected criminal activity associated with any institutional data to the HR and IT for action and coordination, if required, with law enforcement agencies. In a perceived emergency situation, College administration may take immediate steps, including denial of access to the College’s network and institutional data as well as seizure and quarantine of College-owned data processing and storage assets, to ensure the integrity of College data and systems and to protect the College from liability.

Enforcement

College employees or non-employees acting on behalf of the College who violate this policy may be denied access to institutional data and may be subject to other penalties and disciplinary actions, up to and including termination.

References: Acceptable Use for Technology Resources; Conflict of Interest – Employee; External Agencies – Compliance with Requirements; Family Education Rights to Privacy Act (FERPA) Compliance: Student Information; Freedom of Information Act and Guidelines; Health Insurance Portability and Accountability Act (HIPAA); Identity Theft Prevention and Red Flag Rules; Protection of Human Subjects in Research; Record Retention; Social Security Number; Student Records Retention and Disposal