Institutional Data Management
Office of Origin: Institutional Research
Responsibility: Chief Information Officer
Original Date Adopted: 10-22-13
Dates Reviewed: 9-18-18, 5-21-24
Last Date Board Approved: 5-21-24
Institutional data is defined as all data created, collected, maintained, recorded or managed by Lake Michigan College (the College). The College collects institutional data for multiple purposes, including data used for planning, managing, operating, controlling, or auditing College functions, and compliance reporting. Institutional data also includes research data that contains personally identifiable subject information and proprietary College information and trade secrets. Institutional data is an organizational asset and therefore owned and managed by the College.
This policy and accompanying procedures articulate the protection of institutional data from accidental or intentional unauthorized access, damage, alteration or disclosure while preserving the ability of authorized users to access and use institutional data for appropriate purposes and setting guidelines for publishing and reporting institutional data.
- Cabinet is responsible for identifying authorized users and may limit the distribution of institutional data at its discretion.
- The College will establish appropriate procedures to collect, maintain, and protect institutional data. These procedures are intended to protect the privacy of its students, faculty, staff, and patrons to the greatest extent possible, as well as to advance the mission of the College using institutional data.
- Employees working with or using institutional data in any manner must comply with all federal, Michigan, and other applicable laws. See reference section for examples.
- Employees are responsible for determining, understanding, and complying with all laws, rules, policies, standards, contracts, and licenses applicable to their own and their subordinates' specific uses of institutional data.
- All published findings or hypotheses shared with outside organizations, not including federal or state agencies, must be approved in advance by the Institutional Review Board.
- Data will at all times be used in an ethical manner that represents the best interest of the students, employees, and the mission of the College.
- All institutional data must be managed and maintained in accordance with the College’s Records Retention policy.
- All employees are responsible for understanding the types of institutional data under their stewardship and managing it accordingly. This responsibility includes assessing the level of security required for confidential or sensitive information, controlling access to data appropriately, and informing those under their supervision or their responsibility to protect data that individual employees are authorized to view, access, maintain, or distribute.
Restricted Data Requirements
While all institutional data should be protected, restricted data must be given the utmost protection. To help ensure this, at a minimum, restricted data must be:
- Stored and shared on a protected internal drive or intranet site, e.g. Employee Portal (aka SharePoint), MS Teams, etc.
- Encrypted if stored or used on portable devices, if removed from a College location, or if electronically transmitted.
- Never stored on a personally-owned computer or storage device.
- Never stored or used by a non-employee without a non-disclosure agreement to provide appropriate protection to the same standards used by the College.
Breaches, losses, or unauthorized exposures of restricted data must be immediately reported to IT.
Other Data Requirements
Specific College units may have additional policies covering institutional data within their areas of operational or administrative control. Consult your supervisor or the unit’s management if further information is needed.
Employees must report actual or suspected criminal activity associated with any institutional data to HR and IT for action and coordination, if required, with law enforcement agencies. In a perceived emergency situation, College administration may take immediate steps, including denial of access to the College network and institutional data as well as seizure and quarantine of College-owned data processing and storage assets, to ensure the integrity of data and systems and to protect the College from liability.
Enforcement
Employees or non-employees acting on behalf of the College who violate this policy may be denied access to institutional data and may be subject to other penalties and disciplinary actions, up to and including termination.
References: Acceptable Use for Technology Resources; Conflict of Interest – Employee; External Agencies – Compliance with Requirements; Family Education Rights to Privacy Act (FERPA) Compliance: Student Information; Freedom of Information Act and Guidelines; Health Insurance Portability and Accountability Act (HIPAA); Identity Theft Prevention and Red Flag Rules; Protection of Human Subjects in Research; Record Retention; Social Security Number; Employee Compliance with Requirements of External Organizations