Data Security and Privacy Policy
In effect as of 6/19/2015 (pending approval of the IT Policy and allocation Committee)
Accounts
Access to GU IT resources is controlled through the use of account credentials and the permissions that are associated with those credentials. Greenville University provides account credentials to all members of the Greenville University community. All University-provided accounts are required to have a password. The account holder is responsible for guarding against unauthorized use of their account and is responsible for any activity originating from their account. Account holders must not leave any of their accounts “logged in” and unattended. If the account holder discovers that another individual accessed their account without authorization, they must immediately report the intrusion to the Information Technology (IT) department. Account credentials are not to be shared with any other individuals, including family members.
Data Ownership
By their very nature, GU IT resources exist to be used for the creation, dissemination, consumption, and archival of data. Ownership of this data can be a confusing, and sometimes contentious, topic, and is defined differently for various types of data and for various roles within the University community.
The University is the owner of all data collected, stored, and/or managed by University employees or using University resources.
The University is the owner or co-owner unless the creation or collection of such data is governed by a written agreement or contract to the contrary.
However, there are some exceptions to this general statement:
Faculty
As a natural part of their role, faculty at Greenville University will create a great deal of scholarly data using GU IT resources. This scholarly data is generally the property of the faculty member who created it, and is not the property of Greenville University, unless a specific agreement is in place transferring ownership of the data to Greenville University.
Students
In the course of their University career, Greenville University students will create many papers, reports, projects, and other data for their classes using GU IT resources. This student-created data is generally the property of the student who created it, and is not the property of Greenville University, unless a specific agreement is in place transferring ownership of the data to Greenville University.
Email messages sent or received by Greenville University students and alumni within the panthers.greenville.edu domain are the property of the sender and/or receiver of the messages.
Many times students will also be employed by Greenville University. Any data created by a student using GU IT resources in the course of their duties as a student employee of Greenville University, excepting scholarly data created by a student employee under the supervision of a faculty member, is the property of Greenville University.
Personal Data
From time to time, it is likely that faculty, staff, and students will create data, using GU IT resources, that is not work-related, student academic-related, or scholarly. This incidental personal data is the property of the individual who created it, and is not the property of Greenville University.
Overall System Security
Members of the Greenville University community are required to report any breaches, possible breaches, or security vulnerabilities of which they become aware, of any GU IT resource, to the IT department or to the Director of Information Technology. Any attempt by an individual to access, copy, or modify security information or to obtain account permissions beyond those that have been granted, or perform any action that interferes with the management or operation of GU IT resources, or is likely to have such effects, is prohibited. The Greenville University Information Technology Department will assume leadership, responsibility, and control of responses, in conjunction with the senior administration of Greenville University, to unauthorized access to GU IT resources, unauthorized disclosure of data, and security breaches of GU IT resources.
Data Privacy
The Greenville University data infrastructure must be managed for the entire University community in a manner that attempts to preserve a level of privacy and confidentiality in accordance with relevant laws, regulations, and University policy. All account holders are expected to honor the privacy of data which they do not have permission to access. However, Greenville University cannot guarantee the privacy of data that exists on GU IT resources, whether the data is work-related, scholarly, student academic-related, or personal. Data ownership, as outlined in this policy, does not confer any expectation of privacy.
No member of the Greenville University community may access data that exists on GU IT resources unless their account has permission to access that data, except when, in specific, limited circumstances, Greenville University Information Technology personnel must access data that exists on GU IT resources.
GU IT personnel may access data that exists on GU IT resources when:
• Access permission is granted to GU IT personnel by an account holder who already has permission to access the data
• Access permission is granted to GU IT personnel by a senior administrator at Greenville University
• A situation occurs that causes GU IT personnel to believe that an active process has the potential to negatively impact the operation of any GU IT resource
Data Privacy and Email
The concept of data privacy as it relates to email creates a unique situation due to the implicit expectations of the sender of the email. The sender must be able to trust that no person other than the addressed recipient(s) will have initial access to the content of the message. Furthermore, the sender has an expectation that the recipient(s) will use their best judgement to evaluate the content of the message when determining if that message should be shared with any other individuals. Because of the implied burden placed on the recipient to protect the privacy of the sender, no party may grant another party full access to the first party’s email account. If it is necessary for multiple individuals to have access to a single email account, an account with a name that makes it clear that the account is being shared is the only acceptable solution.
Definitions
GU IT Resources include any:
• Computing device
• Data storage device
• Production device (e.g. printer, copier, 3D printer, monitor, projector)
• Data network device
• Telephone network device
• Data transmission medium (e.g. cabling, wireless network transmissions)
• Software application
• Email system operated within the greenville.edu domain
• Set of account credentials which is owned or licensed by Greenville University
Data – any information processed, stored and/or transmitted electronically
Data Security and Privacy Policy Maintenance
Policies may be updated and modified from time to time. The latest approved version of this policy will be posted on the Greenville University web site. This draft of the policy was produced and is considered to be in effect as of 6/19/2015, pending approval of the IT Policy and Allocation Committee.
Attribution
Portions of this policy have been adapted from policies developed and published by Cornell University, Indiana University, and the University of Michigan.
Discipline
Every employee has the duty and responsibility to be aware of and abide by existing rules and policies. Employees also have the responsibility to perform his/her duties to the best of his/her ability and to the standards as set forth in his/her job description or as otherwise established.
Greenville University supports the use of a progressive discipline to address issues such as poor work performance or misconduct. Our progressive discipline policy is designed to provide a corrective action process to improve and prevent a recurrence of undesirable behavior and/or performance issues.
Outlined below are the steps of our progressive discipline policy and procedure. Greenville University reserves the right to combine or skip steps in this process depending on the facts of each situation and the nature of the offense, as it deems appropriate in each instance. The level of disciplinary intervention may also vary. Some of the factors that may be considered are whether the offense is repeated despite coaching, counseling and/or training; the employee’s work record; and the impact the conduct and performance issues have on our organization.
The following outlines Greenville University’s progressive discipline process:
• Verbal warning: A supervisor verbally counsels an employee about an issue of concern, and a written record of the discussion is placed in the employee’s file for future reference.
• Written warning: Written warnings are used for behavior or violations that a supervisor considers serious or in situations when a verbal warning has not helped change unacceptable behavior. Written warnings are placed in an employee’s personnel file. Employees should recognize the grave nature of the written warning.
• Performance improvement plan: Whenever an employee has been involved in a disciplinary situation that has not been readily resolved or when he/she has demonstrated an inability to perform assigned work responsibilities efficiently, the employee may be given a final warning or placed on a performance improvement plan (PIP). PIP status will last for a predetermined amount of time not to exceed 90 days. Within this time period, the employee must demonstrate a willingness and ability to meet and maintain the conduct and/or work requirements as specified by the supervisor and the organization. At the end of the performance improvement period, the performance improvement plan may be closed or, if established goals are not met, dismissal may occur.
• Suspension
• Termination
Greenville University reserves the right to determine the appropriate level of discipline for any inappropriate conduct, including oral and written warnings, suspension with or without pay, demotion, and discharge.