Workplace Practices: Information Security
William C. Rickle, S.J.
Date to be reviewed:
Director of Human Resources
All employees of Wheeling Jesuit University are responsible for protecting against the unintended or unauthorized disclosure of information to either internal or external sources. Furthermore, the University respects the information associated with the business practices of other institutions and organizations. Consequently, the acquisition or collection of information from other institutions and organizations is also regulated and employees will be held to the same standards in obtaining that information. This policy is not intended to discourage concerted activity such as discussion or efforts among employees to change the working conditions or terms of employment.
2.0 POLICY STATEMENT
2.1.1 "Information" includes printed or electronic files, emails, and the content of verbal communications.
2.1.2 "Protection" refers to the security of the information from inception through disposal, including retention, storage, and transfer.
2.1.3 "Hierarchy of Security" refers to the level of protection applied to the Information.
2.1.4 "Sharing" means conveyance of information including, but not limited to, transmission via copying, mailing, electronic transfer or speech. This also includes receipt of Information, the acquisition of which could adversely affect the University's reputation.
2.1.5 "Nondisclosure Agreement", or NDA, is a legal instrument designed to protect Information deemed "Restricted" by the University.
2.1.6 "Senior Leadership" includes the President's direct reports.
2.1.7 "Senior Administration" includes Senior Leadership, department directors, officers, and those who have specific budgetary responsibilities. Faculty chairs will be equivalent.
Information that is to be protected includes data specific to Wheeling Jesuit University and data obtained from or supplied to a third party. University supervisors, directors, and administrators are to apply the appropriate level of protection, according to the Hierarchy of Security, associated with the Information that they manage and share. Secretaries, administrative assistants, staff employees, and student workers are to respect the protection associated with Information and understand that they are functioning as an extension of their supervisors; therefore, they are bound to comply with the same protection as the supervisor to whom they are assigned.
2.3 Hierarchy of Security
2.3.1 Public: Information of general knowledge that can be shared freely among the public or employees of the University including university calendars, brochures, mission statements, etc., and all published information delivered in any form or media (paper, radio, television) or on the website.
2.3.2 Private-Confidential: Includes two types of information:
- Private - Personal information on individual employees and students where access is controlled according to federal, state or local regulations including: individual personnel files protected by state laws, individual medical files protected by HIPAA, and student files and academic records protected by both HIPAA and FERPA. Permission to access this information (such as inspecting files) or pass it to a third party (such as insurance providers for quotes) will be granted to specific University employees in accordance with their job descriptions and applicable federal, state or local regulations and in compliance with necessary security measures to maintain individual privacy. Employee addresses, phone numbers, email, and cell phones, in addition to University benefits plans and salary & wage scales, are not private or covered by federal, state, or local regulations.
- Confidential - Includes departmental budgets, grants, etc. This information is protected on a "needs-to-know" basis among senior administration and faculty chairs. Permission to access this information may be granted to specific individuals below senior administration and faculty chair in accordance with the directives of senior administration and the approval of senior leadership.
2.3.3 Restricted: Information that is protected because of its proprietary nature. This information includes: proprietary University budgets and financial information, technology, grants, information of a strategic or proprietary nature, intellectual capital, research impacting a program or the potential start-up of an entrepreneurial outgrowth, legally protected files designated attorney-client privilege, etc., as well as proprietary information on donors, alumni, or business partners, etc. This Information is protected on an "eyes-only" basis among University senior leadership and can only be shared at that level or above. Every individual on University senior leadership must have an NDA on file in the Human Resources Department when they are appointed to this level. If it is appropriate for an employee outside of University senior leadership to handle restricted information, that employee shall be preapproved by the President and sign an NDA beforehand.
2.4 Identifying / Handling Information
2.4.1 Information that is shared jointly among University administration and faculty shall be considered Private-Confidential. Other employees who, in the course of their employment, handle such Information for a supervisor shall consider it Private-Confidential and comply with any applicable federal, state or local regulations.
2.4.2 All information that is Restricted shall be handled by senior leadership only (exception: permission may be granted to senior administration). If it is to be circulated below that level, it should be identified at the time of dissemination, and any employee handling such information must sign an NDA beforehand.
2.4.3 The University will employ legal and ethical means to collect and disseminate Information and will not collect or disseminate such Information unless the party from whom the Information is obtained or to whom the Information is sent is agreeable to the University's application of that Information.
2.4.4 Employees may not disclose Restricted data or Private-Confidential information protected by HIPAA, FERPA, Personnel File Laws, or information of a proprietary nature regarding employees, students, business partners, vendors or customers, to family, student workers and other University employees not authorized to have access to the Information, nor may they download such Information to personal devices. Employees should avoid leaving Private-Confidential or Restricted Information lying openly on desks, computer monitors or copiers, and should avoid printing on remote printers and failing to retrieve the Information immediately afterward. There is no prohibition on employees discussing their wages, benefits, or public information such as phone numbers, addresses, or contact information either inside or outside the workplace.
2.5 Consequences for Failure to Adhere
Individuals who fail to adhere to this Policy may be disciplined according to the policy on Corrective Discipline. Such discipline may range from a simple memo placing them "on notice" or a counseling session up to and including termination. The level of discipline will be determined according to the policy, whether it is a minor or major infraction, the number of prior occurrences, the type of Information shared, the intent of the party, and the exposure to the University.
The Director of Human Resources may change this policy at any time, with or without notice, and all such changes must be approved by the University President or his designee.