2.1.1 "Information" includes printed or electronic files, emails, and the content of verbal communications.
2.1.2 "Protection" refers to the security of the information from inception through disposal, including retention, storage, and transfer.
2.1.3 "Hierarchy of Security" refers to the level of protection applied to the Information.
2.1.4 "Sharing" means conveyance of information including, but not limited to, transmission via copying, mailing, electronic transfer or speech. This also includes receipt of Information, the acquisition of which could adversely affect the University's reputation.
2.1.5 "Nondisclosure Agreement", or NDA, is a legal instrument designed to protect Information deemed "Restricted" by the University.
2.1.6 "Senior Leadership" includes the President's direct reports.
2.1.7 "Senior Administration" includes Senior Leadership, department directors, officers, and those who have specific budgetary responsibilities. Faculty chairs will be equivalent.
Information that is to be protected includes data specific to Wheeling Jesuit University and data obtained from or supplied to a third party. University supervisors, directors, and administrators are to apply the appropriate level of protection, according to the Hierarchy of Security, associated with the Information that they manage and share. Secretaries, administrative assistants, staff employees, and student workers are to respect the protection associated with Information and understand that they are functioning as an extension of their supervisors; therefore, they are bound to comply with the same protection as the supervisor to whom they are assigned.
2.3 Hierarchy of Security
2.3.1 Public: Information of general knowledge that can be shared freely among the public or employees of the University including university calendars, brochures, mission statements, etc., and all published information delivered in any form or media (paper, radio, television) or on the website.
2.3.2 Private-Confidential: Includes two types of information:
- Private - Personal information on individual employees and students where access is controlled according to federal, state or local regulations including: individual personnel files protected by state laws, individual medical files protected by HIPAA, and student files and academic records protected by both HIPAA and FERPA. Permission to access this information (such as inspecting files) or pass it to a third party (such as insurance providers for quotes) will be granted to specific University employees in accordance with their job descriptions and applicable federal, state or local regulations and in compliance with necessary security measures to maintain individual privacy. Employee addresses, phone numbers, email, and cell phones, in addition to University benefits plans and salary & wage scales, are not private or covered by federal, state, or local regulations.
- Confidential - Includes departmental budgets, grants, etc. This information is protected on a "needs-to-know" basis among senior administration and faculty chairs. Permission to access this information may be granted to specific individuals below senior administration and faculty chair in accordance with the directives of senior administration and the approval of senior leadership.
2.3.3 Restricted: Information that is protected because of its proprietary nature. This information includes: proprietary University budgets and financial information, technology, grants, information of a strategic or proprietary nature, intellectual capital, research impacting a program or the potential start-up of an entrepreneurial outgrowth, legally protected files designated attorney-client privilege, etc., as well as proprietary information on donors, alumni, or business partners, etc. This Information is protected on an "eyes-only" basis among University senior leadership and can only be shared at that level or above. Every individual on University senior leadership must have an NDA on file in the Human Resources Department when they are appointed to this level. If it is appropriate for an employee outside of University senior leadership to handle restricted information, that employee shall be preapproved by the President and sign an NDA beforehand.
2.4 Identifying / Handling Information
2.4.1 Information that is shared jointly among University administration and faculty shall be considered Private-Confidential. Other employees who, in the course of their employment, handle such Information for a supervisor shall consider it Private-Confidential and comply with any applicable federal, state or local regulations.
2.4.2 All information that is Restricted shall be handled by senior leadership only (exception: permission may be granted to senior administration). If it is to be circulated below that level, it should be identified at the time of dissemination, and any employee handling such information must sign an NDA beforehand.
2.4.3 The University will employ legal and ethical means to collect and disseminate Information and will not collect or disseminate such Information unless the party from whom the Information is obtained or to whom the Information is sent is agreeable to the University's application of that Information.
2.4.4 Employees may not disclose Restricted data or Private-Confidential information protected by HIPAA, FERPA, Personnel File Laws, or information of a proprietary nature regarding employees, students, business partners, vendors or customers to family, student workers and other University employees not authorized to have access to the Information, or download such Information to personal devices. Employees should avoid leaving Private-Confidential or Restricted Information lying openly on desks, computer monitors or copiers, and should avoid printing on remote printers and failing to retrieve the Information immediately afterward. There is no prohibition on employees discussing their wages, benefits, or public information such as phone numbers, addresses, or contact information either inside or outside the workplace.
2.5 This Information Security policy is not intended to prevent employees from discussing the terms and conditions of employment with co-workers or discussing union organizing or other protected, concerted activities with co-workers in the workplace provided, however, that such discussion is consistent with the intent of this policy regarding proprietary information, protected information (HIPAA) on other employees absent their consent, and the University policy on Solicitation.
2.6 Our Information Security policy applies with equal force with respect to social media. While employees are free to use social media in concert with co-workers to discuss or otherwise address public information, wages, hours, working conditions, workplace complaints, and other terms and conditions of employment, use of social media with University information beyond these topics shall be governed by our policy on Information Security to the extent that it applies to off-duty conduct.
2.7 Consequences for Failure to Adhere
Individuals who fail to adhere to this Policy may be disciplined according to the policy on Corrective Discipline. Such discipline may range from a simple memo placing them "on notice" or a counseling session up to and including termination. The level of discipline will be determined according to the policy, whether the infraction is minor or major, the number of prior occurrences, the type of Information shared, the intent of the party, whether the discussion and the information are protected per 2.5 above, and the exposure to the University.