Protection of Compliant Data when using non-University Devices or Networks

Employees who work at home or at non-University locations and employees who use non-University devices will follow the measures below. Employees who telecommute will also follow these measures as part of their telecommuting agreement.

Compliant data includes personally identifiable information, confidential research information, and information that requires protection under law or agreement. Examples of compliant data include: financial records, health records, student educational records, and any information which could permit a person to attempt to harm or assume the identity of an individual such as an individual’s name in combination with a Social Security, credit card or bank account number.

1. University-owned Device

An employee who stores, accesses, or emails Compliant Data, other than limited student data as it pertains to a particular course (such as faculty records of student activity in a course), will work with Campus IT to ensure the necessary precautions are taken and encryption is enabled on the device. Accessing Compliant Data through MaineStreet does not require working with Campus IT.

2. Non-University-owned Devices

An employee who uses a non-University owned device for work, even if only for University email, agrees to:

  • Never store Compliant Data other than student course information on a non-University-owned device. For example, faculty may store student data, including class lists and information about current students.
  • Never store, download or cache University data, including email attachments, on public computers such as those in public libraries or computer cafes.
  • Install virus protection software on a computer which is used to access University systems and manage the system in such a way that the system is monitored and virus signatures are kept current.
  • Disable the web browser’s option to store passwords to University systems.
  • In the case of a suspected breach, report it to Campus IT and, if required, provide access to his or her personally-owned device to UMS staff.

3. Portable Storage Devices

An employee who uses a portable storage device (e.g., portable HDD, memory stick, thumb drive, etc.) agrees that if he or she moves or stores Compliant Data, other than student course information, with a portable storage device, the employee will work with Campus IT to encrypt the Compliant Data storage area and securely erase the device or files when finished using the device for Compliant Data storage.

4. Non-University Network

An employee who has a wireless network at home and might access Compliant Data must secure the wireless network with encryption even if the computer being used is hardwired. An employee who uses non-University networks to access Compliant or Business Sensitive data will be sure the connection is secure (for example through https).
