Standard for Handling Institutional Information - 3. Handling Electronically Stored Information
Information stored electronically, whether on servers, removable media, mobile devices, or “in the cloud,” should be handled according to the highest Classification of information contained in the file. For example, if a file contains both PL-2 and PL-4 information, then the file should be handled according to the handling requirements for PL-4 information.
Storage on servers
This category includes New School central and departmental file storage servers. It may also include storage on servers hosted or operated by third party vendors with whom The New School has contracted for services. This category does not include cloud storage and collaboration services (see "Storage on cloud storage and collaboration services" below).
SERVERS REQUIRING AUTHENTICATION
This subcategory includes servers where access is protected via New School authentication credentials. These credentials include the New School NetID and password, or a username and password combination issued by an application administrator when the New School NetID and password cannot be reasonably used. Examples of storage scenarios in this subcategory include:
- Information stored on servers that can be accessed from a campus workstation as part of a user’s workstation profile (“share drives”).
- Information stored on servers that can be accessed remotely via a file transfer protocol where New School authentication credentials must be provided before a user can access the files.
- Information stored on servers that can be accessed remotely via the use of an application through the Internet where New School authentication credentials must be provided before a user can access the files.
- New School web servers containing information intended for New School dissemination only and where New School authentication credentials must be provided before a user can access the information.
- Information stored on third party hosted servers where the university has determined that there is a business need for the vendor’s solution, the university has entered into a contract with the vendor, and New School authentication credentials are used to access the vendor’s solution. (This situation is usually documented extensively through New School business practices.)
University-provided central and departmental servers are among the most secure places to store Sensitive Institutional Information. However, some Sensitive Institutional Information types may be subject to laws or regulations that require additional security and/or privacy safeguards to be implemented. These information types are usually Classified at Protection Level PL-4. "Special requirements for regulated information" discusses these requirements in more detail.
Prot. Level | Requirements |
PL-1 | No special requirements. |
PL-2 | No special requirements. |
PL-3 | Personal Data: Must be Pseudonymized and encrypted, either at the file level or the database column level. |
PL-4 | Special Categories of Personal Data: Must be Pseudonymized and encrypted, either at the file level or the database column level. |
SERVERS NOT REQUIRING AUTHENTICATION
This subcategory includes servers where the information stored on those servers can be accessed via the Internet, and where that access does not require the use of New School authentication credentials. Examples of storage scenarios in this subcategory include:
- New School web pages with information intended for public dissemination
- Files on servers that can be accessed remotely via the use of an application through the Internet where New School authentication credentials are not required before access.
Application Owners and Data Owners are urged to use caution when providing access to Institutional Information without appropriate New School authentication. For instance, when allowing non-New School users to access New School data, an Application Owner or Data Owner must ensure that there are adequate protections (such as password protection, encryption, and secure communication channels) in place to protect that data.
Prot. Level | Requirements |
PL-1 | No special requirements. |
PL-2 | Not permitted. |
PL-3 | Not permitted. |
PL-4 | Not permitted. |
Storage on cloud storage and collaboration services
The New School-branded version of Google’s G Suite (formerly Google Apps) applications (reachable through MyNewSchool or {calendar,drive,docs}.newschool.edu) is the official university general-purpose cloud storage and collaboration platform.
Canvas is the official university learning management system.
Starfish is the official university student success network.
NEW SCHOOL G SUITE
Google, Inc. hosts the New School G Suite collection of applications on behalf of the university in accordance with a specially negotiated end-user license agreement designed to protect the privacy and security of information owned by The New School and the members of its community. The agreement ensures that Google will not access or reuse information stored in these applications for its own commercial purposes, and adds special protection for Education Records subject to the Family Educational Rights and Privacy Act (FERPA).
Prot. Level | Requirements |
PL-1 | No special requirements. |
PL-2 | No special requirements. |
PL-3 | Education Records: Limit sharing to individuals with a “legitimate educational interest;” do not share externally (outside the |
PL-4 | Not permitted. |
Appropriate and inappropriate uses of the New School G Suite platform
The New School G Suite platform is appropriate for many types of business communication and collaboration, but the nature and sensitivity of some types of information, as well as applicable security and privacy policies, laws, regulations, or other restrictions must be carefully considered before choosing to store information there.
- The New School G Suite platform may be used to store and share Institutional Information Classified at Protection Levels PL-1 and PL-2.
- The New School G Suite platform may be used to store and share Education Records and N-numbers.
Traditionally, grades, class rosters, and other information about students were shared via email, spreadsheets, and hard copy documents. All of those methods have security concerns and deficiencies. The use of a Google document or spreadsheet for these purposes has several advantages over these methods. However, care must be taken to ensure that only those individuals with a “need to know” have access to the information. In particular, class rosters and other documents that include identifying information about students should never be “published to the web,” since FERPA prohibits the release of such information outside the confines of the university.
- The New School G Suite platform may be used to store and share Personal Data about Workforce Members, but only those attributes that would typically be present in the job-related documentation sections of their personnel files (those sections accessible to HR Partners, managers, and supervisors).
Traditionally, less sensitive information about Workforce Members was shared via email, spreadsheets, and hard copy documents. All of those methods have security concerns and deficiencies. The use of a Google document or spreadsheet for these purposes has several advantages over these methods. However, care must be taken to ensure that only those individuals with a “need to know” have access to the information. In particular, documents that include Personal Data about Workforce Members should never be “published to the web.”
More sensitive Personal Data, such as attributes that would typically only be present in the confidential sections of Workforce Members’ personnel files (those sections accessible only to “Central HR”) and especially those attributes considered Special Categories of Personal Data, must never be stored or shared on the New School G Suite platform.
- Except for Education Records and some types of Personal Data as described above, the New School G Suite platform is generally not appropriate for storing or sharing information Classified at Protection Level PL-3. Consult with the Data Owner and/or the Information Security and Privacy Office before engaging in any such activity.
- The New School G Suite platform is not appropriate for storing or sharing information Classified at Protection Level PL-4. Information in this category includes data subject to state, federal, and international privacy laws and regulations, such as Social Security Numbers, Individual Taxpayer Identification Numbers, Personal Financial Information, Protected Health Information, and Special Categories of Personal Data.
- Although Google maintains multiple copies of all information stored on the New School G Suite platform to ensure that it is always available even in the event of a hardware or software failure within the Google infrastructure, the New School G Suite platform should not be used as the sole storage location for business critical university records. Although such records may be kept on the New School G Suite platform for ease of use and collaboration, a primary copy should be kept internally on a network file share where it can be regularly backed up.
Guidelines for sharing information on the New School G Suite platform
One of the key benefits of the New School G Suite platform is the ease with which information can be shared with others. However, care must be taken, especially when sharing Education Records, to ensure that information is not shared too broadly.
- Check the email address. Be sure that you are choosing the proper email address, as there are many similar and duplicate names in the newschool.edu domain. It is also possible to share a document with individuals outside the university by entering an email address. In these scenarios, make sure you are certain that the email address you enter is that of the colleague you intend to share the data with, and that they will use it responsibly.
- Check the scope of distribution. Choose wisely as to whether you want those you are sharing a document with to have the ability to edit the document (the default), or to only be able to view the document without making changes. When you provide someone with the ability to edit the document, they also have the ability to share it with others.
- Use “publish to the web” carefully. The “publish to the web” sharing option makes a document visible to anyone on the Internet. Although some information may be appropriate for that view, carefully evaluate the use of this option. In particular, documents that contain Personal Data must never be “published to the web.”
CANVAS
Instructure, Inc. hosts the Canvas learning management system on behalf of The New School in accordance with a license agreement designed to protect the privacy and security of information owned by The New School and the members of its community. The agreement ensures that Instructure will not access or reuse information stored in Canvas for its own commercial purposes, and includes protection for Education Records subject to the Family Educational Rights and Privacy Act (FERPA).
Prot. Level | Requirements |
PL-1 | No special requirements. |
PL-2 | No special requirements. |
PL-3 | Education Records: Limit sharing to individuals with a “legitimate educational interest.” |
PL-4 | Not permitted. |
STARFISH
Starfish Retention Solutions (a subsidiary of Hobsons, Inc.) hosts the Starfish suite of applications (the “New School Student Success Network”) on behalf of The New School in accordance with a license agreement designed to protect the privacy and security of information owned by The New School and the members of its community. The agreement ensures that Starfish Retention Solutions and Hobsons will not access or reuse information stored in Starfish applications for their own commercial purposes, and includes protection for Education Records subject to the Family Educational Rights and Privacy Act (FERPA).
Prot. Level | Requirements |
PL-1 | No special requirements. |
PL-2 | No special requirements. |
PL-3 | Education Records: Limit sharing to individuals with a “legitimate educational interest.” |
PL-4 | Not permitted. |
OTHER SERVICES
With the exception of the services identified above, the license agreements for most other cloud services, regardless of whether they are offered through The New School, do not provide legal protection or accountability for New School Institutional Information. They also generally do not comply with the information security and privacy safeguards required by state, federal, and international laws and regulations or university policies. Some of the more common services in this category include, but are not limited to, Dropbox.com, Box.com, Apple iCloud, Microsoft OneDrive, Office 365, Adobe Creative Cloud, and the consumer Google G Suite platform.
Prot. Level | Requirements |
PL-1 | No special requirements. |
PL-2 | Not permitted. |
PL-3 | Not permitted. |
PL-4 | Not permitted. |
Storage on removable/transportable media
This category includes any type of removable/transportable media on which electronic information can be stored, such as external and portable hard drives, magnetic tapes, diskettes, CDs, DVDs, digital memory cards (SD, Compact Flash, Memory Stick, etc.), and USB storage devices.
This category is intended to apply to a person’s direct use of removable/transportable media and does not apply to archival, disaster recovery, and backup media used by the New School Office of Information Technology as part of normal operational activities. Such archival electronic media must be properly secured from loss, theft, and unauthorized access.
Information users are reminded that internal servers, where New School authentication is required (see "Servers requiring authentication" above), are the best place to store all categories of Institutional Information, particularly information Classified at Protection Level PL-4. Information users are urged to consult the relevant Data Owner if Sensitive Institutional Information must be stored on removable/transportable media.
Prot. Level | Requirements |
PL-1 | No special requirements. |
PL-2 | No special requirements. |
PL-3 | Not advised; limit to situations where operationally necessary. |
PL-4 | Not permitted unless no reasonable alternative is available. |
Storage on mobile devices
This category includes all devices, regardless of name, that serve as stand-alone, mobile computing devices. Devices such as laptop computers, tablet computers, smart phones, cell phones, e-readers, and personal digital assistants fall into this category. This requirement is concerned with storage of Institutional Information on mobile devices when the information is not actively being used; it is not concerned with the short-term incidental storage of such information while that information is being processed on the device (e.g., as a file is being edited).
Information users should exercise caution and common sense when storing Institutional Information on personally owned computing devices, including electronic media. In almost all instances, Sensitive Institutional Information should never be stored on personally owned computing devices.
Prot. Level | Requirements |
PL-1 | No special requirements. |
PL-2 | No special requirements. |
PL-3 | Not advised; limit to situations where operationally necessary. |
PL-4 | Not permitted unless no reasonable alternative is available. |
Disposal of electronic media and electronic devices
Any electronic media (server hard drive, desktop or laptop hard drive, removable/transportable media, etc.) or electronic device used to process or store Institutional Information, regardless of Classification, must be properly Sanitized before it can be reused, resold, recycled, or discarded. See the Standard for Disposing of Institutional Information for details on Sanitization procedures.
Voicemail
The New School uses a computerized messaging system for voicemail services. Voicemail messages are stored on the messaging system and can be accessed from a telephone. Voicemail messages can also be forwarded to an email address as an audio file attachment.
Information users must exercise care in using the messaging system and in forwarding voicemail messages to email as an attachment, because such messages may contain Sensitive Institutional Information.
Prot. Level | Requirements |
PL-1 | No special requirements. |
PL-2 | No special requirements. |
PL-3 | Do not leave PL-3 information in a voicemail message. Ask the recipient to call back. |
PL-4 | Do not leave PL-4 information in a voicemail message. Ask the recipient to call back. |