Data Usage Policy (DRAFT)
Purpose and Scope
This policy establishes rules for accessing, handling, and safeguarding data at Bates College to ensure security, privacy, and compliance with relevant laws and regulations. It applies to Bates College data in all forms and to all individuals with access to Bates College data, including employees, students, contractors, volunteers, and third-party service providers. This policy and accompanying guidelines complement the Bates College Information and Library Services Acceptable Use Policy and the Bates College Data Management Guidelines, ensuring the proper handling and protection of data.
Data Classification
The college retains ownership of all data except data considered to be scholarly work under the college’s intellectual property policy (Part 7 of the Faculty Handbook), and unauthorized manipulation or utilization thereof is strictly prohibited. All college data are classified into levels of sensitivity to provide a basis for understanding and managing college data:
- Restricted – Data requiring the highest level of protection due to legal mandates (federal or state laws), college policies, or confidentiality concerns.
- Internal – Data not classified as Restricted but still requiring protection because it is not publicly available and involves proprietary, ethical, or privacy considerations.
- Public – Data intended for public access, such as information on the Bates.edu website, press releases, and public announcements.
For further detail and examples, please consult the Classification of College Data page.
Data Access
Access to Bates College data is granted based on a legitimate business need and requires approval from the appropriate Data Steward or Data Administrator, as outlined in Roles and Responsibilities. In some cases, additional approval from a Data Trustee may also be required. Access to college data is only granted in order for employees to perform job-related responsibilities.
Data Handling
Once access has been granted and data have been shared, it is incumbent upon the recipient to handle the data responsibly. Key principles for the responsible handling and use of data are outlined below.
Principles for Responsible Data Handling
- Purpose of Data Usage: Data should only be collected, processed, and used for the specific purpose defined when access was granted by the Data Steward.
- Authorization for Use: Any use of data beyond the defined purpose requires explicit authorization from the Data Steward.
- Distribution Restrictions: Users are prohibited from redistributing data to parties not originally identified as recipients by the Data Steward at the time of access grant.
- Credential Sharing Prohibition: Sharing credentials for generating, transmitting, or accessing data is strictly forbidden under the Bates College Information and Library Services Acceptable Use Policy and violates this data use policy.
- Storing Data: Store Bates data on either the Bates Google Drive workspace or on Bates network drives (Belfast or China). Do not store college data on your Bates computer’s hard drive or on personal devices. For more information on data storage at Bates, see the college’s Data Management Guidelines.
- Deleting Data: When a user is done with the data, the user must ensure that all instances of the data are deleted, including those in sent emails, inboxes, folders, or on desktops.
- Use of AI Tools: As new tools such as AI-driven chatbots (e.g., Gemini, ChatGPT) are introduced, users must ensure that these tools are only used in compliance with college data protection guidelines. AI tools may not be used to process or analyze Restricted data. Users must confirm that any data handled via AI tools adheres to the college’s data classification and privacy rules. Please refer to the Appendix below for further guidance on AI use with Bates data.
Data Maintenance and Accuracy
The responsibility of maintaining accurate and up-to-date data belongs to each Data Steward. Reasonable efforts should be made to ensure that data are accurate, complete, and up-to-date. Users who have questions about the accuracy of data or would like to request a correction or review should contact the Data Steward.
Data Retention and Disposal
Each Data Steward will establish and maintain a data retention schedule outlining the duration for which each category of data must be retained. Retention periods will be determined based on legal, regulatory, and operational requirements. Data that has surpassed its retention period must be deleted or destroyed utilizing methods that prevent recovery, reconstruction, or future use of data. For more details on data retention, disposal schedules, and data destruction procedures, refer to the college’s Record Retention Policy.
Incident Response
All suspected incidents must be reported to the Director of Information Security, Privacy, and Compliance and the ILS Helpdesk. They will then initiate the steps outlined in the Information and Library Services Information Security Incident Response Plan to evaluate, mitigate, and address the incident. Additionally, the Data Steward must be promptly notified in case of a data breach or any security incident involving college data.
Enforcement
Violations of this Policy may result in disciplinary actions, including warnings, suspension, termination of access privileges, or termination of employment as covered in section 105 of the employee handbook. Individuals found in violation may also be subject to legal action if their actions result in harm to the college or individuals.
Transparency
This Data Usage Policy will be reviewed regularly and updated by the Data Governance Group as necessary to reflect changes in laws, regulations, technological advancements (including AI tools), and college practices. Updates to this policy and any significant changes in data processing practices will be communicated to the college community.
Appendix: Detailed Data Handling and Security Best Practices
- Data Accuracy: Ensure data accuracy and update records as necessary to maintain reliability.
- Data Storage: Data classified as Internal or Restricted are not to be stored on personal devices. Storing such data on personal devices presents several risks and challenges, including:
  - Compliance Concerns: Bates has strict regulations (e.g., FTC Safeguards, HIPAA, FERPA) regarding the storage and protection of sensitive data. Storing such data on personal devices may violate these compliance requirements, leading to legal repercussions or fines.
  - Security Risks: Personal devices typically have less stringent security measures compared to corporate devices or networks. They may lack encryption, antivirus protection, or secure access controls, making them more vulnerable to cyberattacks, malware, or unauthorized access.
  - Data Breach Potential: Personal devices typically have less stringent security measures compared to Bates-issued devices or networks and are more susceptible to theft, loss, or hacking attempts. If sensitive work data is stored on these devices without adequate protection, it increases the risk of data breaches that could compromise confidential information.
  - Lack of Control: The Bates ILS Department has no control or oversight over personal devices. This lack of control makes it challenging to enforce security policies, monitor for threats, or ensure that devices are regularly updated with security patches.
- Cloud Storage Best Practices: For departments that need to use cloud-hosted services for storing, accessing, processing, or transmitting sensitive data, it is crucial to follow best practices to ensure data security and compliance. Key practices include:
  - Collaboration with Information Security Office: Work closely with the Information Security and Systems Development and Integration offices to ensure compliance with institutional security policies and standards as well as relevant regulations (FERPA, FTC, and HIPAA). These offices will conduct necessary security assessments of vendors and review final contracts to include appropriate data security clauses for data protection, compliance, and incident response, ensuring that data protection measures are thoroughly addressed and integrated into vendor agreements.
  - Implement Data Security Measures: Ensure encryption is used for restricted data both at rest and in transit. Regularly monitor access to and usage of sensitive data to detect unauthorized access or suspicious activities.
  - Vendor Requests: If the cloud service is managed by a third-party vendor, those who manage the contract or administrators of the service may need to formally request the vendor to securely delete the data. This request should be made according to the terms of service or Master Services Agreement, and it may involve obtaining confirmation that the data has been fully and irreversibly deleted from all storage and backup systems.
  - Permanent Deletion: When using cloud storage services, securely deleting data involves ensuring that the files are permanently removed from the server. This often requires using the “permanent delete” option provided by the service, which bypasses the recycle bin or temporary storage, ensuring the data is not easily recoverable.
- AI Tools and Responsible Data Use: With the increasing use of AI tools, such as chatbots (e.g., Gemini, ChatGPT), it is essential to understand how they can and cannot be used with Bates College data:
  - Restricted Data Prohibition: Restricted data (including PII, FERPA-protected records, financial information, and health data) must never be processed using AI tools.
  - Permitted Use Cases: AI tools may only be used for non-sensitive tasks, such as refining teaching materials (e.g., syllabi, study guides), analyzing publicly available datasets, or composing non-confidential documents.
  - Consultation for Uncertainty: If you are unsure whether specific data can be used with AI tools, consult the Data Classification Guidelines or contact your Data Administrator.
  - AI Evolution: As AI tools continue to evolve, guidelines will be updated to reflect best practices for their responsible use while maintaining data security and compliance.
- Physical Security and Data Disposal
  - Physical Security: Ensure physical security measures are in place to protect data stored on physical media (e.g., hard drives, USB/thumb drives, paper documentation). This includes secure access to data storage facilities, filing cabinets, and protections against theft or damage.
  - Data Disposal: Dispose of data securely by shredding physical documents and using secure deletion methods for digital files. For digital files, secure deletion involves moving the data to the recycle/trash bin and then permanently deleting it by emptying the bin.
Last updated/reviewed: January 2025