Data Usage Policy (DRAFT)

Purpose and Scope

This policy outlines guidelines for accessing, handling, and safeguarding data at Bates College to ensure security, privacy, and compliance with relevant laws and regulations. It applies to Bates College data in all forms and to all individuals with access to Bates College data, including employees, students, contractors, volunteers, and third-party service providers. This policy and accompanying guidelines complement the Bates College Information and Library Services Acceptable Use Policy and the Bates College Data Management Guidelines, ensuring the proper handling and protection of data.

Data Classification

The college retains ownership of all data except data considered to be scholarly work under the college’s intellectual property policy (Part 7 of the Faculty Handbook), and unauthorized manipulation or utilization thereof is strictly prohibited. All College data are classified into levels of sensitivity to provide a basis for understanding and managing college data:

  • Restricted – Data requiring the highest level of protection due to legal mandates (federal or state laws), college policies, or confidentiality concerns.
  • Internal – Data not classified as Restricted but still requiring protection because it is not publicly available and involves proprietary, ethical, or privacy considerations.
  • Public – Data intended for public access, such as information on the Bates.edu website, press releases, and public announcements.

For further detail and examples, please consult the Classification of College Data page.

Data Access

Access to Bates College data is granted based on a legitimate business need and requires approval from the appropriate Data Steward or Data Administrator, as outlined in Roles and Responsibilities. In some cases, additional approval from a Data Trustee may also be required. Access to College data is only granted in order for employees to perform job-related responsibilities.

Data Handling 

Once access has been granted and data have been shared, it is incumbent upon the recipient to handle the data responsibly. Key principles for the responsible handling and use of data are outlined below. 

Principles for Responsible Data Handling
  1. Purpose of Data Usage: Data should only be collected, processed, and used for the specific purpose defined when access was granted by the Data Steward.
  2. Authorization for Use: Any use of data beyond the defined purpose requires explicit authorization from the Data Steward.
  3. Distribution Restrictions: Users are prohibited from redistributing data to parties not originally identified as recipients by the Data Steward at the time of access grant.
  4. Credential Sharing Prohibition: Sharing credentials for generating, transmitting, or accessing data is strictly forbidden under the Bates College Information and Library Services Acceptable Use Policy and violates this data use policy.
  5. Storing Data: Store Bates data on either the Bates Google Drive workspace or on Bates network drives (Belfast or China). Do not store college data on your Bates computer’s hard drive or on personal devices. For more information on Bates’ data storage policies, see this place / document
  6. Deleting Data: When a user is done with the data, the user must ensure that all instances of the data are deleted, including those in sent emails, inboxes, folders, or on desktops.

Data Maintenance and Accuracy

The responsibility of maintaining accurate and up-to-date data belongs to each Data Steward. Reasonable efforts should be made to ensure that data are accurate, complete, and up-to-date. Users who have questions about the accuracy of data or would like to request a correction or review should contact the Data Steward.

Data Retention and Disposal

Each Data Steward will establish and maintain a data retention schedule outlining the duration for which each category of data must be retained. Retention periods will be determined based on legal, regulatory, and operational requirements. Data that has surpassed its retention period must be deleted or destroyed utilizing methods that prevent recovery, reconstruction, or future use of data. For more details on data retention, disposal schedules, and data destruction procedures, refer to the College’s Record Retention Policy.

Incident Response

All suspected incidents must be reported to the Director of Information Security, Privacy, & Compliance (Dir, IS) and the ILS Helpdesk. They will then initiate the steps outlined in the Information and Library Services Information Security Incident Response Plan to evaluate, mitigate, and address the incident. Additionally, the Data Steward must be promptly notified in case of a data breach or any security incident involving college data.

Enforcement

Violations of this Policy may result in disciplinary actions, including warnings, suspension, termination of access privileges, or termination of employment as covered in section 105 of the employee handbook. Individuals found in violation may also be subject to legal action if their actions result in harm to the College or individuals.

Transparency

This Data Usage Policy will be reviewed regularly and updated by the Data Governance Group as necessary to reflect changes in laws, regulations, and college practices. Updates to this policy and any significant changes in data processing practices will be communicated to the college community.