Data Security Policy

This policy sets forth the procedure for evaluating the electronic and physical methods of collecting, accessing, storing, using, transmitting, protecting and, when appropriate, destroying Personal Information that Lesley stores, maintains, or controls. 
 

Members of the Lesley community must create effective administrative, technical, and physical safeguards for the protection of Personal Information in compliance with our obligations under the following laws and related regulations: 
 

• Massachusetts General Law, Chapter 93H 
• Massachusetts General Law, Chapter 93I 
• Standards for the Protection of Personal Information of Residents in the Commonwealth (201 CMR 17.00) (PDF)  

This Data Security Policy is enforced along with other university policies: 
 

• University’s Password Policy
• Acceptable Use Policy
• Privacy Policy
• FERPA Policy 

Any information in Lesley's control that contains the first name or initial and last name of an individual in combination with any one or more of the following pieces of information that relate to such individual: 
 

• Social Security Number
• Driver’s license number or state-issued identification number
• Financial account number or credit card number; or
• Biometric indicator 

Personal Information can be found in employment applications, I-9 forms, student records, student applications, among other places. 
 

Other information may also be considered private, and members of the community are encouraged to consider the protection of that information when accessing or transferring that information. 

Lesley has designated its Chief Information Officer as the University’s Data Security Coordinator. The Data Security Coordinator oversees compliance with this policy and assists members of the Lesley community in protecting Personal Information and addressing potential breaches of Personal Information.
 

Contact the Data Security Coordinator if you have any questions about this policy, or concerns about protecting Personal Information.

The Data Security Coordinator is responsible for and oversees:

• Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, or integrity of all electronic, paper, or other records containing Personal Information and evaluating and improving, where necessary, the effectiveness of all current safeguards.
   
• Training all employees about this Data Security Policy.
   
• Assessing and testing the Data Security Policy’s safeguards and compliance with the policy on a regular basis.
• Ensuring that reasonable steps are taken to verify that third-party services providers with access to Personal Information have the ability to protect such information in accordance with state law and regulations.
   
• Reviewing the scope of the Data Security Policy security measures annually, or whenever there is a material change in Lesley's business practices or changes in the law that may implicate the security or integrity of records containing Personal Information.
   
• Conducting periodic training sessions on the Data Security Policy for all members of the community who have access to Personal Information. Tracking the attendance and training of those members on their familiarity with Lesley's requirements for ensuring the protection of Personal Information.
   
• Ensuring that physical and electronic access immediately ends for terminated/resigned employees to records containing Personal Information, including deactivating all passwords and user names that permit that employee access to records containing Personal Information.
   
• Documenting actions taken when responding to incidents involving unauthorized access to or use of Personal Information.
   
• In consultation with the Director of Human Resources, recommending corrective and disciplinary measures for violations of the Data Security Policy, and implementing and documenting such measures as appropriate.

To maintain data security as required under the law, members of the Lesley community are required to cooperate with a number of procedures: 

• Report any suspicious or unauthorized use of Personal Information.
• Dispose of paper or electronic records (including records stored on hard drives or other electronic media) containing Personal Information only in a manner that complies with M.G.L. c. 93I: For paper: Personal Information must be either redacted, burned, pulverized, or shredded so that Personal Information cannot practicably be read or reconstructed. For electronic media and other non-paper media: Personal Information must be destroyed or erased so that it cannot practicably be read or reconstructed.
• Follow the procedures described here and in the University’s Password Policy, Acceptable Use Policy, and FERPA Policy, if the department manages access to its own computer systems containing Personal Information, and document actions taken.
• Unless encrypted, avoid sending email messages that include anyone’s Personal Information and avoid sending email messages that include any student's academic record.
• Use encryption software on all portable devices such as laptops, thumb drives, and smartphones.
• Develop procedures for each department (bearing in mind the educational and operational needs of that department) that ensure that reasonable restrictions on physical access to records containing Personal Information are in place. Each department should have a written procedure that sets forth the manner in which physical access to such records in that department is restricted; and each department must store such records and data in locked facilities, secure storage areas, or locked containers.
• Lesley will audit or monitor its computer systems and community members' activities on the systems for, among other things, unauthorized use of or access to Personal Information.
• Only permit members of the Lesley community to access Personal Information for educational or operational reasons within the scope of their employment or affiliation with Lesley. 

When an employee leaves employment at Lesley, their immediate supervisor or manager is required to ensure that the employee complies with these security requirements. 

• Return all records containing Personal Information in any form that may be in employee's possession at the time of such termination. This includes all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.
• Cease physical and electronic access to Personal Information held by Lesley.
• Turn in all keys, IDs, access codes or badges, business cards, and any other property that permits access to Lesley's premises or information.
• Stop remote electronic access to Lesley's computer systems which contain Personal Information and cease use of Lesley voicemail and Internet access, unless written authorization is obtained to do so.
• Cease access to Lesley's digital environment or any services accessed with Lesley employee credentials.
• Terminated employees who are also students or alumni, or retired/emeritus faculty or retired staff who meet the eligibility criteria, will retain access to their Lesley student email account. They will also retain the privilege of access to the Lesley network, which does not include access to Personal Information. 

Members of the Lesley Community: 

• Are prohibited from disclosing Personal Information to any unauthorized person or in any unauthorized manner.
• Should review the Data Security Policy annually and upon request acknowledge doing so to Human Resources.
• Must participate in training sessions, when required by the Data Security Coordinator, and must certify their attendance.
• Must report as soon as known, regardless of time or place, the loss or theft of any laptop, PDA, CD, or other portable electronic device that either contains Personal Information or would allow access into Lesley's computer system to the Data Security Coordinator.
• Must immediately report to the Data Security Coordinator: Any loss, theft, or disclosure to an unauthorized person or entity of Lesley community member information or Personal Information. Any suspicious or unauthorized use of Lesley community member information or Personal Information, and Any situations where Lesley community member information or Personal Information is not protected as required under this Data Security Policy.
• Are required to use password protected files when sending personal Information electronically within Lesley’s network. However, before sending Personal Information wirelessly or over the public internet, it must first be encrypted. Contact Information Technology for details on encrypting files.
• When transporting Personal Information on a laptop or other portable device, must do so only where such information is encrypted, to the extent technologically feasible.
• Must alert the Data Security Coordinator if they become aware of any new source or kind of Personal Information that Lesley stores, maintains, or controls.
• Must limit the amount of Personal Information collected to that amount reasonably necessary to accomplish Lesley's legitimate business purposes or to comply with state or federal regulations.
• Must limit access to records containing Personal Information to those persons who are reasonably required to know such information to accomplish Lesley's legitimate business purposes or to enable Lesley to comply with other state or federal regulations.
• Must secure open files containing Personal Information on their desks when they are not at their desks.
• Must assist and participate in any post-incident reviews and actions taken.
• At the end of the work day, employees must secure all files and other records containing Personal Information in locked file cabinets or electronically secured in a way that access can only be achieved by authorized users with a password.
• Must ensure that all paper records containing Personal Information are discarded in shredding containers or by shredding. They are not to be thrown in the regular or recycled trash receptacles or discarded off-site in any manner.
• Must refrain from submitting their own or others' Personal Information to Lesley unless requested to do so by Lesley or an authorized person.
• Must immediately report to the Data Security Coordinator if they are the victims of identity theft or any unauthorized use of their Personal Information (where there is no explanation for the unauthorized use or the unauthorized use is known not to be related to Lesley).
• Are encouraged to make recommendations to the Data Security Coordinator about ways in which Lesley can better protect Personal Information.