Dartmouth College is committed to protecting the privacy and security of Dartmouth-held data in a manner consistent with applicable laws, regulations and institutional policies.
Dartmouth uses an array of administrative, technical and physical security measures to protect personal data, including role-based access requirements and other safeguards. All individuals with access to, or handling, personal data are accountable for the applicable Dartmouth privacy and information security-related policies and procedures.
Refer to the guidelines and policies below on recognizing higher-risk data and sharing and storing data securely.
Recognize which types of data are classified as higher risk:
Understand the Information Security Control Objectives (DISC) and the data security classification level of the data you are requesting. Higher-risk data includes sensitive and personally identifiable information (PII) and is usually classified as DISC level 2 or 3. Some requests for sensitive information deemed Level 2 or 3 may require a security review before an information request can be completed and may take longer than expected.
DISC classification is integral to determining the sensitivity of data and involves categorizing it as follows:
DISC 1 (Internal Use Only): Appropriate for data that is less sensitive, where unauthorized access would have minimal organizational risk.
DISC 2 (Confidential): For data that, if compromised, could have a moderate adverse effect on the organization’s operations or reputation.
DISC 3 (Highly Confidential): Reserved for the most sensitive data, where unauthorized disclosure could cause significant harm to the organization, individuals, or where data protection is mandated by legal regulations. Data governed by regulations (e.g., HIPAA, FERPA) automatically receives a DISC 3 classification due to its high sensitivity and regulatory compliance requirements.
PII includes data that could identify individuals directly by providing a name, ID, SSN or other unique identifier. PII also includes data which, alone or in combination, could be linked to an individual with reasonable certainty and expose sensitive information.
For more information, please refer to A Practical Guide to DISC Classification and the Dartmouth Information Security Policy. If you have questions about DISC policy, please reach out to the Information Security team at infosec@dartmouth.edu.
Share data securely and be mindful of where it is being saved or stored and how long to store it. When sharing within Dartmouth:
- Always save data files and records in a secure location such as the Dartmouth Network.
- Do not email data or records with sensitive information. Encrypt any files containing higher-risk, sensitive data with a password and use tools such as Dropbox to securely share the information. Refer to Knowledge Base article “When Encryption is Mandatory”.
- There are several Dartmouth-approved tools and applications that can be used to securely share files and records. These include Google Drive and My Drive, Dropbox (for external-facing requests), Office 365 Groups and Teams, OnBase, OurFiles, SharePoint Online and others. Refer to Knowledge Base articles “How to Share Documents with Others” and “Collaboration, File Sharing and Data Storage” for more information on why and how to use them.
- Always follow the applicable data retention policies for stored data. Refer to the General Retention Schedule from the Records Management Group unless the Data Steward establishes a different schedule.
Consider a Data Sharing Agreement.
- A document describing what data is shared, who it is shared with, for what purpose, and how it can be used is a common and useful tool for spelling out expectations.
- Contents of a data sharing agreement are specific to each situation, but common elements include the type and scope of the data being shared, a statement of the reasons for sharing the data, specification of how the data can be used and who it can be shared with, and responsibilities for storage and destruction of the data.
- The data sharing agreement would be initiated by the data provider and signed by both parties prior to providing the requested data.
For further information on keeping Dartmouth data/information secure, refer to the Safe Computing and Data Security page available in the Dartmouth Services Portal.
Reach out to the Data Governance team if you have any questions.
Note: Funded research data may have additional requirements or restrictions on usage and storage of data.
-------------------------------------------------------------------------------
Definitions:
Dartmouth data/information: with respect to information security, data in any form which is owned, processed, stored, or transmitted by Dartmouth College, or its agents, other than information published for public use.
Dartmouth Record: Any recorded information, regardless of format (written, typed, electronic, paper, audio, video, etc.), generated in the course of conducting business, and which must be maintained in order to meet the fiscal, legal, historical or administrative needs of Dartmouth College.
Dartmouth Network: the private network of Dartmouth College, including wired network, and the "Dartmouth Secure" wireless network. Access to this network is restricted, via network authentication credentials, to Dartmouth students, faculty, staff, and sponsored guests.
Personally Identifiable Information (PII) as defined by FERPA Subpart General, Section 99.3:
The term includes, but is not limited to—
(a) The student's name;
(b) The name of the student's parent or other family members;
(c) The address of the student or student's family;
(d) A personal identifier, such as the student's social security number, student number, or biometric record;
(e) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
(f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
(g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates. (Authority: 20 U.S.C. 1232g)
Record means any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche. (Authority: 20 U.S.C. 1232g)
Secretary means the Secretary of the U.S. Department of Education or an official or employee of the Department of Education acting for the Secretary under a delegation of authority. (Authority: 20 U.S.C. 1232g)
Student, except as otherwise specifically provided in this part, means any individual who is or has been in attendance at an educational agency or institution and regarding whom the agency or institution maintains education records. (Authority: 20 U.S.C. 1232g(a)(6))
[53 FR 11943, Apr. 11, 1988, as amended at 60 FR 3468, Jan. 17, 1995; 61 FR 59295, Nov. 21, 1996; 65 FR 41852, July 6, 2000; 73 FR 74851, Dec. 9, 2008; 76 FR 75641, Dec. 2, 2011]