The Information Security Policy requires additional data protections for Confidential Information.
Confidential Information refers to all information collected by, shared with, or reported to the College in the course of its business or activity that is protected by local, state or federal law or that the College is contractually obligated to protect. In addition, the College may designate information as confidential. Confidential Information includes, but is not limited to:
- Financial information as specified by the Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act or GLB);
- Protected Health Information (PHI) as specified by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH);
- Education records of students as defined by the Family Educational Rights and Privacy Act of 1974 (FERPA);
- Human subject research data which falls under the jurisdiction of the College’s Institutional Review Board (IRB);
- Confidential medical records used to provide an employee with a reasonable accommodation under the Americans with Disabilities Act of 1990 (ADA);
- Payroll records or other documentation pertaining to an employee’s compensation;
- Employment and/or personnel information (such as salary, health or disability information, disciplinary or grievance information, annual review information);
- Controlled information or technology pursuant to the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) that does not fall under the Fundamental Research Exclusion or other exclusions to ITAR/EAR; and
- Payment card data (such as credit/debit card numbers, security codes or PINs) covered by the Payment Card Industry (PCI) standards.
If you are authorized to access, share, transmit or otherwise use Confidential Information, you must encrypt the information when sending it through insecure channels, such as email.