Electronic Data Classification and Security

Summary  

Appropriate electronic data security includes the full life cycle of the data, from creation through destruction. Sensitive and confidential data collected and used at Bellevue College will be protected, no matter what form it has or how it is accessed.

Categories of Electronic Data

College data should not be disclosed to the public outside of the procedures prescribed under the open public records and meetings laws and the supporting college policies. At Bellevue College, electronic data is classified as follows:

Public Information

This is information and/or data for which there is no state or federal law restricting disclosure and/or release to the public.  While it does not need special protection from unauthorized disclosure, it does require protection from unauthorized changes that alter the information. This includes all information that is already in the public view, but does not include public records that are exempted from public access according to RCW 42.17.310 and WAC 132H-169-070.

Sensitive Information

This is information that may ultimately be defined as a public record and able to be disclosed, but will be carefully protected prior to being released through the campus disclosure process.  This might include financials, payroll-personnel, operating procedures, as well as basic computer, network and security configurations.

Confidential Information

This is information that cannot be released to the public, being specifically protected by state or federal law (including FERPA).  Confidential information should deliberately and carefully be protected from disclosure, and generally includes:

  1. Personal information about individuals, regardless of how that information is obtained.
  2. Information concerning employee payroll and personnel records.
  3. IT security information that, if released, could jeopardize the integrity of data or result in fraud, unauthorized disclosure, or modification of information.

Information Requiring Special Handling

Information requiring special handling is confidential information for which additional protections need to be in place.   This will include information such as student information, personnel health records, credit card information, and other similar data. This includes, but is not limited to:

  1. Information for which either state or federal laws or regulations require protection or dictate particular handling requirements, for example, the Family Education Rights and Privacy Act (FERPA) or Health Information Portability and Accountability Act (HIPAA).
  2. Information that is covered by a contract or agreement in which specific and strict handling requirements are set forth.
  3. Information for which serious consequences can arise from unauthorized disclosure, ranging from life-threatening action to legal sanctions.

Electronic Data

Electronic data is subject to the same privacy restrictions as non-electronic information and requires the same protections. Information disseminated through any internet-accessible medium will conform to the Washington state Office of the Chief Information Officer’s “Public Records Privacy Protection” policy, which in turn implements the Governor’s Executive Order 00-03, “Public Records Privacy Protections.” These specific requirements also apply:

Web

Public information posted on a Bellevue College web site shall be reviewed and approved for release in the same manner as other public dissemination of official memos, reports or other official non-electronic data and information.  Sensitive and confidential information accessible through a web site will be password protected and will not be stored or posted in the same directories as public information.

E-mail

E-mail sent to internal administrative Bellevue College addresses is considered secure and may be used with discretion to disseminate confidential and sensitive information.  Confidential and sensitive information will not be included in any e-mail which is addressed to an external e-mail address or to a Bellevue College student e-mail account.

Blogs / Social Media

Blogging sites and social media sites are specialized types of web site and are therefore covered under the requirements identified under “Web”, above.  However, because of the spontaneous nature of many blogging or social media interactions, special care and caution should be taken by campus users to ensure that confidential and sensitive information is never included in a blog or social media posting, whether the hosting site is internal or external to Bellevue College.

Instant Messaging

Because the sites hosting instant messaging may or may not be external to Bellevue College, maintaining the security of information distributed in that manner cannot be guaranteed.  Therefore, confidential and sensitive data should never be included in any instant messaging posting, no matter whether the recipient is another Bellevue College user or not.  If such information needs to be exchanged between college recipients, e-mail should be used.

Podcast

Confidential or sensitive information will not be posted as part of any podcast or as part of any web site, page or file transfer site supporting podcasting.  This restriction applies whether the hosting site is internal or external to Bellevue College.

Storage of Electronic Data

Electronic data stored on any media will be secured commensurate with its level of confidentiality or value.

  1. Some data that is labeled confidential might, for example, require encryption and/or storage only within a database.
  2. Backup media must be stored in such a way as to assure not only its magnetic integrity, but also its physical security.
  3. Hard copy reports of data created for internal use at Bellevue College will be protected commensurate with the sensitivity of the data they contain. When hard copies are no longer needed, they should be disposed of properly. Printouts that contain any sensitive or confidential information will be shredded.

Failure to maintain, secure or destroy electronic copies of information that is sensitive, confidential, or requires special handling as described in this article is a serious matter, and may be a violation of state and/or federal law.


Further Information

If you need further information regarding the security of sensitive and confidential information and data, please contact the Bellevue College Technology Service Desk at 425-564-4357.

Details

Article ID: 21261
Created: Wed 12/7/16 12:28 PM
Modified: Mon 3/12/18 3:36 PM