The DSP sets forth the procedure for evaluating the electronic and physical methods of accessing, collecting, storing, using, transmitting, protecting and, when appropriate, destroying Personal Information that Lesley stores, maintains, or controls (effective 7/1/10). Members of the Lesley community are asked to create effective administrative, technical, and physical safeguards for the protection of Personal Information in compliance with our obligations under M.G.L. ch. 93H, M.G.L. ch. 93I and 201 CMR 17.00.
II. Personal Information
Under this Policy, "Personal Information" is any information in Lesley's control that contains the first name or initial and last name of an individual in combination with any one or more of the following pieces of information that relate to such individual:
Some examples of "Personal Information" could include employment applications, credit card information, I-9 forms, student records, student applications, etc.
III. Data Security Coordinator
Lesley has designated Sandra Doran, its University Counsel, to be Lesley's Data Security Coordinator. The Data Security Coordinator is responsible for overseeing compliance with the DSP and assisting members of the Lesley community in protecting Personal Information and addressing potential breaches of Personal Information.
If there are any questions about this policy or any concerns about protecting Personal Information, please contact Shirin Philipp, the Data Security Coordinator at 617-349-8505.
The Data Security Coordinator will be responsible for and/or oversee the following:
(a) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, or integrity of all electronic, paper, or other records containing Personal Information, and evaluating and improving, where necessary, the effectiveness of all current safeguards;
(b) Training all employees about the DSP and the Data Security Program ("Program");
(c) Regular assessment and testing of the Program's safeguards and compliance with the DSP;
(d) Ensuring that reasonable steps are taken to verify that third-party service providers with access to Personal Information have the ability to protect such information in accordance with state law and regulations;
(e) Reviewing the scope of the security measures in the Program annually or whenever there is a material change in Lesley's business practices or changes in the law that may implicate the security or integrity of records containing Personal Information;
(f) Conducting an annual training session on the Program for all members of the community who have access to Personal Information, and tracking those members' attendance, training, and familiarity with Lesley's requirements for ensuring the protection of Personal Information;
(g) Ensuring that terminated or resigned employees' physical and electronic access to records containing Personal Information ends immediately, including deactivating all passwords and user names that permit such access;
(h) Documenting actions taken when responding to incidents involving unauthorized access to or use of Personal Information;
(i) In consultation with the Director of Human Resources, recommending corrective and/or disciplinary measures for violations of the DSP or Program and implementing and documenting such measures as appropriate.
IV. Scope and Discovery of Personal Information
This policy covers all Personal Information that Lesley stores, maintains, or controls.
Lesley has taken steps to identify and inventory all such information. If a member of the Lesley community becomes aware of a new source or type of Personal Information, that source should be reported immediately to the Data Security Coordinator.
V. Meeting Current Security Requirements
To maintain data security as required under the law, members of the Lesley community will be required to cooperate with a number of procedures:
- Report any suspicious or unauthorized use of Personal Information.
- Access to electronically stored Personal Information shall be electronically limited to those employees having a unique log-in ID, and re-log-in shall be required when a computer has been inactive for more than ten (10) minutes.
- Paper or electronic records (including records stored on hard drives or other electronic media) containing Personal Information shall be disposed of only in a manner that complies with M.G.L. c. 93I.
  - For paper: Personal Information shall be redacted, burned, pulverized, or shredded so that personal data cannot practicably be read or reconstructed.
  - For electronic media and other non-paper media: Personal Information shall be destroyed or erased so that it cannot practicably be read or reconstructed.
- In an effort to prevent hackers from accessing our Student Information System (SIS), electronic access to a user identification will be blocked after three (3) unsuccessful attempts to gain access. For example, when logging on to Lesley's SIS (Datatel Colleague), if a username or password is typed incorrectly three times, the user will be locked out of the site and will need to call University Technology (UT) at 617-349-8770 before being allowed access to the SIS again.
- Departments at Lesley that manage access to their own systems containing Personal Information should follow the same process described above for the Student Information System and should document their processes appropriately.
- Current users of Lesley's computer network will be prompted and required to change their logon password bi-annually.
- Each department shall develop procedures (bearing in mind the educational and business needs of that department) that ensure that reasonable restrictions upon physical access to records containing Personal Information are in place. Ideally, each department will have a written procedure that sets forth the manner in which physical access to such records in that department is to be restricted, and each department must store such records and data in locked facilities, secure storage areas or locked containers.
- Lesley will monitor the computer systems and community members' activities on the system for, among other things, unauthorized use of or access to Personal Information.
- Only members of the Lesley community who are accessing Personal Information for business reasons are authorized to do so.
VI. Security Requirements Regarding Terminated Employees
When an employee leaves employment at Lesley, the employee's immediate supervisor or manager is required to ensure that the employee complies with the following:
- Return all records containing Personal Information in any form that may be in the employee's possession at the time of such termination (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.).
- Cease physical and electronic access to Personal Information held by Lesley.
- Surrender all keys, IDs, access codes or badges, business cards, and any other property that permits access to Lesley's premises or information.
- Cease remote electronic access to Lesley's computer systems that contain Personal Information, and cease use of Lesley voicemail and internet access, unless written authorization is obtained to do so. Terminated student employees who are inactive (i.e. not currently enrolled and not graduated) will cease to have electronic access to Lesley's email and network. Terminated employees who are also students or alumni will retain access to their Lesley email account and the privilege of access to the Lesley network, which does not include access to Personal Information.
VII. Duties of Lesley Community Members
- Members of the Lesley community are prohibited from disclosing Personal Information to any unauthorized person or in any unauthorized manner.
- Members of the Lesley community should review the DSP annually and upon request acknowledge doing so to Human Resources.
- Members of the Lesley community must participate in training sessions when required by the Data Security Coordinator and must certify their attendance.
- Members of the Lesley community must report to the Data Security Coordinator, as soon as it becomes known and regardless of time or place, the loss or theft of any laptop, PDA, CD, or other portable electronic device that either contains Personal Information or would allow access into Lesley's computer system.
- Members of the Lesley community must immediately report to the Data Security Coordinator (a) any loss, theft, or disclosure to an unauthorized person or entity of Lesley community member information or Personal Information, (b) any suspicious or unauthorized use of Lesley community member information or Personal Information, and (c) any situations where Lesley community member information or Personal Information is not protected as required under the Program.
- Members of the Lesley community who send Personal Information electronically within Lesley's network are required to do so in password-protected files. However, before sending Personal Information wirelessly or over the public internet, it must first be encrypted. Contact University Technology for details on encrypting files.
- Members of the Lesley community who transport Personal Information on a laptop or other portable device must do so only where such information is encrypted, to the extent technologically feasible.
- Members of the Lesley community must alert the Data Security Coordinator if they become aware of any new source or kind of Personal Information that Lesley stores, maintains, or controls.
- Members of the Lesley community must limit the amount of Personal Information collected to that amount reasonably necessary to accomplish Lesley's legitimate business purposes or to comply with state or federal regulations.
- Members of the Lesley community must limit access to records containing Personal Information to those persons who are reasonably required to know such information to accomplish Lesley's legitimate business purposes or to enable Lesley to comply with other state or federal regulations.
- Members of the Lesley community must secure open files containing Personal Information on their desks when they are not at their desks.
- Members of the Lesley community must assist and participate in any mandatory post-incident reviews and actions taken.
- At the end of the work day, employees must secure all files and other records containing Personal Information in locked file cabinets, or secure them electronically so that they can be accessed only by authorized users with a password.
- Members of the Lesley community must ensure that all paper records containing Personal Information are discarded in Shred-It containers or by shredding. They are not to be thrown in the regular or recycled trash receptacles or discarded off-site in any manner.
- Members of the Lesley community must refrain from submitting their own or others' Personal Information to Lesley unless requested to do so by Lesley or an authorized person.
- Members of the Lesley community must immediately report to the Data Security Coordinator if they are the victims of identity theft or any unauthorized use of their Personal Information (where there is no explanation for the unauthorized use or the unauthorized use is known not to be related to Lesley).
- Members of the Lesley community are encouraged to make recommendations to the Data Security Coordinator about ways in which Lesley can better protect Personal Information.
Lesley will impose corrective and/or disciplinary measures for all violations of this DSP.
This policy shall remain in effect until such time as the University and/or the specific state or federal rules and regulations that govern the Data Security Policy indicate a change in the policy or procedures.