The purpose of the Data Security Policy (DSP) is to prevent identity theft by protecting the Personal Information (defined below) of the members of the Lesley community.
The DSP sets forth the procedure for evaluating the electronic and physical methods of accessing, collecting, storing, using, transmitting, protecting and, when appropriate, destroying Personal Information that Lesley stores, maintains, or controls. (effective 7/1/10).Members of the Lesley community are asked create effective administrative, technical, and physical safeguards for the protection of Personal Information in compliance with our obligations under M.G.L. ch. 93H and M.G.L. ch. 93I and 201 CMR 17.00.
II. Personal InformationUnder this Policy, "Personal Information" is any information in Lesley's control that contains the first name or initial and last name of an individual in combination with any one or more of the following pieces of information that relate to such individual:Some examples of "Personal Information" could include employment application, credit card information, I-9 forms, student records, student applications, etc. III. Data Security CoordinatorLesley has designated Sandra Doran, its University Counsel, to be Lesley's Data Security Coordinator. The Data Security Coordinator is responsible for overseeing compliance with the DSP and assisting members of the Lesley community in protecting Personal Information and addressing potential breaches of Personal Information.If there are any questions about this policy or any concerns about protecting Personal Information, please contact Shirin Philipp, the Data Security Coordinator at 617-349-8505.The Data Security Coordinator will be responsible for and/or overseeing the following: (a) identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, or integrity of all electronic, paper, or other records containing Personal Information and evaluating and improving, where necessary, the effectiveness of all current safeguards; (b) Training all employees about the DSP and the Data Security Program ("Program"); (c) Regular assessment and testing of the Program's safeguards and compliance with the DSP; (d) Ensuring that reasonable steps are taken to verify that third-party services providers with access to Personal Information have the ability to protect such information in accordance with state law and regulations; (e) Reviewing the scope of the security measures in the Program annually or whenever there is a material change in Lesley's business practices or changes in the law that may implicate the security or integrity of records containing Personal Information; (f) Conducting an annual training session on the Program for all members of the community who have access to Personal Information. Tracking the attendance and training of those members on their familiarity with Lesley's requirements for ensuring the protection of Personal Information; (g) Ensuring that physical and electronic access immediately ends for terminated/resigned employees to records containing Personal Information, including deactivating all passwords and user names that permit that employee access to records containing Personal Information; (h) Documenting actions taken when responding to incidents involving unauthorized access to or use of Personal Information; (i) In consultation with the Director of Human Resources, recommending corrective and/or disciplinary measures for violations of the DSP or Program and implementing and documenting such measures as appropriate.IV. Scope and Discovery of Personal InformationThis policy covers all Personal Information that Lesley stores, maintains, or controls.Lesley has taken steps to identify and inventory all such information. If a member of the Lesley community becomes aware of a new source or type of Personal Information, that source should be reported immediately to the Data Security Coordinator. V. Meeting Current Security RequirementsTo maintain data security as required under the law, members of the Lesley community will be required to cooperate with a number of procedures: Report any suspicious or unauthorized use of Personal Information. Access to electronically stored Personal Information shall be electronically limited to those employees having a unique log-in ID; and re-log-in shall be required when a computer has been inactive for more than ten (10) minutes. Paper or electronic records (including records stored on hard drives or other electronic media) containing Personal Information shall be disposed of only in a manner that complies with M.G.L. c. 93I. For paper: Personal Information shall be either redacted, burned, pulverized, or shredded so that personal data cannot practicably be read or reconstructed For electronic media and other non-paper media: Personal Information shall be destroyed or erased so that it cannot practicably be read or reconstructed. In an effort to prevent hackers from accessing our Student Information System (SIS), electronic access to user identification will be blocked after three (3) unsuccessful attempts to gain access. For example, when logging on to Lesley's SIS, (Datatel Colleague), if a username or password is typed incorrectly three times the user will be locked out of the site and will need to call University Technology (UT) at 617-349-8770 before the user will be allowed access to the SIS system. Departments at Lesley who manage access to their own systems containing Personal Information should follow the same process above for the Student Information System and should document their processes appropriately. Current users of Lesley's computer network will be prompted and required to bi-annually change their logon password. Each department shall develop procedures (bearing in mind the educational and business needs of that department) that ensure that reasonable restrictions upon physical access to records containing Personal Information are in place. Ideally, each department will have a written procedure that sets forth the manner in which physical access to such records in that department is to be restricted; and each department must store such records and data in locked facilities, secure storage areas or locked containers. Lesley will monitor the computer systems and community members' activities on the system for, among other things, unauthorized use of or access to Personal Information. Only members of the Lesley community who are accessing Personal Information for business reasons are authorized to do so.VI. Security Requirements Regarding Terminated EmployeesWhen an employee leaves their employment at Lesley, their immediate supervisors/managers are required to ensure that the employees comply with the following: Return all records containing Personal Information in any form that may be in employee's possession at the time of such termination (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.) Cease physical and electronic access to Personal Information held by Lesley. Surrender all keys, IDs, access codes or badges, business cards, and any other property that permits access to Lesley's premises or information. Cease remote electronic access to Lesley's computer systems which contain Personal Information and cease use of Lesley voicemail and internet access, unless written authorization is obtained to do so. Terminated student employees who are inactive (i.e. not currently enrolled and not graduated) will cease to have electronic access to Lesley's email and network. Terminated employees who are also students or alumni will retain access to their Lesley email account and will retain the privilege of access to the Lesley network, which does not include access to Personal Information.VII. Duties of Lesley Community Members
Lesley will impose corrective and/or disciplinary measures for all violations of this DSP.This policy shall remain in effect until such time the University and/or specific State or Federal rules and regulations that govern the Data Security Policy indicate a change in the policy or procedures.
Acceptable Use Policy
Community Standards of Conduct
Community Violence Prevention Policy
Complaint Resolution Policy and Procedure
Data Security Policy
Discrimination, Harassment, Sexual Harassment, and Sexual Violence Policy
Equal Opportunity and Inclusion Policy
Prohibition of Weapons Policy
Unequal Consensual Relationships Policy