INFORMATION SECURITY AND DATA PRIVACY POLICY

Policy Statement

The following statements describe Iona College’s policy on information security and data privacy with particular regard to the security and privacy of personal, private information belonging to our applicants, employees, students and donors.

Reason for Policy

Iona College needs to collect and use information about individuals with whom it works in order to operate and carry out its functions.  It is a priority of Iona College to preserve the integrity of personally identifying information that may be collected.  Negligence or inappropriate use of personal data will not be accepted.  Information regarding applicants, employees, students and donors is subject to legal protection.  Iona College regards the lawful and appropriate treatment of personal information as very important to its successful operations and essential to maintaining confidence between the College and those with whom it carries out business.  Iona College is fully committed to complying with the requirements of the Family Educational Rights and Privacy Act of 1974 (FERPA) for student data, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for health data in a clinical setting, and the General Data Protection Regulation (GDPR) for data of European residents.

Scope

This policy applies to processing and maintaining personal data, both in paper and electronic form.  Everyone who works with Iona College has some responsibility for ensuring data is collected, stored and handled appropriately and is responsible for the following:

  • Safeguarding personally identifying information which may include such things as name, address, age, gender, identification numbers (employee ID, Social Security number), income, employment, assets, liabilities, source of funds, payment records, personal references and health records;
  • Collecting and processing only the data and information that is needed;
  • Keeping data accurate, complete and up-to-date;
  • Using and disclosing data only in ways compatible with the purposes for which it was collected;
  • Implementing physical security controls, such as securely locking files and paper records containing personal information;
  • Ensuring computers and applicable programs are password protected;
  • Ensuring computer passwords are used consistently and changed frequently;
  • Retaining data for no longer than is necessary for the purpose or purposes;
  • Shredding and carefully disposing of records containing personally identifying information;
  • Limiting access to personal information to only those who have an absolute need for its use;
  • Obtaining approval of the Director, Internal Audit prior to disseminating personal information to outside parties;
  • Immediately reporting a breach in data security to the Director, Internal Audit.

Administration, Faculty and Staff will have a key role in implementing the policy and should be provided with a copy of the policy and other relevant information.


Definitions

Personal Data: Any information relating to an identified or identifiable natural person.  Examples of personal data records held by Iona College may include:

Staff/Administration/Faculty records: These may include:

  • Name, address and contact details, PeopleSoft ID number
  • Original records of application and appointment
  • Record of appointments to promotion posts
  • Details of approved absences (career breaks, parental leave, study leave etc.)
  • Details of work record (qualifications, classes taught, subjects etc.)
  • Details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress.
  • Note: a record of grievances may be maintained which is distinct from and separate to individual personnel files.

Student records: These may include:
  • Information which may be sought and recorded at enrollment, including:
    • name, address and contact details, PeopleSoft ID number
    • names and addresses of parents/guardians and their contact details
    • religious belief
    • racial, ethnic or national origin
    • any relevant special conditions (e.g. special educational needs, health issues etc.) which may apply
    • information on previous academic record
    • psychological assessments
  • Attendance Records
  • Academic record – subjects studied, class assignments, examination results as recorded on official school reports
  • Records of significant achievements
  • Records of disciplinary issues and/or sanctions imposed
  • Other records e.g. records of any serious injuries/accidents etc.

Processing: performing any operation or set of operations on data, including:

  • Obtaining, recording or keeping data
  • Collecting, organizing, storing, altering or adapting the data
  • Retrieving, consulting or using the data
  • Disclosing the information or data by transmitting, disseminating or otherwise making it available, or
  • Aligning, combining, blocking, erasing or destroying the data

Data Protection Controller

The College has appointed the Director, Internal Audit to assume the responsibilities of a Data Protection Controller (DPC)/Information Security Officer.  The Director, Internal Audit will endeavor to ensure that all personal data is processed in compliance with this policy.  This individual is responsible for coordinating implementation of the policy and for ensuring that everyone who handles or has access to personal data is familiar with their data protection responsibilities.

Responsibilities include but are not limited to:

  • Briefing the Audit, Risk and Compliance Committee on data protection responsibilities
  • Initiating, facilitating and promoting activities to foster information security and data privacy awareness
  • In collaboration with the Vice Provost for Information Technology, reviewing and approving the dissemination of personal information to outside parties
  • Conducting investigations of data breaches and working effectively with Senior Leadership and respective management to resolve them

External Processors

Iona College must ensure that data processed by external processors (for example, service providers of storage, web sites, etc.) is handled in compliance with this policy and the relevant legislation and regulations.

Enforcement

If an individual believes that the College has not complied with this policy, the individual should contact the Director, Internal Audit/Data Protection Controller.

Related Policies

  • Computer Use Policy
  • Record Retention Policy