Data Access Policy
Effective: November 12, 2013
Revision History:
Revised & Renamed: May 24, 2018
Revised: April 2022
Executive Summary
Barnard College operations require the sensitive information of students, faculty, staff and others. The college has a high business dependency on this information, and a robust security posture must be in place to protect the confidentiality, integrity and availability of this data while also maintaining access to it as necessary. This policy is designed to codify data access expectations for private data held by the college.
Reason for the Policy:
The college affirms that the mutual trust and freedom of thought and expression essential to the academic mission of a college rest on a reasonable expectation of privacy, and that the privacy of those who work, study, teach, and conduct research in a college setting will be respected. This policy is intended to highlight some general principles that should help to define the rights of the college to access private data and the expectations of privacy of those in the college community.
Who is Responsible for This Policy
Responsible Office: The Office of the General Counsel, BCIT
Who is Governed by This Policy
This policy applies to all individuals who access, use, or control college resources. Those individuals covered include, but are not limited to, staff, faculty, students, those working on behalf of the college, guests, tenants, visitors, and individuals authorized by affiliated institutions and organizations.
Policy Statement
The college provides computers, user accounts, email accounts, networks and other resources to faculty, staff and students for the purpose of furthering the college's academic mission and conducting college business. While incidental and occasional personal use of such systems, including e-mail and voice mail, is permissible, personal communications and files transmitted over or stored on college systems are not treated differently from college-related communications.
As is the case for information in non-electronic form stored in college facilities, the college's need for information will be met in most situations by simply asking the author or custodian for it. However, the college reserves the right, consistent with this policy, to access, review and release information that is transmitted over or stored in college systems or facilities.
When access, review or release of information is required, an officer of the college may request access to a user’s resources without the consent of the assigned user when there is a reasonable basis to believe that such action:
- Is necessary to comply with legal requirements or process
- May yield information necessary for the investigation of a suspected violation of law, regulation, or college policy (e.g. alleged harassment)
- Is needed to maintain the integrity of college computing systems
- May yield information necessary to deal with an emergency
- Will yield information that is necessary for the completion of ordinary business of the college
The office of the General Counsel is responsible for obtaining the final approval of requests and for maintaining a record of the authorized searches.
Pursuant to Civil Rights Law § 52-c, which requires that New York employers provide notice to all employees of the potential use of electronic monitoring in the workplace, the College provides all new employees with a Notice of Electronic Monitoring. The notice is also posted in a conspicuous location where it is readily viewable by employees.
Procedure to Access Private Information
Requests for access to the private information of faculty, students and staff will follow the procedure below:
- The requestor contacts the officer of the college for their administrative area or the general counsel with the request.
- The officer forwards the request to the office of the General Counsel.
- The office of the General Counsel reviews the request for compliance with this policy and contacts the president and/or her designee for approval.
- The office of the General Counsel forwards approved requests to the executive director for IT and/or her designee who will provide the data requested (if available) to the office of the General Counsel.
- The office of the General Counsel reviews the data with the requestor.
Due to the sensitivity of the requests, it is crucial that the parties involved in this process do not disclose any information about the request to anyone not involved in the processing of the request.
Applicable Acts, Regulations, and Laws
Electronic resource use is subject to many laws and regulations. Suspected violations of applicable law are subject to investigation by the college and possibly law enforcement officials. Among the applicable laws are:
- Family Education Rights and Privacy Act (FERPA): a federal law that protects the privacy of student education records.
- General Data Privacy Regulation (GDPR): a European Union (EU) data privacy regulation, effective May 25, 2018, protecting the personal data of EU subjects or others physically located in the EU which is collected by the college.
- Civil Rights Law § 52-c requires that New York employers provide notice to all of their employees, upon hire, of the potential use of electronic monitoring in the workplace, effective May 7, 2022.
- Defamation: Someone may seek civil remedies if they can show that they were clearly identified as the subject of defamatory messages and suffered damages as a consequence. Truth is a defense against charges of defamation.
- Common law actions for invasion of privacy: Someone may seek civil remedies for invasion of privacy on several grounds:
  - Public disclosure of private facts: the widespread disclosure of facts about a person, even when true, may be deemed harmful enough to justify a lawsuit.
  - False light: a person wrongfully attributes views or characteristics to another person in ways that damage that person's reputation.
  - Wrongful intrusion: the law often protects those areas of a person's life in which they can reasonably expect they will not be intruded upon.
Enforcement
Violations of these policies are adjudicated according to the procedures defined in the student, faculty or employee policies and procedures and may result in the removal of access to Barnard resources and/or more serious sanctions.