University updates Confidential Information Policy

SUNY New Paltz has enacted new revisions to the institutional Confidential Information Policy, to ensure compliance with federal law and modernize practices around the storage and retention of potentially protected information.

As part of this set of changes, Paul Chauvet, information security officer, has been named the “Qualified Individual” overseeing the policy and related information security concerns.

These updates to internal practices are in compliance with updated Standards for Safeguarding Customer Information that were ratified by the Federal Trade Commission in late 2021.

Among the updates to the Confidential Information Policy are new additions to the section on Employee Responsibilities:

No storage of sensitive data on personal devices: Employees are not permitted to store any sensitive institutional data on personal computing devices such as personal laptops, desktops, smartphones or tablets. This includes synchronizing OneDrive, Teams or SharePoint folders to personal devices if those contain sensitive data. For details on what the university deems to be sensitive data, please visit www.newpaltz.edu/itpolicy.

All research should follow HREB guidelines: Faculty conducting research involving sensitive or confidential data should ensure they are following guidelines and requirements set by the University’s Human Research Ethics Board (HREB).

There are also new policies connected to record retention and when it is appropriate to delete sensitive information that does not need to be kept.

The new language calls on divisions and departments, in consultation with Chauvet as designated Qualified Individual, to develop, implement, and maintain standard procedures for the secure disposal of student, employee, and other individual information no later than two years after the last date the information is used (barring exceptions where disposal is not feasible, where information is necessary for legitimate business purposes or where information is required to be retained). For data in systems such as Banner or Banner Xtender, please consult Administrative Computing for assistance.

The final set of revisions involves “clean desk” and “clean screen” standards. Employees should ensure that sensitive paper documents are locked away when not in use and/or when offices are unoccupied, and that no sensitive information on their computer screens is visible to others who do not need access to that information. This applies both during in-person meetings and when sharing a screen via virtual meeting tools such as WebEx, Teams or Zoom.

The Office of Information Technology Services thanks all members of the campus community for upholding these policies and helping the University protect sensitive information within our operations.