Sharing College Data

Bellevue College is required by law to protect certain classes of electronic information that its employees and other official representatives gather during the course of conducting business.

College officials (a term which includes employees, trustees, volunteers and others performing services on behalf of the college) must ensure that sharing protected college data with the public at large complies with the Washington state Office of the Chief Information Officer Securing Information Technology Assets Policy and other applicable statutes and regulations.

Executive Summary of Requirements

A college official considering sharing college data must:

    1. Initiate and complete a contract when technical or data services are being provided, particularly when college data will be shared with Non-Employees (see CONTRACT and NON-EMPLOYEES, below).
    2. Determine the category of the shared data based on the highest sensitivity of the information contained therein (see CATEGORIES OF COLLEGE DATA, below).
    3. Determine whether the data being shared will be stored on or off-campus (see SERVICES LOCATION, below).
    4. Complete the college paperwork which is required based on the data category and location (see DOCUMENTATION, below).
    5. Authorize the sharing of any college data in compliance with the documentation requirements (see AUTHORIZATION, below).
Sharing Data

When any college official wishes to obtain information services provided by someone who is not an employee of the college, or who represents an outside entity of any kind, and those services include:

    • directly giving that individual or entity electronic copies of college data; or
    • storing college data on computers, servers, or any storage media outside the college and/or under the control of that individual or entity[1]; or
    • providing that individual or entity direct access through Bellevue College technology resources to college data;

it is considered SHARING college data with a non-employee, and requires appropriate authorization.

Requirements

CATEGORIES OF COLLEGE DATA

Category 1 – Public data

Public college data may be released to the public or posted publically by any college official without approval. It does not need protection from disclosure.

The college has determined that certain student data–which otherwise may have been classified category 2 or higher—falls into this category as designated FERPA directory information, and may be disclosed upon request. This includes:

    • Student Name
    • Degree or certificate awarded
    • Dates of attendance
    • Athletic statistics
    • Scholarships received
    • Membership or office in BC student government or honor society
    • Part or full-time student status
    • Previous schools attended
    • Student’s e-mail address

Category 2 – Sensitive data

Sensitive information may not be specifically protected from disclosure by law or policy, but is generally for official use only.

Sensitive information is generally not released to the public unless specifically requested.

Category 3 – Confidential data

Confidential information is specifically protected from disclosure by state or federal law or regulations.

Data under this classification includes personally identifying information about individuals that college officials are obligated to protect to prevent identity theft or similar crimes or abuses.

This is usually someone’s name in combination with any of the following:

    • Personal address
    • Personal telephone number
    • Date of birth
    • Government –issued driver’s license or identification number
    • Alien registration number,
    • Passport number,
    • Employee/student ID number (SID).

It may also include, but is not limited to:

    • Information concerning employee payroll and personnel records.
    • Information that is inherently personal.
    • Information regarding IT infrastructure or security of computer and telecommunications systems which could result in fraud, illicit disclosure of, or modification to, information.

This includes passwords or other information used to access computer systems and applications.

Category 4 – Confidential data, with special handling

This is information specifically protected by law from disclosure, and is information for which especially strict handling requirements and safeguards are dictated by statutes, regulations, or agreements.

This includes:

    • Student data and education records protected under the Family Educational Rights and Privacy Act (FERPA).
    • Medical information protected under the Health Information Portability and Accountability Act (HIPAA).
    • Data which has been shared with Bellevue Collee for which a contract or agreement sets forth specific and strict handling requirements.
    • Data from which serious consequences could arise from unauthorized disclosure, such as threats to health and safety, or legal sanctions.

Other data under this classification can include:

    • Passwords,
    • Social Security Numbers (SSN),
    • Credit card numbers,
    • Credit card expiration dates,
    • Personal Identification Numbers,
    • Credit card security codes,
    • Financial profiles,
    • Bank routing numbers, and
    • Law enforcement records,

as well as other types of information.

Access to this type of data regarding another person is limited to authorized users who have a defined or demonstrated need to know in order to perform their duties.

Sensitive college data (category 2), confidential college data (category 3), and data classified as Confidential, with special handling (category 4) held by the college may not be shared publically, posted to any website (internal or external), shared with, or be allowed to be accessed by, any third-party or any non-employee, for any reason, without authorization and documentation, unless otherwise prescribed by law.

These categories of college data are referred to collectively as “protected data.”

These categories of college data may sometimes be released to the public when specifically requested and processed through the college’s public disclosure procedures established under RCW 42.56 – Public Records Act.

NON-EMPLOYEES / THIRD PARTIES / CONTRACTORS / VENDORS / OUTSIDE ENTITY

These are defined as:

      • any individual who is not a college employee who is given access or potential access to college data using college computers, either directly or remotely, while performing a contracted technical service (such as vendors, contractors, volunteers, etc.), and/or
      • officials of agencies, companies, or vendors contracted to store, maintain, support, access, or share college data as a service provided through networks and/or servers external to the college (such as Software as a Service [SaaS] or Hosted Service Providers [HSP]).

CONTRACT

When any category of college data is being shared with an outside entity or agency, or stored on their computers, servers or storage media, a contract with that entity is required.

This is often fulfilled as an Administrative Services or Purchasing Office responsibility following their standard purchasing processes.

This initial contract may be created by either Bellevue College or the entity themselves, but both parties must agree to its contents.

When sharing Category 2 and above data, the contract must address the following, unless otherwise prescribed by law. While some vendor contracts may address these issues adequately, many will not:

    • The data that will be shared.
    • The specific authority for sharing the data.
    • The classification of the data shared.
    • Access methods for the shared data.
    • Authorized users and operations permitted.
    • Protection of the data in transport and at rest.
    • Storage and disposal of data once it is no longer required.
    • Backup requirements for the data, if applicable.
    • Other applicable data handling requirements.

If the initial contract does not address these concerns, additional college documentation related to the services and information security provided by the vendor or contractor is required every time sensitive or confidential college data is shared.

DOCUMENTATION

When a college official knows the category of data intended to be shared and where it is going to be located, they can determine what paperwork is required.

When category 1 college data is being shared with the outside entity there is no documentation required other than this initial contract between the college and the vendor.

If category 2 college data is being shared, a college administrator must complete a Confidentiality and Non-Disclosure Agreement (NDA) and authorize sharing the data.

  • The NDA is an agreement that the college and the third-party will retain the confidence of any information or data shared between the parties.
  • All completed NDAs generated must be signed by both the authorizing college official and an authorized representative of the third party before the data may be shared, and will be filed with the ITS office.[2]

If the college data being shared is category 3 or category 4, a Data Sharing Agreement (DSA) must be completed and signed by the college official authorizing the sharing and by an authorized representative of the third-party with whom the data will be shared.

This is a formal, legally binding agreement signed by officials of the company and a college official describing:

    • what specific data will be shared with the company,
    • how they will access it or be given it,
    • how they will take care of it,
    • how they will protect it and
    • how they will dispose of it after the contract ends.

SERVICES LOCATION

In addition to the agreements described above, when copies of category 3 or category 4 college data will be stored, processed or manipulated using networks, servers or computers off-campus under the control of an external entity, the company providing the service must attest that their technology security configuration and data handling procedures are in compliance with the college’s requirements before college data may be shared or stored.

    • This is a technical and operational requirement separate from the primary contract and separate from the NDA or DSA agreements regarding whether the company can actually have permission to the data.
    • College procedure #5220-P5 – “Utilizing Hosted Service Providers” describes what “compliance” means to the college and provides a checklist document named “Hosted Service Provider Compliance Form” for the vendor to fill out to confirm they understand and comply with those expectations.
    • This document does not apply if the college data in question will only be stored on BC systems.

Because each document covers separate requirements, the documents can exist independently.

    • For instance, a contract could obviously exist without the other two, and a contract and data sharing agreement which limits a company or agency to accessing the college data from within our on-campus network wouldn’t require a compliance form.
    • However, all three documents related to college data may be required be compliant, e.g., when a company storing copies of protected college data on their own computers outside the college would require all three.

If a contracted individual or company refuses to sign any of the required documents, college data may not lawfully be shared with them in any manner.

AUTHORIZATION

Access to sensitive or confidential college data must be authorized by a college administrator with stewardship over the data in question and/or the authority to grant permission to the data to others.

This authorization requirement always applies, whether an individual is a college employee or not.

Individuals who have been given permission to access this protected college data in the course of their work duties may not share the data or copies of the data with others without specific administrative permission.

In most cases it is a violation of law for a college official to share sensitive or confidential data with unauthorized people or entities, and anyone choosing to do so without the appropriate documentation risks personal prosecution.

Further Information

If you have questions related to these procedures, the categories of college data, the documentation required or any information security policies, procedures, standards or processes, please contact the information security manager.


Note:

[1] It is often not clear to campus users that storing copies of college electronic information on servers located outside the college is considered data sharing because those servers are accessible by employees of the outside entity. Even if college systems or college officials are the only individuals routinely accessing the data through whatever software or service the company is providing, the fact that it resides on a server owned and supported by an outside company means that the company’s system administrators and technical support personnel have the ability access to the data. Thus, the need for appropriate agreements are still triggered based on the data’s category.

[2] In some situations, an NDA may be signed before a formal contract has been initiated (such as in the case of vendor demonstrations or presentations where college data may be used) or without a specific contract in place (such as when sharing category 2 data with other SBCTC entities and colleges).  Conversely, in other cases, it may be appropriate to complete a DSA, even for category 2 college data.

The college official releasing college data will make the determination regarding the appropriate use of an NDA or DSA based on these general guidelines.

Skip to toolbar