Data Security Guidelines for dixie.edu

*Note: This policy is still under review and subject to change.

Introduction

Dixie State Web Services takes the protection of our users’ data seriously. We’ve drafted the following guidelines for protecting sensitive personal information about our users and minimizing the risk of data exposure.
For our purposes, we’re defining sensitive information as information that can be used to steal a person’s identity, information that can be used by those intending harm, or information that is protected by FERPA.
Data Exposure is exposure of sensitive and/or personal information on the internet in such a way that it becomes visible to the public. In the event of an exposure, we have outlined a procedure to resolve the situation as quickly and fairly as possible.

Sensitive Information

What is Considered Sensitive Information:

  • first/last name
  • addresses
  • phone numbers
  • emails
  • majors
  • grades/GPA
  • Date of birth
  • Family information
  • passwords
  • hometown
  • previous schools
  • class schedules
  • social security numbers
  • Visa numbers
  • ID/Driver’s License
  • Credit Card/Bank account info
  • medical records

Some of this information must never be collected or revealed on dixie.edu, and some of it must be used conscientiously. Details are outlined below.

User Data Collection on dixie.edu

It is often necessary to collect information about students, employees or prospective students through dixie.edu. We understand the need for information, and want to balance this with the safety and security of the personal information of everyone in the community. We’ve outlined examples of acceptable information to collect on the website, what information you can typically find in the Banner system, and what information should never be collected.

Safe Information to Collect

Acceptable Information to collect from current or past students and employees:

  • First/Last Name
  • dixieID
  • Email
  • Anything not on the sensitive information list

Collect Additional Data from Banner

With a dixieID, staff and faculty can collect the following information (and much more) from Banner:

  • addresses
  • phone numbers
  • majors
  • grades/GPA
  • DOB
  • hometown
  • previous schools
  • class schedules
  • social security
  • ID/Driver’s License

DO NOT COLLECT

Information that should NEVER BE COLLECTED:

  • social security number
  • ID/Driver’s License
  • Credit Card/Bank account info
  • medical records
  • uploads containing sensitive data (e.g., scans of driver’s license, SS card, resumes)

Displaying User Data on dixie.edu

Views or pages displaying user information are not to be created by any user who is not part of DSU Web Services. Members of DSU Web Services should get authorization from the webmaster, Rex Frisbey, before proceeding with creating a view and follow the guidelines below.

Note about views: Views are by default limited to our campus network, and publishing a view to be viewed by any internet user requires special permission from our webmaster.

Guidelines for Views

Never create a “view” or page displaying personal or sensitive user information. You may display non-sensitive data from anonymous submissions or users. When displaying non-sensitive data about users, use only one piece of identifying information – e.g., identify by name or dixieID, but never use both. A phone or email is acceptable if contact information is needed.

When building pages or views that display data about users, the page must be set to “Restricted” before it is published. DO NOT publish the page until it is ready; work in draft mode.

Using third-party forms: Google Forms, SurveyMonkey, etc.

Never use third-party forms for any kind of sensitive data or personal information. DSU Web Services cannot protect the data stored in third-party forms. You are responsible for protecting any data collected in a third-party form.

Acceptable Uses:

  • Reservations for events
  • Anonymous surveys
  • Opinion polls

Not-Acceptable Uses:

  • Applications for jobs/scholarships/etc

Questions?

Need data on the Do Not Collect List?

If you’re collecting personal information beyond name, dixieID, and/or email and cannot get it through Banner, go through Web Services and receive approval from Rex Frisbey, webmaster, and/or Andrew Goble, information security officer.

Unsure if your data is safe to collect?

If you are unsure whether the data you are collecting is considered “sensitive,” please contact DSU Web Services with your questions. We will be happy to help you determine the best solution for your needs while protecting the data of the DSU community.

Preventing an Exposure

Preventing an exposure requires thought and consideration from everyone involved. Before building or requesting a form, consider the following:

  • What is the least amount of information needed?
  • What is at risk if this information became public?
  • Would I want this information about me to be public?

Once the data is submitted, it is stored in a secure database and can be emailed as text or a CSV file. Once you receive the data in your email, it becomes your responsibility to protect it. DO NOT put this data on a portable drive or a public computer. Protect it the same as you would your own personal information.

When building pages that display data about users, the page must be set to “Restricted” before it is published. DO NOT publish the page until you are certain the page is working correctly and the data will be secure.

In the Event of an Exposure

Contact the DSU webmaster, Rex Frisbey, immediately.

Inform him of which page is exposed, what is on it, and when and how it happened. The DSU web team and information security office will take steps to secure and protect the user information exposed, and prevent future exposures.
If a view/page with sensitive data is published without “Restricted” enabled, it is still an exposure, and it is our responsibility to verify the data has not been compromised, even if you later “restrict” the page.