Policy on Protecting Confidential Information

Policy Number: 702

University Records and Information Systems

The permanent link for this policy is: https://policies.northeastern.edu/policy702/

I. Purpose and Scope

Northeastern University is committed to protecting the Confidential Information it creates, receives, maintains, and/or stores while pursuing its educational and research missions and performing its administrative functions. This policy guides the university community on appropriately protecting its proprietary and non-public information. It also describes the obligations of members of the university community to prevent unauthorized disclosure or use of the university’s Confidential Information.

This policy applies to all members of the university community, including students, faculty, staff, alumni, and volunteers in connection with university activities, as well as contractors, vendors, consultants, and affiliates when performing services for the university. It encompasses all Confidential Information accessed or created while employed or engaged with the university, whether paid or unpaid.

II. Definitions

Confidential Information means any proprietary or non-public information the unauthorized disclosure, use, alteration, or loss of which could result in a violation of Northeastern’s legal obligations or policies, or could adversely affect the university’s reputation, programs and services, safety, operations, finances, or community members.

Examples of Confidential Information include, without limitation, any Personal Information of employees, students (including their educational records), applicants, and parents; financial information (including credit card numbers, bank account numbers, and university financial data); health information; non-public contracts, awards, and grants; Restricted Research Data; alumni and donor records; personnel records; system passwords; and future operational and strategic plans. 

Data Classification Guidelines refers to the university’s framework for organizing, classifying, securing, and sharing institutional data based on the type of data, level of risk, and confidentiality requirements. 

Data Custodians are university employees who oversee the usage and access to Confidential Information for their business domain. They coordinate with University Decision Support (UDS) and the Office of the General Counsel (OGC) to classify the Confidential Information for which they are responsible and charter new opportunities or initiatives on business-/data-related issues. 

Personal Information means information relating to an individual that identifies or can reasonably be used to identify the individual, directly or indirectly (including in combination with other data), by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the identity of the individual.    

Restricted Research Data means information or data used for university research that is subject to restriction on its access, use, or disclosure under contract terms, applicable law, or university policy. 

III. Policy

All members of the university community are required to protect Confidential Information in accordance with the following requirements:

1. Confidential Information may be accessed, used, and shared internally only on a need-to-know basis with authorized members of the university community for an approved purpose.

2. Confidential Information may be shared externally with a supplier, contractor, or other third party only (i) when it has an agreement with Northeastern that meets the requirements of the Policy on the Review and Approval of Proposed Contracts and (ii) when it is sharing 3 Lock or 4 Lock Confidential Information, it has completed the Office of Information Security (OIS) vendor compliance assessment process within the prior three years (or more frequently if required by OIS).

3. All Confidential Information collected, created, or maintained by a university department or business unit should be assigned a classification level (Critical Risk/4 Lock, High Risk/3 Lock, or Low Risk/2 Lock) by its Data Custodian. These levels are defined in the university’s Data Classification Guidelines. Relevant data users must follow the controls associated with the assigned classification level. The UDS Data Classification Tool is designed to help users identify the applicable classification level and the handling requirements for specific types of Confidential Information.

4. Confidential Information must be handled in accordance with university security and privacy policies and standards, including, without limitation, the Policy on Information Technology System Security, the Policy on Appropriate Use of Computer and Network Resources, and the two policies governing student privacy and employee privacy.

5. When an individual separates from the university, or on request of HR or another university authority, all originals and copies of Confidential Information in the individual’s possession or control, whether in electronic or hardcopy form, must be returned to the university or destroyed (as directed by the university) and all further access to and use of such information permanently relinquished.

If an external request for access to Confidential Information is received, whether from a government agency or law enforcement, or whether via legal process (e.g., subpoena) or another form of request (e.g., U.S. Freedom of Information Act), contact the OGC immediately so it can assess the request’s validity and provide guidance on the appropriate response. 


See the University Policies home page for important information on disciplinary and other actions that can result from violating this policy.

IV. Additional Information

If in doubt whether information is Confidential Information, consult the UDS Data Classification Tool or contact the OGC at privacy@northeastern.edu.

Version History

Last Revision Date: November 12, 2025

Issued: August 1, 2014