Information Technology

Data Classification Policy

Title: Data Classification Policy
Policy Owner: Information Technology Services / Chief Information Security Officer 
Applies to: All students, faculty, staff, volunteers, and contractors  
Campus Applicability:  All Campuses except UConn Health
Effective Date: August 30, 2021
For More Information, Contact UConn Information Security Office 
Contact Information: techsupport@uconn.edu or security@uconn.edu 
Official Website: https://security.uconn.edu/

PURPOSE 

This policy defines the classifications of institutional data (i.e., the categories of data that the University is responsible for safeguarding) and the associated measures that are necessary to safeguard each classification. Institutional data commonly exists in many forms, including electronic, magnetic, optical, and traditional paper documents. Common types of electronic data include email messages, spreadsheets, word processing documents, PDF reports, and university managed databases and file storage systems. 

APPLIES TO 

This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to protected or confidential information. This policy covers data that is stored, accessed, or transmitted in all formats, including electronic, magnetic, optical, paper, or other non-digital formats. 

DEFINITIONS  

Cloud: Any environment not operated by UConn. This includes cloud-based services that provide basic infrastructure including operating system and storage or services that provide a full software stack for an intended purpose or platform offering multiple services. 

Confidential Data: Institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies. Examples of confidential data may include Personally Identifiable Information (PII), Protected Health Information (PHI), Educational Records (FERPA), Credit Card Information (PCI-DSS). An extended list of Confidential Data can be found in Appendix A of this policy. 

Protected Data: Institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations. By default, most administrative data will fall into this classification, as will any data that is not confidential or public.

Public Data: Institutional information that may or must be freely available to the general public. Such information has no local, national, international, or contractual restrictions on access or usage. 

POLICY STATEMENT  

Through the normal course of business, many individuals at the University of Connecticut collect, maintain, transmit, and/or have access to personal information, financial data, and other information which is protected or confidential in nature. The protection of some types of data is governed by industry or governmental regulations. While other types of information may not be covered by specific legal requirements, it is in the University of Connecticut’s best interest to take steps to safeguard all university information reasonably and responsibly. 

Except for those classes of data expressly protected by statute, contract, or industry regulation, the data classification examples presented in this policy are guidelines. Ultimate responsibility for the classification in the university environment is determined by the Data Steward, as defined in the University’s Data Roles and Responsibilities Policy, and the Office of General Counsel for any given set of data. 

Data Protection 

The University of Connecticut has established the following requirements and guidelines in order to protect each classification of data. 

Public Data 

While there are few restrictions on public data, such data should be properly secured to prevent unauthorized modification, unintended use, or inadvertent/improper distribution. It should be understood that any information that is widely disseminated within the university community is potentially available to the public at large. 

The following guidelines are for information systems that are used to store and share the University’s public data. 

  • When practical, public data should only be shared via systems over which the University maintains full administrative control, which includes the ability to remove or modify the data in question. 
  • Information systems, such as web servers or cloud services that are used to share public data, must be properly secured to prevent the unauthorized modification of published public data. 
  • Interactive access to databases containing public data, such as online directories or library catalogs, should be properly secured using query rate limiting, CAPTCHAs or similar technology to impede bulk downloads of entire collections.

    Protected Data 

    Protected data requires additional levels of protection because its unauthorized disclosure, alteration, or destruction could cause damage to the University or its constituents.  

    In addition to the requirements outlined for public data, protected data must also meet these requirements: 

    • If stored in the cloud, stored only on cloud-based information systems managed or contracted by the University. 
    • Protected through the use of authenticated access in order to prevent loss, theft, or unauthorized access, disclosure or modification. 
    • Printed sensitive data including reports must be stored in a secure manner (file cabinet, closed office, or department where electronic/physical access control systems are in place) when not in use. 

    Confidential Data 

    Confidential data (see Appendix A) requires the highest level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration, or destruction of the data. Certain types of information, such as health information, may have additional requirements for protection. Wherever possible, confidential information should remain in source systems and not be propagated through saved files, spreadsheets, or other file formats. Whenever storage of confidential data is required outside the source system, it should be limited to the minimum amount, and for the minimum time, required to perform the business function, or as required by law and/or State of Connecticut Data Retention requirements.

    In addition to the requirements for protected data, confidential data must be: 

    • Protected with strong passwords and should leverage Multi-Factor Authentication whenever such capabilities exist.  
    • Stored on devices that have appropriate protection, monitoring and encryption measures in order to protect against theft, unauthorized access and unauthorized disclosure. 
    • Transmitted using approved encryption methods. 
    • Accessed via approved remote access services such as VPN when accessed remotely.  
    • Stored on university-owned devices. Confidential data is not permitted to be stored on any personally owned devices including mobile phones, laptops, or home computers. 
    • Stored, if printed material, only in a locked drawer; a locked room; an area where access is controlled by a guard, cipher lock, and/or card reader; or an area that has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other individuals not on a need-to-know basis. 

      The University’s Confidential Data may not be accessed, transmitted, or stored using public computers or via email. 

      Encryption 

      To maintain its confidentiality, all data shall be encrypted while in transit across communication networks or when stored. Stored data may only be encrypted using current encryption methodologies. To ensure that data is available when needed, each department or user of encrypted University data will ensure that encryption keys are adequately protected and that procedures are in place to allow data to be recovered by another authorized University employee. In employing encryption as a privacy tool, users must be aware of, and are expected to comply with, Federal Export Control Regulations. 

      Service Providers  

      Departments shall take steps to ensure that third-party service providers understand the University’s Data Classification Policy and protection of the University’s Data. No user may give a third party access to the University’s Protected or Confidential Data or to systems that store or process Protected or Confidential Data without permission from the Data Steward and a standard Confidentiality Agreement from University Procurement in place.

      Disposal 

      Systems administrators will ensure that all data stored on electronic media is properly destroyed or wiped to current Department of Defense Data Wipe standards prior to the disposal or transfer of the equipment.  

      Confidential Data maintained in hard copy form will be properly disposed of when no longer required for business or legal purposes. 

      ENFORCEMENT 

      Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.  

      Questions about this policy or suspected violations may be reported to any of the following: 

      Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

      Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

      Information Security Office – https://security.uconn.edu 

      REFERENCES 

      Data Roles and Responsibilities, Policy On 

      POLICY HISTORY 

      Policy created:  May 16, 2012 

      Revisions: August 30, 2021

       

      Data Roles and Responsibilities Policy

      Title: Data Roles and Responsibilities Policy, Information Technology
      Policy Owner: Information Technology Services / Chief Information Security Officer 
      Applies to:  All students, faculty, and staff  
      Campus Applicability:  All campuses except UConn Health 
      Effective Date: August 30, 2021
      For More Information, Contact UConn Information Security Office 
      Contact Information: techsupport@uconn.edu or security@uconn.edu 
      Official Website: https://security.uconn.edu/

      PURPOSE 

      To define the responsibilities of individuals within the organization in protecting the University of Connecticut’s data assets. 

      APPLIES TO 

      This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to or have been assigned one of the roles defined in this policy. 

      POLICY STATEMENT  

      Through the normal course of operations of the University, ever increasing amounts of data are created, processed, modified, and eventually disposed of as part of daily activities. To ensure the proper management of the various data sets, the University has defined the following roles and responsibilities to ensure data is properly protected, used, and managed throughout its lifecycle. 

      Data Stewards are employees of the university responsible for the overall use and proper handling of administrative, academic, public engagement, or research data. Data Stewards must classify data according to the University’s Data Classification Policy. Data Stewards ensure that appropriate steps are taken to protect data and implement policies and agreements that define appropriate use of data.  

      The Data Steward or their designated representatives are responsible for: 

      • Ensuring the information they are responsible for is accurate 
      • Authorizing the specific use of information across the organization 
      • Working with other Data Stewards to resolve conflicting data issues 
      • Specifying appropriate controls, based on data classification, to protect the data from unauthorized modification, deletion, or disclosure
      • Ensuring access rights are evaluated on a regular basis 

        Data Administrators are usually system administrators who are responsible for applying appropriate controls to data based on its classification level and required protection level. Data Administrators are also responsible for securely processing, storing, and recovering data. The Data Administrator is accountable for: 

        • Implementing the appropriate controls specified by the Data Stewards 
        • Removing access rights to specific data resources due to a job change or separation from the University 
        • Implementing the appropriate monitoring techniques and procedures for detecting, reporting, and investigating incidents 
        • Assisting Data Stewards in evaluating the overall effectiveness of controls and monitoring  

        Data Users are individuals who receive authorization from the Data Steward/Administrator to access, enter, or update information. Data Users must use the resource only for the purpose specified by the Data Steward, comply with controls established by the Steward, and prevent disclosure of confidential or protected information.

        ENFORCEMENT 

        Failure to properly fulfill the roles and responsibilities articulated in this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code. 

        Questions about this policy or suspected violations may be reported to any of the following: 

        Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

        Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

        Information Security Office – https://security.uconn.edu 

         

        POLICY HISTORY 

        Policy created:  May 16, 2012 

        Revisions: August 30, 2021 [Approved by President’s Senior Team]

        Acceptable Use, Information Technology

        Title: Acceptable Use, Information Technology
        Policy Owner: Information Technology Services/Chief Information Security Officer
        Applies to: All University Information Technology Users
        Campus Applicability: All campuses except UConn Health
        Effective Date: August 30, 2021
        For More Information, Contact UConn Information Security Office
        Contact Information: techsupport@uconn.edu or security@uconn.edu
        Official Website: https://security.uconn.edu/

        BACKGROUND 

        The University’s IT resources support many systems to fulfill the academic, research and administrative needs of the University’s constituents, including students, faculty, staff, and guests. These resources must be used in a responsible manner consistent with Federal and State laws and University policies. 

        PURPOSE 

        To define expectations of appropriate use and inform all users of information technology (IT) resources at UConn of their obligation to comply with all existing laws and institutional policies in their use of IT resources. 

        APPLIES TO 

        This policy applies to all constituents (students, faculty, staff, affiliates and guests) who use UConn’s information technology resources, including but not limited to wired and wireless networks, computer-based systems and services, printers/copiers, and cloud-based services. 

        DEFINITIONS  

        Access Point (AP): A networking hardware device that allows other Wireless (Wi-Fi) devices to connect to the University network. 

        Information Technology (IT) Resources: Include but are not limited to: 

        • Systems and equipment such as computers, hard drives, printers, scanners, video and audio recorders, cameras, photocopiers and other related devices.  
        • Software such as computer software, including open-source and purchased software, and all cloud-based software including infrastructure-based cloud computing and software as a service.  
        • Networks such as all voice, video, and data systems, including both wired and wireless network access across the institution. 

          IoT: Internet of Things are devices that communicate across a network without direct human interaction. These include but are not limited to smart assistants, lightbulbs, appliances, and televisions. 

          POLICY STATEMENT  

          The appropriate use of UConn IT Resources focuses on three primary areas including: (1) the fair and equitable use of limited resources by all constituents; (2) individual responsibilities in the use of UConn IT resources; and (3) the appropriate use of IT resources in compliance with all applicable federal and state laws, university rules, regulations and policies. 

          All activities involving the use of UConn IT resources are not personal or private; therefore, users should have no expectation of privacy in the use of these resources.  Information stored, created, sent or received via UConn systems, including cloud-based systems, may be accessible when required by law, including requests made under the Freedom of Information Act (FOIA), the Family Educational Rights and Privacy Act (FERPA), subpoena, or other legal process, statute, or regulation. 

          ACCEPTABLE USE 

          • UConn provides IT resources to enable faculty, students, and staff to accomplish their university-related work and support the University’s mission. University equipment is to be used primarily in support of the University’s mission and may not be used to conduct commercial activities or any activity prohibited by state and federal law or University policy.  
          • UConn IT Resources may not be used for the illegal download, copying, or distribution of copyrighted materials without the copyright owner’s permission or where not permitted by fair use standards under the TEACH Act.
          • Actions that negatively impact the ability of the University to operate or cause undue stress on IT resources are prohibited. These actions include but are not limited to interfering with the legitimate use of IT resources by others, introducing additional software or devices to any IT resource without appropriate authorization, or the mass mailing of unapproved email or other electronic communication. 
          • Do not intentionally seek or provide information or access to IT resources to which one is not authorized, nor assist others in doing so. Do not attempt to subvert or circumvent University systems’ security measures nor use University IT resources to subvert or circumvent other systems’ security measures for any purpose. 
          • Do not publish, post, transmit or otherwise make available content that is in violation of law or policy. The University cannot protect individuals against the existence or receipt of material that may be offensive to them. As such, those who make use of electronic communications are warned they may come across or be recipients of material they find offensive or objectionable. 
          • Do not violate the privacy of other individuals. This includes viewing, monitoring, copying, altering, or destroying any file, data, transmission or communication unless you have been given explicit permission by the owner. 
          • Do not forge, maliciously disguise or misrepresent your personal identity. This policy does not prohibit users from engaging in anonymous communications, providing that such communications do not otherwise violate the Acceptable Use Policy. University technology resources may not be used by employees of the University for partisan political purposes or presenting the impression the University has a particular political position except for those individuals authorized by the University as part of their formal responsibilities. 

            INDIVIDUAL RESPONSIBILITIES

            • Protect your data and the institution’s data 
            • Do not share your password with ANYONE or allow anyone else to use your account(s).  
            • Do not use anyone else’s account. 
            • Be vigilant in identifying and reporting various types of phishing attacks that attempt to gain access to your information. Store confidential and/or sensitive data on appropriate University approved services only.
            • While UConn owned computers often are maintained by ITS and other University IT organizations, any personally owned devices connecting to the University network (including tablets, cell phones and IoT devices) are expected to be kept up to date with current operating system and software patches, as well as employing appropriate security measures which are automatically updated. 
            • Do not utilize UConn computing resources, including personally owned computers connected to UConn’s network for non-University related commercial activity.  
            • Users who connect personally owned computers to UConn’s network that are used as servers, or who permit others to use their computers, whether directly or through user accounts, have the additional responsibility to respond to any use of their server that is in violation of the Acceptable Use Policy. IT Resource administrators and those who permit the use of the computers by others are responsible for the security and actions of others on their systems. 

                  ENFORCEMENT 

                  Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.  

                  Individual or system access may be revoked at any time based on the decision of the Chief Information Security Officer or the Chief Information Officer to protect the confidentiality, integrity, and/or availability of UConn IT Resources.  

                  PROCEDURES/FORMS 

                  Questions about this policy or suspected violations may be reported to any of the following: 

                  Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

                  Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

                  Information Security Office – https://security.uconn.edu 

                  POLICY HISTORY 

                  Policy created:  05/16/2012 

                  Revisions: 08/24/2015; 08/30/2021 [Approved by President’s Senior Team]  

                   

                  Use of the Social Security Number at the University of Connecticut, Policy on

                  Title: Use of the Social Security Number, Policy on
                  Policy Owner: Information Technology Services / Chief Information Security Officer
                  Applies to: Faculty, Staff, Students
                  Campus Applicability: All campuses except UConn Health 
                  Effective Date: August 30, 2021
                  For More Information, Contact Director of IT Security, Policy and Quality Assurance
                  Contact Information: techsupport@uconn.edu or security@uconn.edu 
                  Official Website: https://security.uconn.edu

                  PURPOSE 

                  To protect the confidentiality and privacy of students and employees of the University of Connecticut regarding the collection, use, and disclosure of Social Security numbers. Social Security numbers have been used to uniquely identify students and employees in various University systems. As systems are updated and replaced, Social Security numbers should be relied on only as required.

                  APPLIES TO 

                  This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to or have been assigned one of the roles defined in this policy. 

                  POLICY STATEMENT  

                  In order to protect the Social Security number of its students, staff, faculty and affiliates, the University of Connecticut will: 

                  1. Discontinue the collection of Social Security numbers, except where necessary for employment records, financial aid records, and other business and governmental transactions as required by law or to satisfy a business requirement when permitted by law. 
                  2. Develop a University of Connecticut identifier to be assigned to all students, faculty, staff and other individuals associated with the University, to uniquely and permanently identify the individual. This identifier will be considered public information and be assigned and distributed to the individual upon initial association with the University. It will be used in all electronic and paper data systems to identify, track and service the individual. 
                  3. Ensure that no new systems or technology purchased or developed by the University of Connecticut use the Social Security number as its primary key to the database, except where required by law. Any exemption to this policy must be approved by the Office of University Compliance.
                  4. Ensure that new systems or technologies purchased or developed by the University of Connecticut will use Social Security numbers as data elements only (not as keys to databases) when required by law or business necessity. Approval by the Council of Data Stewards is required for inclusion of the Social Security number in databases. 
                  5. Ensure that all requests, either verbal or written, for which faculty, staff or students are required to provide their Social Security number contain or have appended to them a statement explaining the University’s request (i.e., the legal obligation on which the request is based, if there is one, and how the Social Security Number will be used).  
                  6. Ensure that all requests, either verbal or written, for which faculty, staff or students are requested to voluntarily provide their Social Security number contain or have appended to them a statement explaining the University request and its purpose. The statement must indicate that no service or privilege will be withheld upon failure to provide the Social Security number and that the person may use the identifier provided by the University of Connecticut in place of the Social Security number. 
                  7. Ensure that any request for any form or document that contains the Social Security number, where the Social Security number is not the primary reason for the request, be accompanied by a statement indicating that the Social Security number is not required and should be blanked out on the form or document prior to being provided. 
                  8. Ensure that no new systems purchased or developed by the University of Connecticut display Social Security number visually, whether on computer monitors or on printed forms or other output, unless required by law. 
                  9. Access to Social Security numbers in online systems must be restricted as appropriate and visible only for required or approved uses. 

                  ENFORCEMENT 

                  Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.  

                  Questions about this policy or suspected violations may be reported to any of the following: 

                  Office of University Compliance:  https://compliance.uconn.edu (860-486-2530) 

                  Information Technology Services Tech Support:   https://techsupport.uconn.edu (860-486-4357) 

                  Information Security Office: https://security.uconn.edu

                  POLICY HISTORY 

                  Policy created: 08/2008   

                  Revisions: August 30, 2021  [Approved by President’s Senior Team]

                  Use of Official Email Lists

                  Title: Use of Official Email Lists
                  Policy Owner: Information Technology Services
                  Applies to: Faculty, Staff, Students
                  Campus Applicability:  Storrs and Regionals
                  Effective Date: December 15, 2008
                  For More Information, Contact Information Technology Services
                  Contact Information: (860) 486-4357
                  Official Website: https://its.uconn.edu/

                   

                  Background and Reasons for the Policy: In January 2001, as part of the University’s ongoing activities to improve communication and leverage its investment in technology, University ITS created Official Email Lists to help the University conduct its business with targeted audiences. In order to ensure that faculty, staff and students would not be inundated with mass e-mailings, oversight procedures were put in place to monitor the email messages being sent via the official email lists.

                  Purpose of Policy: The purpose of this policy is to ensure that the Official Email Lists are used in a manner consistent with the Electronic Communication policy and that email users are aware of the types of official lists available, the criteria to be used when communicating via the official lists, and the procedures for using the official lists.

                  Expected Institutional Outcome: It is expected that this policy will ensure proper use of Official Email Lists and reduce costs and improve efficiency of information exchange with our students and employees.

                  Applicability of Policy: This policy applies to all members of the University community.

                  Definitions:

                  Official Email Lists: Official Email Lists are involuntary, closed membership, moderated lists created by University ITS. These lists are intended to provide a method for addressing official University announcements to targeted populations of students (undergraduate and graduate), faculty, employees, at Storrs, Regional campuses, School of Social Work and Law School via their officially assigned University of Connecticut email address (Personal name). These lists are not intended as discussion (“open forum”) lists.

                  Subscription to these lists is based on information in either the Student database or the Human Resources database. These lists are refreshed automatically on a regular basis to ensure that membership remains current.

                  List Moderator: List Moderator is an individual whose job it is to approve or reject messages sent to a moderated list.

                  Policy Statement: Official Email Lists are available for use by any University unit (department, office, center, etc.) or recognized University organization for the purpose of sending messages that pertain to university work or typical university information such as

                  • Normal everyday work activities of the University
                  • Messages concerning emergency, health and safety announcements
                  • Messages pertaining to matters of university-wide policy
                  • Messages of a timely nature having direct impact on large numbers of one or all of the following groups: University faculty, staff and students.

                  Messages sent to any of the Official Email Lists must emanate from within the UConn domain and be created by an individual with appropriate responsibility to the topic.

                  Messages submitted for transmission to any of the Official Email Lists will be reviewed for adherence to the criteria for that list by one of the list moderators designated by the Chief Information Officer. To be accepted for posting, messages should adhere to the General Formatting Guidelines. Moderators will not approve any message that does not adhere to the guidelines.

                  Messages sent to any of the Official Email Lists will be archived and made available for 1 year.

                  Responsibilities:

                  The Chief Information Officer is responsible for the oversight of these lists. Technical management of the lists resides in University ITS.

                  Individuals utilizing official email lists are expected to adhere to all applicable Federal and State statutes and University policies, including the University’s Electronic Communication policy, the Electronic Privacy and Disclaimer Notice policy and the University’s Individual Responsibilities with Respect to Appropriate Use of Information Technology Resources policy.

                  Moderators for the Official Email Lists are responsible for ensuring that messages submitted for transmission meet the criteria for the list and adhere to the General Formatting Guidelines.

                  Enforcement and Review:

                  This policy will be reviewed on a bi-annual basis.

                  UConn Web Policy

                  Title: UConn Web Policy
                  Policy Owner: Information Technology Services
                  Applies to: Faculty, Staff, Students
                  Campus Applicability: All departments at all campuses except UConn Health
                  Effective Date: February 24, 2009
                  For More Information, Contact ITS
                  Contact Information: (860) 486-4357
                  Official Website: https://its.uconn.edu/

                   

                  Background and Reason for the Policy: The University of Connecticut’s World Wide Web presence is increasingly an important method for communicating with students, faculty, staff, alumni, parents and friends of the University. As the role of the Web expands, it is essential that there be clear guidelines regarding the creation and maintenance of University websites.

                  Creativity and diversity are important components of an academic community – however, through the establishment of an identity program in 1998, the University of Connecticut has made a significant commitment to its existence and image as “one university.”

                  Purpose of Policy: The purpose of this policy is to provide clarification of standards, consistent with Federal, State and University laws and policies, for displaying information on any official University website that is accessed or pointed to through the main University website.

                  Expected Institutional Outcome: Adherence to this policy will result in a University web presence that provides important University information for effectively communicating with varied audiences while providing a consistent University image and remaining in compliance with Federal, State and University laws and policies.

                  Applicability of Policy: This policy applies to all developers of University of Connecticut web pages.

                  Definitions:

                  University website: The University website comprises the main University website (www.uconn.edu) and the publicly-accessible homepages and websites of departments, offices, and other units of the University.

                  Main University website: The main University website is located at www.uconn.edu and is managed by University Communications.

                  Official University websites: Official University of Connecticut websites are those that have been sponsored by the University of Connecticut, whether they are stored on the University’s central server or on a University distributed server.

                  Official University webpages: Official University of Connecticut webpages are those that have been created by the University, its campuses, colleges, schools, departments or other administrative units, for University business. Official University webpages clearly convey a relationship to the entire University and support and advance the University’s mission.

                  Unofficial websites: Websites that are hosted but not sponsored by the University of Connecticut. The University of Connecticut does not endorse, regulate or maintain the contents of these sites, nor does it accept responsibility for the information contained in these websites.

                  Unofficial webpages: Individual webpages created by faculty, staff, students or student organizations. The University of Connecticut does not endorse, regulate or maintain the contents of these pages, nor does it accept responsibility for the information contained in these webpages.

                  Please see the links below for policies that complement the University of Connecticut Website Policy:

                  Electronic Privacy and Disclaimer Notice

                  Web Site Accessibility

                  Policy Statement: The rights of academic freedom and freedom of expression apply to the University website. However, all Official University websites must adhere to all applicable Federal and State statutes and University policies, including the University’s Acceptable Use policy.

                  Per a March, 2007 directive by the President’s Office, all Official University webpages must adhere to University Web Standards developed in collaboration by University Communications and ITS.  These standards, as well as technical resources, are defined at the WebTools website.  In addition, all Official University webpages must clearly convey a relationship to the entire University and adhere to the University Logos and Graphic Standards.

                  The University Web Standards do not apply to password-protected University web applications.

                  Responsibilities:

                  The Chief Information Officer has overall responsibility for this policy.

                  University Communications is responsible for overseeing the content and design of the main University website and for maintaining and publishing the University Web Standards.

                  The University’s webmanager in the Office of University Communications is responsible for approving all links to the main University website based upon the linked site’s adherence to this policy.

                  A department head or equivalent administrator will be considered the “owner” of a unit’s website and will be responsible for the overall function of the information it contains and for the adherence of its website to this policy.

                  A technical contact (webmaster, webmanager or site administrator) must be appointed by the website owner to maintain the website and its data. This technical contact will be the unit’s website administrator. The functions of the website administrator include:

                  • Adhering to University website policies and regulations, along with any additional department policies and procedures;
                  • Keeping the website consistently on-line and available to users;
                  • Implementing and maintaining the website software and the hardware, if maintaining their own server, including providing security for and integrity of the data; and
                  • Staying informed with respect to changes to website policies and University Web Standards.

                  Deans, directors and department heads may, at their discretion, permit individuals from their unit to display personal home pages through the department’s home page. However, if a personal website is found to be in violation of University or other appropriate policies, regulations or laws, the link from the department’s website may be removed until the issue is addressed.

                  Enforcement and Review:

                  The University reserves the right to deny publication or to remove from display any information that is considered inconsistent with published policies and practices.

                  Requests for exemption to this policy should be directed to University Communications, accompanied by written justification for the exemption request.

                  This policy and the University Web Standards will be reviewed on a bi-annual basis.

                  Responding to Requests for University Information, Policy on

                  Title: Responding to Requests for University Information, Policy on
                  Policy Owner: Information Technology Services
                  Applies to: Faculty, Staff
                  Campus Applicability:
                  Effective Date: October 22, 2007
                  For More Information, Contact Assistant VP for IT Security, Policy & Quality Assurance
                  Contact Information: (860) 486-4357
                  Official Website: https://its.uconn.edu/

                  Background and Reason for the Policy:

                  The University of Connecticut views University data, in all its forms and throughout its life cycle, as an asset of the University.  As an asset, University data must be protected to meet both Federal and State laws such as:

                  • the Family Educational Rights and Privacy Act (FERPA),
                  • the Health Insurance Portability and Accountability Act (HIPAA),
                  • the Electronic Communications Privacy Act (ECPA),
                  • the Gramm-Leach-Bliley Act and
                  • the Freedom of Information Act (FOIA),

                  as well as to comply with the policies of the institution.

                  However, many employees may not understand all of the confidentiality rules for the data to which they have access.  In addition, there has not been a clear protocol for dealing with requests for University data.

                  Purpose of Policy:

                  This policy is intended to direct employees of the University of Connecticut to whom requests for information may be made.

                  Expected Institutional Outcome: It is expected that this policy will provide the University community with a protocol for handling internal and external requests for University data.

                  Definitions:

                  • Data Classification Policy:  See Data Classification Policy
                  • Data Custodian: The entity/entities or office/offices that is/are delegated with the day-to-day operational-level responsibility of performing management functions for a defined portion of University data (i.e. specific administrative data sets) based on the definitions, procedures and guidelines developed by the Data Steward.
                  • University Data:  Any recorded data or information relating to the University’s business prepared, owned, used, received, or retained by the University and its employees and agents, whether such data or information is handwritten, typed, tape-recorded, printed, photostatted, photographed or recorded by any other method.
                  • External Requests: External requests are those made by individuals, agencies, groups or other entities outside of the University or by University members not acting in their official University capacity.
                  • Internal Requests:  Internal requests are those made by a University office, a University employee, or a student.
                  • Legitimate Business Purpose: A University Official has a Legitimate Business Purpose if the disclosure is relevant and necessary in the ordinary course of the requestor’s official duties and is related to the purpose for which the information was acquired.  Any University official who needs University Data in the course of performing instructional, supervisory, advisory, or administrative duties for the University has a Legitimate Business Purpose.
                  • Official University Webpages: Official University of Connecticut webpages are those that have been created by the University, its campuses, colleges, schools, departments or other administrative unit, for University business.  Official University webpages clearly convey a relationship to the entire University and support and advance the University’s mission.
                  • Publicly-Available:  Any information that is either published on one of the Official University webpages, the Undergraduate or Graduate Catalog, or other official University publication.
                  • Non-publicly Available: Information that the employee gains by reason of employment with the University and that he/she knows or reasonably should know has not been made available to the general public.
                  • University Official: A University Official is a University employee, administrator, officer, staff, professional, and any other individual who has been authorized by the University to act on behalf of the University.

                  Statement of Policy:

                  1. Internal Requests for Information:

                  • Employees are permitted to disclose Publicly-Available University Data or to disclose Non-Publicly Available Data to a University Official with a Legitimate Business Purpose.  Employees may release information regarding an individual student to that individual student.  All other requests should be referred as indicated below.
                  • Requests for individual law student educational information or for lists of individual Law School student educational information should be referred to the Law School.
                  • Requests for individual medical or dental student educational information or for lists of individual Medical School or Dental School student educational information should be referred to the University of Connecticut School of Medicine or School of Dentistry, respectively.
                  • Requests for individual graduate student educational information by anyone other than the individual student, or for lists of individual graduate student educational information, should be referred to the Graduate School.
                  • All other requests for student educational information by anyone other than the individual student, or for lists of individual student educational information, should be referred to the Registrar’s office.
                  • Requests for individual employee personnel information by anyone other than the individual employee, or for lists of individual employee personnel information, should be referred to the Human Resources office.
                  • Requests for summary University information should be referred to the Office of Institutional Research.
                  • Requests for information concerning University purchases and procurement contracts should be referred to the Purchasing Department.
                  • Requests for information on funded research should be referred to the Office of Sponsored Programs.
                  • Requests for financial University data should be directed to the Chief Financial Officer.
                  • Requests for information concerning University facilities should be directed to the Chief Operating Officer.
                  • Requests for all other University Data should be directed to the appropriate Data Custodian.

                  2. External Requests for Information:

                  • All external disclosures of University Data not defined as Publicly Available must comply with federal and state laws, as well as University policies.  University employees are permitted to disclose to an external individual or entity only University Data that is Publicly Available, except when permission has been given by those individuals whose information is being requested or under the exceptions listed below.
                  • All requests for information from the news media should be directed to the Office of University Communications/University Relations, which will coordinate the response.
                  • All requests for educational records concerning individuals other than oneself should be forwarded to the appropriate office:

                  – University of Connecticut School of Medicine or School of Dentistry for records involving medical or dental students;
                  – Law School for records involving law school students;
                  – Registrar’s Office for records involving undergraduate or graduate students.

                  • All requests for Student Employment Verifications and Student Job References should be directed to the Student Employment Office.
                  • All requests for External Job References should be directed to Human Resources.
                  • All court orders, subpoenas, warrants, or other legal instruments should be immediately forwarded to the Office of the Attorney General.
                  • All other external requests for such information must be made in writing and referred to the University’s Privacy Officer.
                  • A log of all external requests for information will be maintained by those offices that respond to such requests.

                  3. Exceptions:

                  • Offices and employees who are responsible for regularly supplying the public with information pursuant to inquiries or requests need only refer the request to the University’s Privacy Office or the Attorney General’s office if the information is not usually communicated through that office or employee, or if the office or employee is unsure of the propriety of releasing the information.
                  • Responses to questionnaires and surveys that require the provision of University aggregated data that has not been published should be directed to the Office of Institutional Research (OIR).  Each year, the OIR publishes statistical information which contains official University data and which is available from the OIR website.  Employees receiving such requests should use this published information as a primary source of information for completing questionnaires and surveys before sending them to the OIR for review.
                  • If a request for information can be answered in its entirety from publicly-available information, the information may be provided by an employee or office.

                  Responsibilities:

                  The President, and/or their designee(s), has overall responsibility for implementation and enforcement of this policy.

                  Review of this policy by the President and/or their designee(s) will occur biennially.

                  Violations of this policy will result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

                  Electronic Privacy and Disclaimer Notice

                  Title: Electronic Privacy and Disclaimer Notice
                  Policy Owner: Information Technology Services
                  Applies to: Faculty, Staff, Students
                  Campus Applicability:  Storrs and Regionals
                  Effective Date: June 14, 2007
                  For More Information, Contact Information Technology Services
                  Contact Information: (860) 486-4357
                  Official Website: https://its.uconn.edu/

                   

                  Background and reason for the policy: The University of Connecticut maintains the University of Connecticut website (http://www.uconn.edu/) as a service to its students, employees and external constituencies.

                  It is the policy of the University of Connecticut to respect and protect the privacy of its website users consistent with Federal and State laws such as:

                  • the Family Educational Rights and Privacy Act (FERPA),
                  • the Health Insurance Portability and Accountability Act (HIPAA),
                  • the Electronic Communications Privacy Act (ECPA),
                  • the Gramm-Leach-Bliley Act (GLB),
                  • the Children’s Online Privacy Protection Act (COPPA),
                  • the Connecticut Freedom of Information Act (FOIA), and
                  • the Connecticut Personal Data Act.

                  Purpose of Policy: The purpose of this policy is to ensure that all official University of Connecticut websites include an electronic privacy statement about the information that is collected by their website (both automatically and voluntarily) and how that information is used.

                  Expected Institutional Outcome: It is expected that this policy will result in better protection of visitors’ privacy by clarifying the University’s commitment to privacy and addressing concerns about the types of information gathered during the course of visiting any official website, and how the University uses that information.

                  Applicability of Policy: This policy applies to all information collected by or submitted to official websites of the University of Connecticut and to all visitors to these websites.

                  Definitions:

                  Official University Websites: Websites that are sponsored by the University of Connecticut, whether they are stored on the University’s central server, on a University distributed server, or on a hosted or managed web server provided by a third party.

                  Official University Webpages: Official University of Connecticut webpages are those that have been created by the University, its campuses, colleges, schools, departments or other administrative unit, for University business. Official University webpages clearly convey a relationship to the entire University and support and advance the University’s mission.

                  Statement of Policy:

                  All official University of Connecticut websites will be required to adhere to the terms and conditions employed at the University of Connecticut as outlined in this policy and inform visitors of how information at that site is managed through the posting of an electronic privacy and disclaimer statement. Individual web sites may either link to the University’s Electronic Privacy and Disclaimer Notice (University’s Notice) or develop specific notices about the collection and use of any information associated with their pages consistent with the University’s policies.

                  Terms and Conditions Governing Official University of Connecticut websites:

                  1.      Use of Social Security Number: As indicated by the Social Security Number policy, the University of Connecticut considers the social security number as registered confidential and legally protected data. Collection, storage and use of the social security number will be in accordance with the Social Security Number policy.

                  2.      Public and Non-Public Information: The University of Connecticut designates certain information pertaining to students as public or “Directory Information.”  The specific data that is classified as “Directory Information” can be obtained from the Registrar’s Office FERPA web page (http://ferpa.uconn.edu/). Except when requested in writing by the individual, “Directory Information” may be distributed electronically and/or made available on the web without providing any security protection for the information. Non-public information (or when requested by the individual, public information) must not be made available via the web, nor stored for internal use via the web, nor transmitted electronically, even to those who are entitled to the information, without utilizing adequate security measures.

                  3.      Use of Cookies: Cookies are small pieces of data passed from a web site to your hard drive usually to enable some online services to work more efficiently or to make the use of services more convenient. The University of Connecticut generally will not use cookies to track and/or retain personally-identifiable information without proper notification. However, the University reserves the right to associate personally-identifiable information with cookies. Such information will not be disclosed to outside parties unless legally required to do so in connection with legal proceedings or law enforcement investigations.

                  4.      Use of Email: In spite of the good intentions of the University to respect the privacy of individuals, it should be understood that it is impossible to assure the privacy of email. Not only may email be sent to someone other than the intended recipient (either through mis-addressing or forwarding), but email sent as plain text may also be intercepted as it travels over the network. In addition, as part of the University’s backup and archival practices, email may continue to exist in spite of the owner’s belief that the message had been deleted.

                  5.    Use of Forms: The University of Connecticut respects your privacy and does not condone providing any of your personal information to third parties without your permission, unless compelled by law or court order to do so, or selling any personal information to third parties for purposes of marketing, advertising, or promotion.

                  6.    Collection and Use of Information: In the course of visiting a web site, the University of Connecticut permits the following information to be collected, stored and used:

                  a.       Automatic Information Collected

                  i.      Routing information such as IP address. Routing information is used to route the requested web page to your computer for viewing.

                  ii.      Essential technical information including, but not limited to: page accessed; time and date accessed; operating system used; type of browser used; information about the web site from which you accessed a University of Connecticut web site and connection statistics (e.g. ports, number of bytes, number of packets, time of 1st and last packet, etc.). Essential technical information is used for such purposes as helping to respond to your request in an appropriate format and helping to plan website improvements.

                  This information is not to be reported or used in any manner that would reveal personally identifying information or to be released to any outside (third) parties unless legally required. However, it should be noted that when required by law, this information, along with other information that might be available, may enable us to identify an individual involved in a specific transmission.

                  b.      Personal Information Voluntarily Provided by the Individual

                  In the course of visiting a web site (e.g. sending an email message, filling in an on-line form, etc.), individuals may choose to provide additional personally-identifying information such as name, address, email address, social security number, password, bank account information, credit card information, or any combination of data that can be used to identify an individual. Optional information, including any email communications, is retained in accordance with the University’s records retention schedules and may be subject to public inspection and copying if not protected by federal or state law.

                  7.      Links: The provision of links from official University of Connecticut web sites to other sites does not imply endorsement of the information or services offered by these linked sites, nor do the University’s privacy policies apply to these other sites. Individuals who choose to link to any third party site should review the privacy practices of that site before providing any personally identifiable information to that site.

                  8.      Limits to Privacy: The use of University resources, including computing and networking equipment and services, purchased with University funds, is intended for University business. While it is not the intention of the University to actively monitor communications or files stored or transmitted on University systems or devices, individuals must understand that under certain circumstances they may not have a right to privacy to such information. Such circumstances include but are not limited to: compliance with legal requirements or process; investigation of suspected violations of law, regulation or University policy; maintaining the integrity of the University’s computing systems.

                  9.      Freedom of Information Requests: Under the “Connecticut Freedom of Information Act,” except as otherwise provided by federal law or state statute, all records maintained or kept on file by or at the University of Connecticut are considered public records and are subject to inspection by members of the public.  As a member of the University community, your email and any information collected in the course of visiting a web site are considered public records and may be subject to Freedom of Information disclosure. In some cases, email messages about students may fall under the FERPA definition of “education records” and therefore may be subject to the provisions of FERPA regarding the release of the information and the student’s right to inspect and review the information.

                  10.  Disclosure of Personal Data to Third Parties: In some cases the University may share personal data with third parties with whom we have a business arrangement. In all cases, the department entering into the agreement will ensure that the third party has formally agreed to protect the security of that data in compliance with the University’s Confidential Electronic Data Security Standard.

                  Responsibilities:

                  The Chief Information Officer has overall responsibility for this policy.

                  Questions concerning this policy may be directed to the IT Security Officer or to the University Privacy Officer.

                  The Chief Information Officer will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy.
                  Violations of this policy will result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

                  Electronic (E-mail) Communication Policy

                  Title: Electronic (E-mail) Communication Policy
                  Policy Owner: Information Technology Services
                  Applies to: Faculty, Staff, Affiliates and Student Employees
                  Campus Applicability: Storrs and Regionals, except UConn Health
                  Approval Date: August 30, 2023
                  Effective Date: October 1, 2023
                  For More Information, Contact: UConn Information Technology Services
                  Contact Information: techsupport@uconn.edu
                  Official Website: https://its.uconn.edu

                  DEFINITIONS

                  University Provided Email Services – University-provided email services refers to the email accounts and related services that educational institutions offer to their students, faculty, and staff. These email services can be hosted on the University’s servers or in the cloud and come with an email address in the form of username@uconn.edu.

                  PURPOSE

                  This policy applies to all uses and users of University provided email services, including faculty, staff, volunteers, contractors and affiliates. The purpose of this policy is to describe the permitted and appropriate use of University provided email to ensure compliance with relevant laws, regulations and policies, including those concerning the retention and protection of emails and attendant data.

                  POLICY STATEMENT

                  The University provides email services to support activities associated with academic, administrative, research and philanthropic functions in support of its overall mission. The University recognizes and has established email as an official means of communication. All faculty and staff are provided a UCONN.EDU email account which is the official address to which the University will send email communications. All communications related to University functions shall use the University provided email services to ensure compliance with University policies and regulatory compliance.

                  Individual Users are expected to read in a timely manner all official University email messages sent to their University email address.

                  University email services are provided solely for the purpose of conducting University business and are subject to all applicable University policies including the Code of Conduct as well as state and federal laws. Occasional use of email services for personal, non-University related purposes is allowed but subject to the Code of Conduct.

                  University email accounts and information sent via University email services are the property of the University. As a public institution, with limited exceptions, virtually all University records, including email communications, are subject to laws governing public records. Because University email accounts are University property, the University has the right to access such accounts for legitimate business purposes as may be required and/or authorized by appropriate parties. This includes but is not limited to access necessary to respond to requests made pursuant to the Connecticut Freedom of Information Act (FOIA), the Family Educational Rights and Privacy Act (FERPA), and/or subpoenas. Individuals are prohibited from directly accessing the email accounts of others unless they are authorized to do so for University business purposes.

                  Users of University email services are responsible for safeguarding the privacy and security of information sent electronically in accordance with applicable laws and policies. Automated copying or forwarding of email from University accounts to non-University accounts is prohibited. Any user who moves a copy of email sent to a University email account to a non-University email account expressly assumes personal responsibility for the security and privacy of that email and any information contained therein.  Moving a University email into a non-University account may subject the non-University account to review in response to a subpoena, FOIA request or other legal process.

                  RELATED UNIVERSITY POLICIES

                  Code of Conduct

                  Electronic Privacy and Disclaimer Notice

                  FERPA Policy

                  General Rules of Conduct

                  Records Management Policy

                  University Guide to the State Code of Ethics

                  POLICY HISTORY

                  Policy adopted: November 14, 2003

                  Revisions:
                  June 1, 2005
                  June 19, 2007
                  March 13, 2015
                  August 30, 2023 (Approved by the Senior Policy Council and the President)