ITS

Data Roles and Responsibilities Policy

Title: Data Roles and Responsibilities Policy, Information Technology
Policy Owner: Information Technology Services / Chief Information Security Officer 
Applies to:  All students, faculty, and staff  
Campus Applicability:  All campuses except UConn Health 
Effective Date: August 30, 2021
For More Information, Contact UConn Information Security Office 
Contact Information: techsupport@uconn.edu or security@uconn.edu 
Official Website: https://security.uconn.edu/

PURPOSE 

To define the responsibilities of individuals within the organization in protecting the University of Connecticut’s data assets. 

APPLIES TO 

This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to or have been assigned one of the roles defined in this policy. 

POLICY STATEMENT  

Through the normal course of operations of the University, ever increasing amounts of data are created, processed, modified, and eventually disposed of as part of daily activities. To ensure the proper management of the various data sets, the University has defined the following roles and responsibilities to ensure data is properly protected, used, and managed throughout its lifecycle. 

Data Stewards are employees of the university responsible for the overall use and proper handling of administrative, academic, public engagement, or research data. Data Stewards must classify data according to the University’s Data Classification Policy. Data Stewards ensure that appropriate steps are taken to protect data and implement policies and agreements that define appropriate use of data.  

The Data Steward or their designated representatives are responsible for: 

  • Ensuring the information they are responsible for is accurate 
  • Authorizing the specific use of information across the organization 
  • Working with other Data Stewards to resolve conflicting data issues 
  • Specify appropriate controls, based on data classification, to protect the data from unauthorized modification, deletion, or disclosure 
  • Ensuring access rights are evaluated on a regular basis 

    Data Administrators are usually system administrators who are responsible for applying appropriate controls to data based on its classification level and required protection level. Data Administrators are also responsible for securely processing, storing, and recovering data. The Data Administrator is accountable for: 

    • Implementing the appropriate controls specified by the Data Stewards 
    • Removing access rights to specific data resources due to a job change or separation from the University 
    • Implementing the appropriate monitoring techniques and procedures for detecting, reporting, and investigating incidents 
    • Assisting Data Stewards in evaluating the overall effectiveness of controls and monitoring  

    Data Users are individuals who receive authorization from the Data Steward/Administrator to access, enter, or update information. Data Users  must use the resource only for the purpose specified by the Data Steward, complying with controls established by the Steward, and preventing disclosure or confidential or protected information. 

    ENFORCEMENT 

    Failure to properly fulfill the roles and responsibilities articulated in this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code. 

    Questions about this policy or suspected violations may be reported to any of the following: 

    Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

    Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

    Information Security Office – https://security.uconn.edu 

     

    POLICY HISTORY 

    Policy created:  May 16, 2012 

    Revisions: August 30, 2021 [Approved by President’s Senior Team]

    Acceptable Use, Information Technology

    Title: Acceptable Use, Information Technology
    Policy Owner: Information Technology Services/Chief Information Security Officer
    Applies to: All University Information Technology Users
    Campus Applicability: All campuses except UConn Health
    Effective Date: August 30, 2021
    For More Information, Contact UConn Information Security Office
    Contact Information: techsupport@uconn.edu or security@uconn.edu
    Official Website: https://security.uconn.edu/

    BACKGROUND 

    The University’s IT resources support many systems to fulfill the academic, research and administrative needs of the University’s constituents, including students, faculty, staff, and guests. These resources must be used in a responsible manner consistent with Federal and State laws and University policies. 

    PURPOSE 

    To define expectations of appropriate use and inform all users of information technology (IT) resources at UConn of their obligation to comply with all existing laws and institutional policies in their use of IT resources. 

    APPLIES TO 

    This policy applies to all constituents (students, faculty, staff, affiliates and guests) who use UConn’s information technology resources, including but not limited to wired and wireless networks, computer-based systems and services, printers/copiers, and cloud-based services. 

    DEFINITIONS  

    Access Point (AP): A networking hardware device that allows other Wireless (Wi-Fi) devices to connect to the University network. 

    Information Technology (IT) Resources: Include but are not limited to: 

    • Systems and equipment such as computers, hard drives, printers, scanners, video and audio recorders, cameras, photocopiers and other related devices.  
    • Software such as computer software, including open-source and purchased software, and all cloud-based software including infrastructure-based cloud computing and software as a service.  
    • Networks such as all voice, video, and data systems, including both wired and wireless network access across the institution. 

      IoT: Internet of Things are devices that communicate across a network without direct human interaction. These include but are not limited to smart assistants, lightbulbs, appliances, and televisions. 

      POLICY STATEMENT  

      The appropriate use of UConn IT Resources focuses on three primary areas including: (1) the fair and equitable use of limited resources by all constituents; (2) individual responsibilities in the use of UConn IT resources; and (3) the appropriate use of IT resources in compliance with all applicable federal and state laws, university rules, regulations and policies. 

      All activities involving the use of UConn IT resources are not personal or private; therefore, users should have no expectation of privacy in the use of these resources.  Information stored, created, sent or received via UConn systems, including cloud-based systems, may be accessible when required by law, including requests made under the Freedom of Information Act (FOIA), the Family Educational Rights and Privacy Act (FERPA), subpoena, or other legal process, statute, or regulation. 

      ACCEPTABLE USE 

      • UConn provides IT resources to enable faculty, students, and staff to accomplish their university-related work and support the University’s mission. University equipment is to be used primarily in support of the University’s mission and may not be used to conduct commercial activities or any activity prohibited by state and federal law or University policy.  
      • UConn IT Resources may not be used for the illegal download, copying, or distribution of copyright materials without the copyright owner’s permission or where not permitted by fair use standards under the TEACH Act. 
      • Actions that negatively impact the ability of the University to operate or cause undue stress on IT resources are prohibited. These actions include but are not limited to interfering with the legitimate use of IT resources by others, introducing additional software or devices to any IT resource without appropriate authorization, or the mass mailing of unapproved email or other electronic communication. 
      • Do not intentionally seek or provide information or access to IT resources to which one is not authorized, nor assist others in doing so. Do not attempt to subvert or circumvent University systems’ security measures nor use University IT resources to subvert or circumvent other systems’ security measures for any purpose. 
      • Do not publish, post, transmit or otherwise make available content that is in violation of law or policy. The University cannot protect individuals against the existence or receipt of material that may be offensive to them. As such, those who make use of electronic communications are warned they may come across or be recipients of material they find offensive or objectionable. 
      • Do not violate the privacy of other individuals. This includes viewing, monitoring, copying, altering, or destroying any file, data, transmission or communication unless you have been given explicit permission by the owner. 
      • Do not forge, maliciously disguise or misrepresent your personal identity. This policy does not prohibit users from engaging in anonymous communications, providing that such communications do not otherwise violate the Acceptable Use Policy. University technology resources may not be used by employees of the University for partisan political purposes or presenting the impression the University has a particular political position except for those individuals authorized by the University as part of their formal responsibilities. 

        INDIVIDIUAL RESPONSIBILITIES 

        • Protect your data and the institution’s data 
        • Do not share your password with ANYONE or allow anyone else to use your account(s).  
        • Do not use anyone else’s account. 
        • Be vigilant in identifying and reporting various types of phishing attacks to gain access to your information. Store confidential and/or sensitive data on appropriate University approved services only. 
        • While UConn owned computers often are maintained by ITS and other University IT organizations, any personally owned devices connecting to the University network (including tablets, cell phones and IoT devices) are expected to be kept up to date with current operating system and software patches, as well as employing appropriate security measures which are automatically updated. 
        • Do not utilize UConn computing resources, including personally owned computers connected to UConn’s network for non-University related commercial activity.  
        • Users who connect personally owned computers to UConn’s network that are used as servers, or who permit others to use their computers, whether directly or through user accounts, have the additional responsibility to respond to any use of their server that is in violation of the Acceptable Use Policy. IT Resource administrators and those who permit the use of the computers by others are responsible for the security and actions of others on their systems. 

              ENFORCEMENT 

              Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.  

              Individual or system access may be revoked at any time based on the decision of the Chief Information Security Officer or the Chief Information Officer to protect the confidentiality, integrity, and/or availability of UConn IT Resources.  

              PROCEDURES/FORMS 

              Questions about this policy or suspected violations may be reported to any of the following: 

              Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

              Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

              Information Security Office – https://security.uconn.edu 

              POLICY HISTORY 

              Policy created:  05/16/2012 

              Revisions: 08/24/2015; 08/30/2021 [Approved by President’s Senior Team]  

               

              Use of the Social Security Number at the University of Connecticut, Policy on

              Title: Use of the Social Security Number, Policy on
              Policy Owner: Information Technology Services / Chief Information Security Officer
              Applies to: Faculty, Staff, Students
              Campus Applicability: All campuses except UConn Health 
              Effective Date: August 30, 2021
              For More Information, Contact Director of IT Security, Policy and Quality Assurance
              Contact Information: techsupport@uconn.edu or security@uconn.edu 
              Official Website: https://security.uconn.edu

              PURPOSE 

              To protect the confidentiality and privacy of students and employees of the University of Connecticut regarding the collection, use, and disclosure of Social Security numbers. Social Security numbers have been used to uniquely identify students and employees in various University systems. As systems are updated and replaced, the reliance on Social Security numbers should be used only as required. 

              APPLIES TO 

              This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to or have been assigned one of the roles defined in this policy. 

              POLICY STATEMENT  

              In order to protect the Social Security number of its students, staff, faculty and affiliates, the University of Connecticut will: 

              1. Discontinue the collection of Social Security numbers, except where necessary for employment records, financial aid records, and other business and governmental transactions as required by law or to satisfy a business requirement when permitted by law. 
              2. Develop a University of Connecticut identifier to be assigned to all students, faculty, staff and other individuals associated with the University, to uniquely and permanently identify the individual. This identifier will be considered public information and be assigned and distributed to the individual upon initial association with the University. It will be used in all electronic and paper data systems to identify, track and service the individual. 
              3. Ensure that no new systems or technology purchased or developed by the University of Connecticut  use the Social Security number as its primary key to the database, except where required by law. Any exemption to this policy must be approved by the Office of University Compliance. 
              4. Ensure that new systems or technologies purchased or developed by the University of Connecticut will use Social Security numbers as data elements only (not as keys to databases) when required by law or business necessity. Approval by the Council of Data Stewards is required for inclusion of the Social Security number in databases. 
              5. Ensure that all requests, either verbal or written, for which faculty, staff or students are required to provide their Social Security number contain or have appended to them a statement explaining the University’s request (i.e., the legal obligation on which the request is based, if there is one, and how the Social Security Number will be used).  
              6. Ensure that all requests, either verbal or written, for which faculty, staff or students are requested to voluntarily provide their Social Security number contain or have appended to them a statement explaining the University request and its purpose. The statement must indicate that no service or privilege will be withheld upon failure to provide the Social Security number and that the person may use the identifier provided by the University of Connecticut in place of the Social Security number. 
              7. Ensure that any request for any form or document that contains the Social Security number, where the Social Security number is not the primary reason for the request, be accompanied by a statement indicating that the Social Security number is not required and should be blanked out on the form or document prior to being provided. 
              8. Ensure that no new systems purchased or developed by the University of Connecticut display Social Security number visually, whether on computer monitors or on printed forms or other output, unless required by law. 
              9. Access to Social Security numbers in online systems must be restricted as appropriate and visible only for required or approved uses. 

              ENFORCEMENT 

              Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.  

              Questions about this policy or suspected violations may be reported to any of the following: 

              Office of University Compliance:  https://compliance.uconn.edu (860-486-2530) 

              Information Technology Services Tech Support:   https://techsupport.uconn.edu (860-486-4357) 

              Information Security Officehttps://security.uconn.edu 

              POLICY HISTORY 

              Policy created: 08/2008   

              Revisions: August 30, 2021  [Approved by President’s Senior Team]

              Use of Official Email Lists

              Title: Use of Official Email Lists
              Policy Owner: Information Technology Services
              Applies to: Faculty, Staff, Students
              Campus Applicability:  Storrs and Regionals
              Effective Date: December 15, 2008
              For More Information, Contact Information Technology Services
              Contact Information: (860) 486-4357
              Official Website: https://its.uconn.edu/

               

              Background and Reasons for the Policy: In January 2001, as part of the University’s ongoing activities to improve communication and leverage its investment in technology, University ITS created Official Email Lists to help the University conduct its business with targeted audiences. In order to ensure that faculty, staff and students would not be inundated with mass e-mailings, oversight procedures were put in place to monitor the email messages being sent via the official email lists.

              Purpose of Policy: The purpose of this policy is to ensure that the Official Email Lists are used in a manner consistent with the Electronic Communication policy and that email users are aware of the types of official lists available, the criteria to be used when communicating via the official lists, and the procedures for using the official lists.

              Expected Institutional Outcome: It is expected that this policy will insure proper use of Official Email Lists and reduce costs and improve efficiency of information exchange with our students and employees.

              Applicability of Policy: This policy applies to all members of the University community.

              Definitions:

              Official Email Lists: Official Email Lists are involuntary, closed membership, moderated lists created by University ITS. These lists are intended to provide a method for addressing official University announcements to targeted populations of students (undergraduate and graduate), faculty, employees, at Storrs, Regional campuses, School of Social Work and Law School via their officially assigned University of Connecticut email address (Personal name). These lists are not intended as discussion (“open forum”) lists.

              Subscription to these lists is based on information in either the Student database or the Human Resources database. These lists are refreshed automatically on a regular basis to ensure that membership remains current.

              List Moderator: List Moderator is an individual whose job it is to approve or reject messages sent to a moderated list.

              Policy Statement: Official Email Lists are available for use by any University unit (department, office, center, etc.) or recognized University organization for the purpose of sending messages that pertain to university work or typical university information such as

              • Normal everyday work activities of the University
              • Messages concerning emergency, health and safety announcements
              • Messages pertaining to matters of university-wide policy
              • Messages of a timely nature having direct impact on large numbers of one or all of the following groups: University faculty, staff and students.

              Messages sent to any of the Official Email Lists must emanate from within the UConn domain and be created by an individual with appropriate responsibility to the topic.

              Messages submitted for transmission to any of the Official Email Lists will be reviewed for adherence to the criteria for that list by one of the list moderators designated by the Chief Information Officer. To be accepted for posting, messages should adhere to the General Formatting Guidelines. Moderators will not approve any message that does not adhere to the guidelines.

              Messages sent to any of the Official Email Lists will be archived and made available for 1 year.

              Responsibilities:

              The Chief Information Officer is responsible for the oversight of these lists. Technical management of the lists resides in University ITS.

              Individuals utilizing official email lists are expected to adhere to all applicable Federal and State statutes and University policies, including the University’s Electronic Communication policy, the Electronic Privacy and Disclaimer Notice policy and the University’s Individual Responsibilities with Respect to Appropriate Use of Information Technology Resources policy.

              Moderators for the Official Email Lists are responsible for insuring that messages submitted for transmission meet the criteria for the list and adhere to the General Formatting Guidelines

              Enforcement and Review:

              This policy will be reviewed on a bi-annual basis.

              Responding to Requests for University Information, Policy on

              Title: Responding to Requests for University Information, Policy on
              Policy Owner: Information Technology Services
              Applies to: Faculty, Staff
              Campus Applicability:
              Effective Date: October 22, 2007
              For More Information, Contact Assistant VP for IT Security, Policy & Quality Assurance
              Contact Information: (860) 486-4357
              Official Website: https://its.uconn.edu/

              Background and Reason for the Policy:

              The University of Connecticut views University data, in all its forms and throughout its life cycle, as an asset of the University.  As an asset, University data must be protected to meet both Federal and State laws such as:

              • the Family Rights and Privacy Act (FERPA),
              • the Health Insurance Portability and Accountability Act (HIPAA),
              • the Electronic Communications Privacy Act (ECPA),
              • the Gramm-Leach-Bliley Act and
              • the Freedom of Information Action (FOIA),

              as well as to comply with the policies of the institution.

              However, many employees may not understand all of the confidentiality rules for the data to which they have access.  In addition, there has not been a clear protocol for dealing with requests for University data.

              Purpose of Policy:

              This policy is intended to direct employees of the University of Connecticut to whom requests for information may be made.

              Expected Institutional Outcome: It is expected that this policy will provide the University community with a protocol for handling internal and external requests for University data.

              Definitions:

              • Data Classification Policy:  See Data Classification Policy
              • Data Custodian: The entity/entities or office/offices that is/are delegated with the day-to-day operational-level responsibility of performing management functions for a defined portion of University data (i.e. specific administrative data sets) based on the definitions, procedures and guidelines developed by the Data Steward.
              • University Data:  Any recorded data or information relating to the University’s business prepared, owned, used, received, or retained by the University and its employees and agents, whether such data or information is handwritten, typed, tape-recorded, printed, photostatted, photographed or recorded by any other method.
              • External Requests: External requests are those made by individuals, agencies, groups or other entities outside of the University or by University members not acting in their official University capacity.
              • Internal Requests:  Internal requests are those made by a University office, a University employee, or a student.
              • Legitimate Business Purpose: A University Official has a Legitimate Business Purpose if the disclosure is relevant and necessary in the ordinary course of the requestor’s official duties and is related to the purpose for which the information was acquired.  Any University official who needs University Data in the course of performing instructional, supervisory, advisory, or administrative duties for the University has a Legitimate Business Purpose.
              • Official University Webpages: Official University of Connecticut webpages are those that have been created by the University, its campuses, colleges, schools, departments or other administrative unit, for University business.  Official University webpages clearly convey a relationship to the entire University and support and advance the University’s mission.
              • Publicly-Available:  Any information that is either published on one of the Official University webpages, the Undergraduate or Graduate Catalog, or other official University publication.
              • Non-publicly Available: Information that the employee gains by reason of employment with the University and that he/she knows or reasonably should know has not been made available to the general public.
              • University Official: A University Official is a University employee, administrator, officer, staff, professional, and any other individual who has been authorized by the University to act on behalf of the University.

              Statement of Policy:

              1. Internal Requests for Information:

              • Employees are permitted to disclose Publicly-Available University Data or to disclose Non-Publicly Available Data to a University Official with a Legitimate Business Purpose.  Employees may release information regarding individual student to that individual student.  All other requests should be referred as indicated below.
              • Requests for individual law student educational information or for lists of individual Law School student educational information should be referred to the Law School.
              • Requests for individual medical or dental student educational information or for lists of individual Medical School or Dental School student educational information should be referred to the University of Connecticut School of Medicine or School of Dentistry, respectively.
              • Requests for individual graduate student educational information by anyone other than the individual student, or for lists of individual graduate student educational information, should be referred to the Graduate School.
              • All other requests for student educational information by anyone other than the individual student, or for lists of individual student educational information, should be referred to the Registrar’s office.
              • Requests for individual employee personnel information by anyone other than the individual employee, or for lists of individual employee personnel information, should be referred to the Human Resources office.
              • Requests for summary University information should be referred to the Office of Institutional Research.
              • Requests for information concerning University purchases and procurement contracts should be referred to the Purchasing Department.
              • Requests for information on funded research should be referred to the Office of Sponsored Programs.
              • Requests for financial University data should be directed to the Chief Financial Officer.
              • Requests for information concerning University facilities should be directed to the Chief Operating Officer.
              • Requests for all other University Data should be directed to the appropriate Data Custodian.

              2. External Requests for Information:

              • All external disclosures of University Data not defined as Publicly Available must comply with federal and state laws, as well as University policies.  University employees are only permitted to disclose University data to an external individual or entity that is Publicly Available except when permission has been given by those individuals whose information is being requested or under the exceptions listed below.
              • All requests for information from the news media should contact the Office of University Communications/University Relations, which will coordinate the response.
              • All requests for educational records concerning individuals other than oneself should be forwarded to the appropriate office:

              –     University of Connecticut School of Medicine or School of Dentistry for records involving medical or dental students;

              –    Law School for records involving law school students;

              –    Registrar’s Office for records involving undergraduate or graduate students.

              • All requests for Student Employment Verifications and Student Job References should be directed to the Student Employment Office.
              • All requests for External Job References should be directed to Human Resources.
              • All court orders, subpoenas, warrants, or other legal instruments should be immediately forwarded to the Office of the Attorney General.
              • All other external requests for such information must be made in writing and referred to the University’s Privacy Officer.
              • A log of all external requests for information will be maintained by those offices that respond to such requests.

              3. Exceptions:

              • Offices and employees who are responsible for regularly supplying the public with information pursuant to inquiries or requests need only refer the request to the University’s Privacy Office or the Attorney General’s office if the information is not usually communicated through that office or employee, or if the office or employee is unsure of the propriety of releasing the information.
              • Responses to questionnaires and surveys that require the provision of University aggregated data that has not been published should be directed to the Office of Institutional Research (OIR).  Each year, the OIR publishes statistical information which contain official University data and which is available from the OIR website.  Employees receiving such requests should use this published information as a primary source of information for completing questionnaires and surveys before sending them to the OIR for review.
              • If a request for information can be answered in its entirety from publicly-available information, the information may be provided by an employee or office.

              Responsibilities:

              The President, and/or their designee(s), has overall responsibility for implementation and enforcement of this policy.

              Review of this policy by the President and/or their designee(s) will occur biennially.

              Violations of this policy will result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

              Electronic Privacy and Disclaimer Notice

              Title: Electronic Privacy and Disclaimer Notice
              Policy Owner: Information Technology Services
              Applies to: Faculty, Staff, Students
              Campus Applicability:  Storrs and Regionals
              Effective Date: June 14, 2007
              For More Information, Contact Information Technology Services
              Contact Information: (860) 486-4357
              Official Website: https://its.uconn.edu/

               

              Background and reason for the policy: The University of Connecticut maintains the University of Connecticut website (http://www.uconn.edu/) as a service to its students, employees and external constituencies.

              It is the policy of the University of Connecticut to respect and protect the privacy of its website users consistent with Federal and State laws such as:

              • Family Rights and Privacy Act (FERPA),
              • the Health Insurance Portability and Accountability Act (HIPAA),
              • the Electronic Communications Privacy Act (ECPA),
              • the Gramm-Leach-Bliley Act (GLB),
              • the Children’s Online Privacy Protection Act (COPPA),
              • the Connecticut Freedom of Information Action (FOIA), and
              • the Connecticut Personal Data Act.

              Purpose of Policy: The purpose of this policy is to ensure that all official University of Connecticut websites include an electronic privacy statement about the information that is collected by their website (both automatically and voluntarily) and how that information is used.

              Expected Institutional Outcome: It is expected that this policy will result in better protection of visitor’s privacy by clarifying the University’s commitment to privacy and to address concerns about the types of information gathered during the course of visiting any official website, and how the University uses that information.

              Applicability of Policy: This policy applies to all information collected by or submitted to official websites of the University of Connecticut and to all visitors to these websites.

              Definitions:

              Official University Websites: Websites that are sponsored by the University of Connecticut, whether they are stored on the University’s central server, on a University distributed server, or on a hosted or managed web server provided by a third party.

              Official University Webpages: Official University of Connecticut webpages are those that have been created by the University, its campuses, colleges, schools, departments or other administrative unit, for University business. Official University webpages clearly convey a relationship to the entire University and support and advance the University’s mission.

              Statement of Policy:

              All official University of Connecticut websites will be required to adhere to the terms and conditions employed at the University of Connecticut as outlined in this policy and inform visitors of how information at that site is managed through the posting of an electronic privacy and disclaimer statement. Individual web sites may either link to the University’s Electronic Privacy and Disclaimer Notice (University’s Notice) or develop specific notices about the collection and use of any information associated with their pages consistent with the University’s policies.

              Terms and Conditions Governing Official University of Connecticut websites:

              1.      Use of Social Security Number: As indicated by the Social Security Number policy, the University of Connecticut considers the social security number as registered confidential and legally protected data. Collection, storage and use of the social security number will be in accordance with the Social Security Number policy.

              2.      Public and Non-Public Information: The University of Connecticut designates certain information pertaining to students as public or “Directory Information.”  The specific data that is classified as “Directory Information” can be obtained from the Registrar’s Office FERPA web page (http://ferpa.uconn.edu/). Except when requested in writing by the individual, “Directory Information” may be distributed electronically and/or made available on the web without providing any security protection for the information. Non-public information (or when requested by the individual, public information) must not be made available via the web, nor stored for internal use via the web, nor transmitted electronically, even to those who are entitled to the information, without utilizing adequate security measures.

              3.      Use of Cookies: Cookies are small pieces of data passed from a web site to your hard drive usually to enable some online services to work more efficiently or to make the use of services more convenient. The University of Connecticut generally will not use cookies to track and/or retain personally-identifiable information without proper notification. However, the University reserves the right to associate personally- identifiable information with cookies. Such information will not be disclosed to outside parties unless legally required to do so in connection with legal proceedings or law enforcement investigations.

              4.      Use of Email: In spite of the good intentions of the University to respect the privacy of individuals, it should be understood that it is impossible to assure the privacy of email. Not only may email be sent to someone other than the intended recipient (either through mis-addressing or forwarding), but email sent as plain text may also be intercepted as it travels over the network. In addition, as part of the University’s backup and archival practices, email may continue to exist in spite of the owner’s belief that the message had been deleted.

              5.    Use of Forms: The University of Connecticut respects your privacy and does not condone providing any of your personal information to third parties without your permission, unless compelled by law or court order to do so, or to sell any personal information to third parties for purposes of marketing, advertising, or promotion.

              6.    Collection and Use of Information: In the course of visiting a web site, the University of Connecticut permits the following information to be collected, stored and used:

              a.       Automatic Information Collected

              i.      Routing information such as IP address. Routing information is used to route the requested web page to your computer for viewing.

              ii.      Essential technical information including, but not limited to: page accessed; time and date accessed; operating system used; type of browser used; information about the web site from which you accessed a University of Connecticut web site and connection statistics (e.g. ports, number of bytes, number of packets, time of 1st and last packet, etc.). Essential technical information is used for such purposes as helping to respond to your request in an appropriate format and helping to plan website improvements.

              This information is not to be reported or used in any manner that would reveal personally identifying information or to be released to any outside (third) parties unless legally required. However, it should be noted that when required by law, this information, along with other information that might be available, may enable us to identify an individual involved in a specific transmission.

              b.      Personal Information Voluntarily Provided by the Individual

              In the course of visiting a web site (e.g. sending an email message, filling in an on-line form, etc.), individuals may choose to provide additional personally- identifying information such as name, address, email address, social security number, password, bank account information, credit card information, or any combination of data that can be used to identify an individual. Optional information, including any email communications, is retained in accordance with the University’s records retention schedules and may be subject to public inspection and copying if not protected by federal or state law.

              7.      Links: The provision of links from official University of Connecticut web sites to other sites does not imply endorsement of the information or services offered by these linked sites nor does the University’s privacy policies apply to these other sites. Individuals who choose to link to any third party site should review the privacy practices of that site before providing any personally identifiable information to that site.

              8.      Limits to Privacy: The use of University resources, including computing and networking equipment and services, purchased with University funds, are intended for University business. While it is not the intention of the University to actively monitor communications or files stored or transmitted on University systems or devices, individuals must understand that under certain circumstances they may not have a right to privacy to such information. Such circumstances include but are not limited to: compliance with legal requirements or process; investigation of suspected violations of law, regulation or University policy; maintaining the integrity of the University’s computing systems.

              9. Freedom of Information Requests: Under the “Connecticut Freedom of Information Act,” except as otherwise provided by federal law or state statute, all records maintained or kept on file by or at the University of Connecticut are considered public records and are subject to inspection by members of the public.  As a member of the University community, your email and any information collected in the course of visiting a web site are considered public records and may be subject to Freedom of Information disclosure. In some cases, email messages about students may fall under the FERPA definition of  “education records” and therefore may be subject to the provisions of FERPA regarding the release of the information and the student’s right to inspect and review the information.

              10.  Disclosure of Personal Data to Third Parties: In some cases the University may share personal data with third parties with whom we have a business arrangement. In all cases, the department entering into the agreement will ensure that the third party has formally agreed to protect the security of that data in compliance with the University’s Confidential Electronic Data Security Standard.

              Responsibilities:

              The Chief Information Officer has overall responsibility for this policy.

              Questions concerning this policy may be directed to the IT Security Officer or to the University Privacy Officer.

              The Chief Information Officer will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy.
              Violations of this policy will result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

              Electronic (E-mail) Communication Policy

              Title: Electronic (E-mail) Communication Policy
              Policy Owner: Information Technology Services
              Applies to: Faculty, Staff, Affiliates and Student Employees
              Campus Applicability: Storrs and Regionals, except UConn Health
              Approval Date: August 30, 2023
              Effective Date: October 1, 2023
              For More Information, Contact: UConn Information Technology Services
              Contact Information: techsupport@uconn.edu
              Official Website: https://its.uconn.edu

              DEFINITIONS

              University Provided Email Services – University-provided email services refers to the email accounts and related services that educational institutions offer to their students, faculty, and staff. These email services can be hosted on the University’s servers or in the cloud and come with an email address in the form of username@uconn.edu

              PURPOSE

              This policy applies to all uses and users of University provided email services, including faculty, staff, volunteers, contractors and affiliates. The purpose of this policy is to describe the permitted and appropriate use of University provided email to ensure compliance with relevant laws, regulations and policies, including those concerning the retention and protection of emails and attendant data.

              POLICY STATEMENT

              The University provides email services to support activities associated with academic, administrative, research and philanthropic functions in support of its overall mission. The University recognizes and has established email as an official means of communication. All faculty and staff are provided a UCONN.EDU email account which is the official address to which the University will send email communications. All communications related to University functions shall use the University provided email services to ensure compliance with University policies and regulatory compliance.

              Individual Users are expected to read in a timely manner all official University email messages sent to their University email address.

              University email services are provided solely for the purpose of conducting University business and are subject to all applicable University policies including the Code of Conduct as well as state and  federal laws.  Occasional use of email services for personal, non-University related purposes is allowed but subject to the Code of Conduct.

              University email accounts and information sent via University email services are the property of the University.  As a public institution, with limited exceptions, virtually all University records, including email communications, are subject to laws governing public records.  Because University email accounts are University property, the University has the right to access such accounts for legitimate business purposes as may be required and/or authorized by appropriate parties.  This includes but is not limited to access necessary to respond to requests made pursuant to the Connecticut Freedom of Information Act (FOIA), the Family Educational Rights and Privacy Act (FERPA),and/or subpoenas. Individuals are prohibited from directly accessing the email accounts of others unless they are authorized to do so for University business purposes.

              Users of University email services are responsible for safeguarding the privacy and security of information sent electronically in accordance with applicable laws and policies. Automated copying or forwarding of email from University accounts to non-University accounts is prohibited. Any user who moves a copy of email sent to a University email account to a non-University email account expressly assumes personal responsibility for the security and privacy of that email and any information contained therein.  Moving a University email into a non-University account may subject the non-University account to review in response to a subpoena, FOIA request or other legal process.

              RELATED UNIVERSITY POLICIES

              Code of Conduct

              Electronic Privacy and Disclaimer Notice

              FERPA Policy

              General Rules of Conduct

              Records Management Policy

              University Guide to the State Code of Ethics

              POLICY HISTORY

              Policy adopted: November 14, 2003

              Revisions:
              June 1, 2005
              June 19, 2007
              March 13, 2015
              August 30, 2023 (Approved by the Senior Policy Council and the President)