Data ManagementTechnology Services

Purpose

The purpose of this policy is to outline the procedures and responsibilities concerning data storage, backup retention, and electronic waste disposal.

Scope

This policy pertains to all Gustavus account holders, as well as any devices they are issued (computers, tablets, etc.) and any online or cloud based services they utilize in the performance of their work or study.

Overview

Electronic storage is allocated to every employee, student, and courtesy account holder. Some of this storage is maintained in the College’s data center, and the rest is provided through various cloud-based services and systems that have been formally approved by Technology Services, and are contractually bound by the College to preserve and protect institutional data. As this storage is a limited resource, it is important that each individual actively manages usage in accordance with College policy and prescribed limits set forth by Technology Services. 

Electronic data is routinely backed up by the College, retained in the cloud as emails, documents, and system records, or stored on computers and other devices. In some instances, data backups, cloud-based services, and electronic hardware may retain data beyond the schedule set forth in the College’s Record Retention and Destruction Policy. Additionally, it is important to ensure that backups, cloud services, and hardware containing information that is considered to be Highly Confidential according to the College’s Data Classification Policy be properly handled and/or destroyed.

Managing Data

Students and employees are allocated electronic storage to facilitate their teaching, learning, and working at Gustavus. Stored data is the responsibility of the individual account holder. If stored data contains sensitive information, such as nonpublic personal information (NPI) or personally identifiable information (PII) that would be deemed Highly Confidential according to the College’s Data Classification and Handling Policy, it is the individual’s responsibility to ensure that its use conforms to all applicable College policies, as well as state and federal law.

Allocated electronic storage must be actively managed by the individual user to ensure proper data handling and to avoid exceeding prescribed allotment limits. Anyone who mishandles Highly Confidential data could be subject to disciplinary action from the College, and in more egregious cases, prosecution in a court of law. 

Backups

Backups, or archived data, automatically occur on a scheduled basis in the College’s data center, on shared drives, Google Drive, and on most College-issued desktops and laptops. These backups may contain copies of data that have previously been destroyed in accordance with the College’s Record Retention and Destruction Policy. To ensure that such data is properly disposed of, data center backups should not be kept for a period longer than six months, and all other backups, including backups of College-owned computers, should be limited to a period of one year or less.

In situations where an individual account holder has backed up, or archived College data in another location, such as an external drive, thumb drive, or cloud storage service, it is the user’s responsibility to ensure that such data is appropriately handled and/or destroyed in accordance with all College policies and applicable law. If an account holder notices any issues with the College-provided backups of their computer data, they should notify Technology Services as soon as possible.

Electronic Waste (E-Waste)

All College-owned electronic waste that may contain institutional data must be returned to Technology Services for proper processing prior to reuse or recycling. In addition to proprietary data, electronic waste may contain hazardous materials that are regulated under environmental, and health and safety laws. It is important that all electronic waste is disposed of through College-approved processes.

Technology Services manages contracts and related operations for decommissioning College-owned, data-bearing electronics and peripherals. These items are collected by Technology Services for reuse or disposal through a variety of standardized procedures. Technology Services will securely store, process, and schedule the pickup of items with the recycling vendor when needed. A list of common items that should be returned to Technology Services can be found below:

  • Desktop computers
  • Laptop computers
  • Tablets
  • Mobile phones
  • Keyboards and mice
  • Computer monitors
  • Lab or clinical equipment containing data
  • Printers and fax machines
  • Thumb drives and memory cards/sticks
  • Optical media containing data, such as CDs and DVDs
  • Portable external hard drives
  • Other devices that may contain institutional data

Discarded data-bearing devices that are found unsecured in public areas should be reported to Technology Services immediately at 507-933-6111 or helpline@gustavus.edu.

Policy Implementation Assistance

Contact the Chief Technology Officer with questions or comments related to this policy.

Policy Authority

The XLT has responsibility for this policy and will obtain necessary approvals for changes.