Memorandum #320 Community College of Philadelphia Personal Information Privacy and Protection Policy

Policyholder(s):  Associate Vice President, Information Technology; General Counsel
Effective Date: August 24, 2022
Approved By: President

Purpose

Community College of Philadelphia (“College”) is committed to maintaining the privacy and security of Personal Information obtained in the course of its operations.  This policy sets forth guidelines that all individuals must follow when handling Personal Information on behalf of the College.  This policy will also help to ensure that the College is compliant with applicable privacy and data security laws, rules, and regulations.  This policy does not replace or supersede any law, rule, or regulation governing the treatment of Personal Information.

This policy applies to all employees, student workers, trustees, directors, interns, vendors, contractors, volunteers, or any other individual acting on behalf of the College, or any other individual or entity who is otherwise granted access to Personal Information by the College, whether such access occurs on campus or remotely.

Definitions

• Personal Information: Any information or data that relates to an identified individual or can identify an individual; including a collection of information, which, if taken together, can identify an individual (e.g., a College employee, student, applicant, research subject, donor, alumni, partner, board member, or any other individual with whom the College does business or provides services) which, if compromised, could lead to harm or legal consequences to the individual or entity to whom the information belongs and/or the College; including information that the College is required to keep confidential by law or pursuant to agreement. 
  • Examples of Personal Information include education records, payroll or financial records, personnel records, contact information, birth dates, background checks, health information; etc. 
  • Personal Information does not include information which is lawfully publicly available, or directory information as defined by the College pursuant to the Family Educational Rights and Privacy Act (“FERPA”). 

• Restricted Personal Information: While all Personal Information must be treated confidentiality in accordance with this policy, certain Personal Information is classified as Restricted Personal Information, which will be subject to additional security protocols.  Restricted PersonalInformation is information which, if compromised could lead to substantial or severe harm or legal consequences to the individual or entity to whom the information belongs and/or the College. Examples include social security numbers; debit or credit card numbers; driver’s license or other government-issued identification numbers; financial account information; or system credentials (e.g., log-in or password information). 

Questions regarding whether information qualifies as Personal Information and/or Restricted Personal Information may be directed to the Office of General Counsel or the Associate Vice President, Information Technology.

Encryption: any method of encoding Personal Information so that it cannot be easily accessed by unauthorized individuals.

Complying with Applicable Privacy and Data Security Laws, Rules, Regulations

Personal Information must be treated in accordance with all applicable privacy and data security laws, rules, and regulations such as the Family Educational Rights and Privacy Act (“FERPA”); the Health Insurance Portability and Accountability Act (“HIPAA”); the Pennsylvania Breach of Personal Information Notification Act; and the Gramm-Leach Bliley Act.

Collection and Use of Personal Information

Any individual who collects Personal Information on behalf of the College shall limit the Personal Information collected to the minimum amount of information necessary to reasonably serve the College’s purpose and/or comply with applicable law.  Collecting the minimum information necessary minimizes the Personal Information for which the College is responsible, and minimizes the risk to the information owner.  Once collected, access to Personal Information must be limited to only those individuals acting on behalf of the College who require access to fulfill their duties to the College.  Any individual acting on behalf of the College may use the Personal Information only for the purpose for which the information has been collected, and may not re-disclose Personal Information to any third party unless authorized by this policy and applicable law. 

Social Security Numbers should only be requested when essential to the College’s operations or educational purposes.  Except as required by applicable law or regulation, Social Security Numbers shall not be used as an identifier for any individual in any system or application.      

Protecting Personal Information

Any Personal Information obtained or used by an individual on behalf of the College, or that is stored on any College equipment, computer, device, or in the cloud, must be appropriately protected, in accordance with its classification. 

Electronically Stored Personal Information

• Personal Information stored electronically may only be stored on the College’s secure network (or, if in accordance with this policy, on a contractor’s secure network). 
• Access to Personal Information stored electronically must require a password. 
• Devices that provide access to Personal Information must be locked when unattended. 
• Personal Information may not be stored on portable computing devices such as portable hard drives, USB drives, CD’s, etc.
• Personal Information may not be stored on any individual’s personal device. 
• Restricted Personal Information must be stored in an encrypted format. For questions regarding encryption, please contact 4itsupport@ccp.edu.
• If an individual needs to discard electronically stored Personal Information, they must contact 4itsupport@ccp.edu to assist with secure deletion.

 Personal Information in Hard Copy

• Personal Information stored in hard copy form should be stored in a locked file cabinet or drawer when not in use or not attended (e.g., at the end of each work day, during any breaks, or when the employee will be gone for an extended period). 
• Print outs or faxes containing Personal Information should be immediately removed from the printer or fax machine if it is in an unsecured area.
• Hard copies of Personal Information should not be taken off campus. 
• If an individual needs to discard Personal Information stored in hard copy form, it must be shredded.  

Transmitting or Sharing Personal Information

• Personal Information shall only be shared with third parties to meet a legitimate business or educational need, and only to the extent permitted by and in compliance with applicable law, including obtaining any applicable required consents.
• Employees should only travel with Personal Information if absolutely necessary.  Whenever possible, the information should only be stored on the College’s network where it can be accessed via MyCCP at the destination, and should not be carried in paper form or stored on any device which could be misplaced in the course of traveling. 
• Restricted Personal Information may not be shared via email.  Restricted Personal Information must be transmitted using encrypted methods only.  For encryption options contact 4itsupport@ccp.edu.  
• Restricted Personal Information should not be transmitted or shared with third parties vendors absent a contract which includes appropriate confidentiality and data security protocols in accordance with this Policy, industry standards, and applicable law. 

Breach of Personal Information

Anyone who becomes aware that a computer, laptop, mobile device, or other equipment, paper, or hard copies containing Personal Information has been breached, lost, stolen, or misplaced, or anyone who suspects that Personal Information may have been accessed by unauthorized individuals, must immediately notify the Office of General Counsel and the Associate Vice President, Information Technology to report the issue.  The breach or potential breach will be handled in accordance with the College’s data breach protocols.