University Advancement Data Confidentiality and Usage
|Policy Title||University Advancement Data Confidentiality and Usage Policy|
|Policy Owner||Vice President for University Advancement|
|Responsible Office||University Advancement, Advancement Programs and Services|
|Contact Information||Questions concerning this Policy or its intent should be directed to the Associate Vice President for Advancement Programs and Services in the Division of University Advancement; 412-268-2620.|
|Pertinent Dates||This Policy was approved on August 18, 2016.|
|Approved By||The president of Carnegie Mellon University.|
|Entities Affected By This Policy||Carnegie Mellon faculty, staff, and volunteers.|
|Who Needs To Know About This Policy||This Policy governs University Advancement staff and other Carnegie Mellon University employees who use Advancement-managed data. It also applies to volunteers and contractors working on behalf of the university.|
|Definitions||Confidential information: All alumni, student, parent, friend, organization, donor, and prospect information in any format (database record, e-mail, any other electronic format, hard copy, voicemail, or conversation) and information about employees, including compensation, date of birth, and other personal information that is not considered publishable.|
|Forms / Instructions||n/a|
|Related Information||Information Security Policy
|Reason for Policy / Purpose||
University Advancement is committed to safeguarding the confidential information of Carnegie Mellon alumni, students, parents, friends, donors, prospects, employees, and other members of the university community. The purpose of this policy is to outline who can access Advancement-owned data, the steps required to receive that access, and the acceptable use of that data.
This Policy complements broader university policies related to information security and computing.
This Policy outlines University Advancement (UA) information confidentiality and usage, including access to UA data by university employees and non-employees.
- Information Confidentiality and Usage
- All confidential information must be used for university business purposes only, as approved by University Advancement leadership.
- The actions of collecting, accessing, using, destroying, or disclosing confidential information may only occur within the scope of employee responsibilities. Supervisors must approve all use of confidential information that falls outside normal employee responsibilities. If employees discover that they have access to information outside the scope of their normal responsibilities, they must notify their supervisors immediately.
- Unless specifically authorized to do so by the Vice President for University Advancement, information from University Advancement data sources must not be used in separate persistent databases, "shadow databases," and/or reporting platforms, as they undermine the primacy and integrity of Advancement’s central information resources. Information generated from Advancement’s database of record should be used quickly or refreshed periodically to ensure validity.
- Employees must exercise reasonable effort to secure and protect from disclosure any confidential information downloaded to or stored on any type of electronic device (e.g., computer, mobile device, etc.) or peripheral (e.g., memory card, external hard drive, etc.). Information on physically securing electronic devices is available from Advancement Information Systems (AIS) at email@example.com and from the Information Security Office at firstname.lastname@example.org. Data downloaded from Advancement’s database of record and other systems, including the fileserver, must be deleted when no longer needed.
- Employees must exercise reasonable effort to secure and protect from disclosure any confidential information in hard copy. Materials containing confidential information should not be removed from the Advancement offices of the university, except when within the scope of the responsibilities of employment. All hard copy confidential information marked for disposal must be shredded.
- Passwords act as a signature to access confidential information. Employees are required to read and follow the policy on "Selecting a More Effective Password." If employees have reason to believe that the confidentiality of passwords has been violated, they are required to notify their supervisors immediately and ensure that the passwords are promptly changed. Employees will not share login ID and/or password information with anyone.
- Upon termination of university employment, the rights and access associated with a user ID and password will also be terminated. Employees must immediately return all documents and/or materials containing confidential information to Carnegie Mellon, including methods of providing access to such information (e.g., training documentation). It is further expected that, following cessation of employment at Carnegie Mellon, the individual will continue to treat confidential information as confidential and that they will refrain from disclosing it or using it for any purpose.
- Access to University Advancement Data by Employees
- Individuals employed by Carnegie Mellon who have a demonstrable university-related business requirement to access Advancement data will be granted access restricted to that requirement. Such access will only be granted after a formal request is submitted and the employee signs and returns the Advancement Data Confidentiality and Usage Form.
- Questionable or unusual requests by employees for access to Advancement data will be reviewed by the Vice President for University Advancement, in consultation with the Associate Vice President for Advancement Programs and Services.
- Access to University Advancement Data by Non-Employees
- Subject to the approval of the Vice President for University Advancement, non-employees working on behalf of the university (e.g., volunteers and contractors) will be permitted to access Advancement data restricted to the requirements of their roles.
- These individuals must sign any agreement(s) required by the university (i.e., related to confidentiality, usage, etc.) prior to receiving such access, and will be subsequently bound by the requirements set forth in this policy.
- Donors to the university may request and receive a list of the charitable gifts they have made to the university. Otherwise, Advancement data will be unavailable to non-employees and non-volunteers, unless approved by the Vice President for University Advancement.