Scope
This policy applies to all SUNY Geneseo employees, contractors, and systems that create, access, store, or transmit institutional data.
Policy Statement
This policy establishes a framework for classifying and protecting institutional data at SUNY Geneseo. It supports compliance with applicable laws and regulations, including the New York SHIELD Act, FERPA, HIPAA, and NY Labor Law §203-d, and promotes responsible data stewardship across the college.
Definitions
Policy
Data Classification Levels
| Classification Level | Definition | Examples |
| --- | --- | --- |
| Confidential | Regulated data requiring strict controls. Unauthorized disclosure could result in legal or financial penalties. | Private information such as SSNs, bank account numbers, health records, driver’s license numbers, disciplinary records |
| Sensitive | Internal data with reputational or operational risk. | Grades, G-numbers, performance reviews |
| General | Information not intended for public release but not subject to regulatory or contractual confidentiality. May be shared with Geneseo accounts and select external collaborators with a legitimate need. | Syllabi, meeting agendas, internal procedures |
| Public | Information intended for external audiences and unrestricted sharing. | Press releases, recruitment materials, published research |
Safeguards
Safeguards for institutional data are applied based on its classification level and include administrative, technical, and physical controls. These controls are designed to ensure appropriate protection of data across its lifecycle: from creation and access to storage and disposal. Specific requirements for each classification level (Confidential, Sensitive, General, and Public) are detailed in the .
Incident Response
Any suspected data breach must be reported to CIT. Breaches involving private information as defined by the SHIELD Act will trigger notification procedures in accordance with state law and the College’s cybersecurity incident response plan.
Roles and Responsibilities
- Data Stewards: Ensure proper classification, access controls, and compliance within their data domain. In most cases the data steward of a department is the director or department head.
- CIT: Implement technical safeguards, monitor systems, and respond to incidents.
- Compliance Office: Ensure alignment with legal and regulatory requirements.
- End Users: Apply appropriate sensitivity labels and follow data handling procedures.
Compliance
This policy supports compliance with the New York SHIELD Act, FERPA, HIPAA, NY Labor Law §203-d, and other applicable regulations.
Inappropriate disclosure of information pertaining to students, faculty, staff and other college constituents may violate applicable law and regulations and is considered a violation of ethics and a breach of trust placed in employees by the College. Upon finding of a violation of this policy by an employee in a collective bargaining unit, the College may initiate disciplinary action pursuant to the applicable collective bargaining agreement, up to and including termination of employment.
For employees not covered by a collective bargaining agreement, sanctions may include actions up to and including termination of employment.
Student employees who have violated these provisions may be referred to the student disciplinary process.
Volunteers who have violated these provisions may have their voluntary appointments terminated.
Employees who deal with confidential material on a regular basis will be required to sign a .
Frequency of Review and Update
Every 3 years.
Approval
Date of Approval