Departments shall decide on a unit-by-unit basis whether to allow University employees, agents, affiliates or workforce members to use personally owned devices to access or maintain sensitive Institutional Data. Deans and department heads authorizing the use of personal devices are responsible for communicating the boundaries of personal use and raising awareness of appropriate regulations and risk.
University employees shall maintain up-to-date, device-appropriate security safeguards and follow the policies, standards, and guidance provided by the University, as well as comply with appropriate safeguards required by state and federal regulations. In addition, the University or individual units may require that specific security settings and/or software be put in place and maintained on the device to protect sensitive Institutional Data.
Most regulations require the securing of devices used to store data. Securing your devices doesn’t just mean keeping them in a safe place. It means setting a strong password, encrypting file storage, keeping your software up to date, backing up your data, choosing appropriate privacy and access settings, deciding what networks to connect to, and more.
All mobile devices accessing University employee email are required to have a passcode or biometric security (fingerprint, facial recognition, etc.) enabled to protect against unauthorized access.
Records or data maintained by the University or University employees and affiliates may be the subject of document requests (e.g., Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g., warrants, subpoenas, court orders, etc.). University employees, agents and affiliates must produce these records or data (or the devices on which they are stored) upon request of the University.
In the course of an incident investigation, the University reserves the right to inspect any personally owned device that accesses or maintains sensitive Institutional Data. Any access to a personally owned device will be carried out in accordance with other relevant University protocols, and legal or law enforcement requirements.
Any records request requires the written approval of the president, the provost, or the area vice president.
Users shall return or delete Institutional Data maintained on personally owned devices upon request from the University or when their role or employment status changes such that they are no longer an authorized user of that data.
The University characterizes certain activities related to misuse of sensitive data as unethical and unacceptable. Violations of this policy may result in disciplinary action up to and including restricting the ability to use a personally owned device for work-related activities, loss of data and systems access, dismissal, and/or legal action.