
Standard for Handling Institutional Information

Introduction

Information can exist in many forms, both electronic (e.g., computer hard drives and any removable and/or transportable digital memory medium, such as magnetic tape or disk, optical disc, “flash” drive, or digital memory card) and non-electronic (e.g., paper, microfilm, microfiche).

The Protection Level at which Institutional Information is Classified determines, along with any applicable laws and regulations, the rules for handling that information.

“Handling” information refers to any action related to acquiring, storing, using, transmitting, archiving, deleting, or destroying information.

Purpose

This standard defines the minimum requirements for handling Institutional Information in any format. Individual offices and departments of the university may establish more stringent information handling procedures that augment these minimum requirements when appropriate. Users of Institutional Information are urged to contact the relevant Data Owner or the Information Security and Privacy Office for guidance in cases that present handling questions or security concerns.

Scope

This standard applies to all university Institutional Information and IT Resources, irrespective of whether they are maintained by The New School or a third party on the university’s behalf or whether they are accessed from on-campus or off-campus locations, and to any individual who accesses or in any way makes use of them, regardless of affiliation. This includes, but is not limited to, Workforce Members, students, and alumni.

Definitions

Special terms used in this document will be Capitalized and underlined, signifying that they have special meaning. A comprehensive glossary of terms, with examples, can be found at https://ispo.newschool.edu/glossary/.

Requirements

This standard defines the techniques and tools that should be used when:

  • Handling printed documents (including printing, storing, duplicating, mailing, and faxing)
  • Handling electronically stored information (including storage on internal servers, use of external cloud storage and collaboration services, storage on removable/transportable media, and storage on mobile devices)
  • Handling electronically transmitted information (including electronic mail, file transfer, web services, and collection of information via web forms)
  • Handling regulated information (including Education Records, Cardholder Data, Personal Financial Information, Protected Health Information, and Controlled Unclassified Information)

Disclosing information to third parties

Institutional Information Classified at Protection Levels PL-3 or PL-4 may only be disclosed to third parties (vendors, consultants, etc.) if all of the following are true:

  • A clear business purpose for the disclosure exists.
  • The Data Owner has provided written approval of the disclosure.
  • A written confidentiality agreement or non-disclosure agreement is in effect between The New School and the third party.
  • A written agreement is in effect between The New School and the third party describing the security controls the third party will use to protect the information (including how it will delete or destroy the information at the conclusion of the agreement).

Additional requirements may apply if the information to be disclosed includes Personal Data; see the Data sharing section of the Data Protection Handbook.

Note

Only senior managers of the university (president, provost, executive vice president, deans, and officers) have the authority to sign the agreements referenced above, and then only after they have been reviewed and approved by the Office of the General Counsel.

Handling printed documents

Printed documents, including paper, microfiche, and microfilm, should be handled according to the highest Classification of information contained in the document. For example, if a document contains both PL-2 and PL-4 information, then the document should be handled according to the handling requirements for PL-4 information.

Printing hard copies of information

Many software applications (including web browsers) and databases allow printing of data and/or reports. Once the information is in a hardcopy format, information users should follow the handling requirements for printed documents.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Unattended printing allowed if access controls are in place to prevent unauthorized viewing of a printout.
PL-4         Unattended printing allowed if access controls are in place to prevent unauthorized viewing of a printout.

Printouts should be picked up immediately.

Storing printed documents

This requirement covers the day-to-day storage of printed documents in an office environment. It does not include long-term (usually off-site) storage of documents for record retention or archival purposes.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Documents must be put away (out of sight) when not in use. Storage in a secured location is recommended.
PL-4         Documents must be put away (out of sight) and stored in a secured location when not in use.

Duplication and distribution of printed documents

Copies of printed documents containing Sensitive Institutional Information should be made on an as-needed basis only. Copies should not be distributed unless there is a business need to do so, and document recipients should be advised not to further distribute it unless there is a business need to do so. It is also important for information users to ascertain how the materials will be used and disposed of.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         The receiver of the document must not distribute further without permission of the document sender.
             When necessary, the Data Owner should designate information that must not be further duplicated or distributed.
PL-4         The receiver of the document must not distribute further without permission of the document sender.
             When necessary, the Data Owner should designate information that must not be further duplicated or distributed.

Sending printed documents via campus mail or external carrier

This requirement covers sending printed documents via New School Campus Mail or via an external carrier such as the U.S. Postal Service or FedEx. Documents containing Sensitive Institutional Information should only be sent via these methods when there is a business need to do so.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         There should be no classification markings on the external envelope. The envelope must be sealed in such a way that tampering would be evident upon receipt.
PL-4         There should be no classification markings on the external envelope. The envelope must be sealed in such a way that tampering would be evident upon receipt.

Faxing printed documents

When sending faxes, documents may be sent either directly from their electronic form, or more traditionally, by sending a paper document through a fax machine. This requirement applies to both methods. Documents containing Sensitive Institutional Information should only be transmitted over fax when there is a business need to do so.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Receiving faxes: Unattended printing is allowed if access controls are in place to prevent unauthorized viewing of a printout.
             Sending faxes: Prior to faxing, verify access controls or recipient presence at the time the fax is sent.
PL-4         Receiving faxes: Unattended printing is allowed if access controls are in place to prevent unauthorized viewing of a printout. Received faxes should be picked up immediately.
             Sending faxes: Prior to faxing, verify access controls or recipient presence at the time the fax is sent. Follow up with a telephone call or email to confirm receipt.

Labeling printed documents

In addition to the labeling requirements of this section, individual departments may choose to label their documents to ensure appropriate handling within their area.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Certain documents must be labeled “Confidential” regardless of internal or external use.
PL-4         Documents must be labeled “Confidential” regardless of internal or external use.

Disposal of printed documents

Printed documents should be properly disposed of when there is no longer a business need to keep them.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Destroy the document according to hard copy disposal guidelines.
PL-4         Destroy the document according to hard copy disposal guidelines.

Handling electronically stored information

Information stored electronically, whether on servers, removable media, mobile devices, or “in the cloud,” should be handled according to the highest Classification of information contained in the file. For example, if a file contains both PL-2 and PL-4 information, then the file should be handled according to the handling requirements for PL-4 information.

Storage on servers

This category includes New School central and departmental file storage servers. It may also include storage on servers hosted or operated by third party vendors with whom The New School has contracted for services. This category does not include cloud storage and collaboration services (see Storage on cloud storage and collaboration services).

Servers requiring authentication

This subcategory includes servers where access is protected via New School authentication credentials. These credentials include the New School NetID and password, or a username and password combination issued by an application administrator when the New School NetID and password cannot be reasonably used. Examples of storage scenarios in this subcategory include:

  • Information stored on servers that can be accessed from a campus workstation as part of a user’s workstation profile (“share drives”).
  • Information stored on servers that can be accessed remotely via a file transfer protocol where New School authentication credentials must be provided before a user can access the files.
  • Information stored on servers that can be accessed remotely via the use of an application through the Internet where New School authentication credentials must be provided before a user can access the files.
  • New School web servers containing information intended for New School dissemination only and where New School authentication credentials must be provided before a user can access the information.
  • Information stored on third party hosted servers where the university has determined that there is a business need for the vendor’s solution, the university has entered into a contract with the vendor, and New School authentication credentials are used to access the vendor’s solution. (This situation is usually documented extensively through New School business practices.)

University-provided central and departmental servers are among the most secure places to store Sensitive Institutional Information. However, some Sensitive Institutional Information types may be subject to laws or regulations that require additional security and/or privacy safeguards to be implemented. These information types are usually Classified at Protection Level PL-4. See the section Special requirements for regulated information for a more detailed discussion of these requirements.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Personal Data: Must be Pseudonymized and encrypted, either at the file level or the database column level.
             Other PL-3 data: No special requirements.
PL-4         Special Categories of Personal Data: Must be Pseudonymized and encrypted, either at the file level or the database column level.
             Other types of regulated information: See Special requirements for regulated information.
             Other PL-4 data: No special requirements.

Servers not requiring authentication

This subcategory includes servers where the information stored on those servers can be accessed via the Internet, and where that access does not require the use of New School authentication credentials. Examples of storage scenarios in this subcategory include:

  • New School web pages with information intended for public dissemination
  • Files on servers that can be accessed remotely via the use of an application through the Internet where New School authentication credentials are not required before access.

Application Owners and Data Owners are urged to use caution when providing access to Institutional Information without appropriate New School authentication. For instance, when allowing non-New School users to access New School data, an Application Owner or Data Owner must ensure that there are adequate protections (such as password protection, encryption, and secure communication channels) in place to protect that data.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         Not permitted.
PL-3         Not permitted.
PL-4         Not permitted.

Storage on cloud storage and collaboration services

The New School-branded version of Google’s G Suite (formerly Google Apps) applications (reachable through MyNewSchool or {calendar,drive,docs}.newschool.edu) is the official university general-purpose cloud storage and collaboration platform.

Canvas is the official university learning management system.

Starfish is the official university student success network.

New School G Suite

Google, Inc. hosts the New School G Suite collection of applications on behalf of the university in accordance with a specially negotiated end-user license agreement designed to protect the privacy and security of information owned by The New School and the members of its community. The agreement ensures that Google will not access or reuse information stored in these applications for its own commercial purposes, and adds special protection for Education Records subject to the Family Educational Rights and Privacy Act (FERPA).

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Education Records: Limit sharing to individuals with a “legitimate educational interest”; do not share externally (outside the newschool.edu domain).
             N-numbers: Limit sharing to authorized individuals; do not share externally (outside the newschool.edu domain).
             Other types of Personal Data: Restrictions apply; see Appropriate and inappropriate uses of the New School G Suite platform, below.
             Other PL-3 information: Generally not permitted; consult with the Data Owner or the Information Security and Privacy Office.
PL-4         Not permitted.

Appropriate and inappropriate uses of the New School G Suite platform

The New School G Suite platform is appropriate for many types of business communication and collaboration, but the nature and sensitivity of some types of information, as well as applicable security and privacy policies, laws, regulations, or other restrictions must be carefully considered before choosing to store information there.

  1. The New School G Suite platform may be used to store and share Institutional Information Classified at Protection Levels PL-1 and PL-2.
  2. The New School G Suite platform may be used to store and share Education Records and N-numbers.

    Traditionally, grades, class rosters, and other information about students was shared via email, spreadsheets, and hard copy documents. All of those methods have security concerns and deficiencies. The use of a Google document or spreadsheet for these purposes has several advantages over these methods. However, care must be taken to ensure that only those individuals with a “need to know” have access to the information. In particular, class rosters and other documents that include identifying information about students should never be “published to the web,” since FERPA prohibits the release of such information outside the confines of the university.

  3. The New School G Suite platform may be used to store and share Personal Data about Workforce Members, but only those attributes that would typically be present in the job-related documentation sections of their personnel files (those sections accessible to HR Partners, managers, and supervisors).

    Traditionally, less sensitive information about Workforce Members was shared via email, spreadsheets, and hard copy documents. All of those methods have security concerns and deficiencies. The use of a Google document or spreadsheet for these purposes has several advantages over these methods. However, care must be taken to ensure that only those individuals with a “need to know” have access to the information. In particular, documents that include Personal Data about Workforce Members should never be “published to the web.”

    More sensitive Personal Data, such as attributes that would typically only be present in the confidential sections of Workforce Members’ personnel files (those sections accessible only to “Central HR”) and especially those attributes considered Special Categories of Personal Data, must never be stored or shared on the New School G Suite platform.

  4. Except for Education Records and some types of Personal Data as described above, the New School G Suite platform is generally not appropriate for storing or sharing information Classified at Protection Level PL-3. Consult with the Data Owner and/or the Information Security and Privacy Office before engaging in any such activity.

  5. The New School G Suite platform is not appropriate for storing or sharing information Classified at Protection Level PL-4. Information in this category includes data subject to state, federal, and international privacy laws and regulations, such as Social Security Numbers, Individual Taxpayer Identification Numbers, Personal Financial Information, Protected Health Information, and Special Categories of Personal Data.
  6. Although Google maintains multiple copies of all information stored on the New School G Suite platform to ensure that it is always available even in the event of a hardware or software failure within the Google infrastructure, the New School G Suite platform should not be used as the sole storage location for business critical university records. Although such records may be kept on the New School G Suite platform for ease of use and collaboration, a primary copy should be kept internally on a network file share where it can be regularly backed up.

Guidelines for sharing information on the New School G Suite platform

One of the key benefits of the New School G Suite platform is the ease with which information can be shared with others. However, care must be taken, especially when sharing Education Records, to ensure that information is not shared too broadly.

  1. Check the email address. Be sure that you are choosing the proper email address, as there are many similar and duplicate names in the newschool.edu domain. It is also possible to share a document with individuals outside the university by entering an email address. In these scenarios, make sure you are certain that the email address you enter is that of the colleague you intend to share the data with, and that they will use it responsibly.
  2. Check the scope of distribution. Choose wisely as to whether you want those you are sharing a document with to have the ability to edit the document (the default), or to only be able to view the document without making changes. When you provide someone with the ability to edit the document, they also have the ability to share it with others.
  3. Use “publish to the web” carefully. The “publish to the web” sharing option makes a document visible to anyone on the Internet. Although some information may be appropriate for that view, carefully evaluate the use of this option. In particular, documents that contain Personal Data must never be “published to the web.”

Canvas

Instructure, Inc. hosts the Canvas learning management system on behalf of The New School in accordance with a license agreement designed to protect the privacy and security of information owned by The New School and the members of its community. The agreement ensures that Instructure will not access or reuse information stored in Canvas for its own commercial purposes, and includes protection for Education Records subject to the Family Educational Rights and Privacy Act (FERPA).

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Education Records: Limit sharing to individuals with a “legitimate educational interest.”
             Other PL-3 information: Not permitted.
PL-4         Not permitted.

Starfish

Starfish Retention Solutions (a subsidiary of Hobsons, Inc.) hosts the Starfish suite of applications (the “New School Student Success Network”) on behalf of The New School in accordance with a license agreement designed to protect the privacy and security of information owned by The New School and the members of its community. The agreement ensures that Starfish Retention Solutions and Hobsons will not access or reuse information stored in Starfish applications for its own commercial purposes, and includes protection for Education Records subject to the Family Educational Rights and Privacy Act (FERPA).

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Education Records: Limit sharing to individuals with a “legitimate educational interest.”
             Other PL-3 information: Not permitted.
PL-4         Not permitted.

Other services

With the exception of the services identified above, the license agreements for most other cloud services, regardless of whether they are offered through The New School, do not provide legal protection or accountability for New School Institutional Information. They also generally do not comply with the information security and privacy safeguards required by state, federal, and international laws and regulations or university policies. Some of the more common services in this category include, but are not limited to, Dropbox.com, Box.com, Apple iCloud, Microsoft OneDrive, Office 365, Adobe Creative Cloud, and the consumer Google G Suite platform.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         Not permitted.
PL-3         Not permitted.
PL-4         Not permitted.

Storage on removable/transportable media

This category includes any type of removable/transportable media on which electronic information can be stored, such as external and portable hard drives, magnetic tapes, diskettes, CDs, DVDs, digital memory cards (SD, Compact Flash, Memory Stick, etc.), and USB storage devices.

This category is intended to apply to a person’s direct use of removable/transportable media and does not apply to archival, disaster recovery, and backup media used by the New School Office of Information Technology as part of normal operational activities. Such archival electronic media must be properly secured from loss, theft, and unauthorized access.

Information users are reminded that internal servers, where New School authentication is required (see Servers requiring authentication), are the best place to store all categories of Institutional Information, particularly information Classified at Protection Level PL-4. Information users are urged to consult the relevant Data Owner if Sensitive Institutional Information must be stored on removable/transportable media.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Not advised; limit to situations where operationally necessary.
             Personal Data must be Pseudonymized and encrypted, either at the file level or the database column level.
             Media must be put away (out of sight) when not in use. Storage in a secured location is recommended.
PL-4         Not permitted unless no reasonable alternative is available.
             Special Categories of Personal Data must be Pseudonymized and encrypted, either at the file level or the database column level.
             Media must be put away (out of sight) and stored in a secured location when not in use.

Storage on mobile devices

This category includes all devices, regardless of name, that serve as a stand-alone and mobile computing device. Devices such as laptop computers, tablet computers, smart phones, cell phones, e-readers, and personal digital assistants fall into this category. This requirement is concerned with storage of Institutional Information on mobile devices when the information is not actively being used; it is not concerned with the short-term incidental storage of such information while that information is being processed on the device (e.g., as a file is being edited).

Information users should exercise caution and common sense when storing Institutional Information on personally owned computing devices, including electronic media. In almost all instances, Sensitive Institutional Information should never be stored on personally owned computing devices.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Not advised; limit to situations where operationally necessary.
             Personal Data must be Pseudonymized and encrypted, either at the file level or the database column level.
             Secure the device according to mobile device security guidelines.
PL-4         Not permitted unless no reasonable alternative is available.
             Special Categories of Personal Data must be Pseudonymized and encrypted, either at the file level or the database column level.
             Secure the device according to mobile device security guidelines.

Disposal of electronic media and electronic devices

Any electronic media (server hard drive, desktop or laptop hard drive, removable/transportable media, etc.) or electronic device used to process or store Institutional Information, regardless of Classification, must be properly Sanitized before it can be reused, resold, recycled, or discarded. See the Standard for Disposing of Institutional Information for details on Sanitization procedures.

Voicemail

The New School uses a computerized messaging system for voicemail services. Voicemail messages are stored on the messaging system and can be accessed from a telephone. Voicemail messages can also be forwarded to an email address as an audio file attachment.

Information users must exercise care in using the messaging system and in forwarding voicemail messages to email as an attachment, because such messages may contain Sensitive Institutional Information.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Do not leave PL-3 information in a voicemail message. Ask the recipient to call back.
             If PL-3 information is received in a voicemail message, delete the message immediately upon receipt.
PL-4         Do not leave PL-4 information in a voicemail message. Ask the recipient to call back.
             If PL-4 information is received in a voicemail message, delete the message immediately upon receipt.

Handling electronically transmitted information

Information should be transmitted in a manner acceptable for use with the highest Classification of information contained in the message or file. For example, if a transmission contains both PL-2 and PL-4 information, then the information should be transmitted according to the handling requirements for PL-4 information.

Electronic mail

The New School-branded version of Gmail (reachable through MyNewSchool or mail.newschool.edu) is the official university email system.

The New School Secure File Transfer Service is the official university system for sending Sensitive Institutional Information.

New School Gmail

Google provides this version of Gmail to The New School under a specially negotiated end-user license agreement designed to protect the privacy and security of information owned by The New School and the members of its community. This license agreement also includes special protections for Education Records subject to the Family Educational Rights and Privacy Act (FERPA). Faculty and staff should use their official university email address for all university business-related email that does not involve sending or receiving Sensitive Institutional Information.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Personal Data: Not permitted; use securesend instead.
             Education Records: Limit recipient list to individuals with a “legitimate educational interest”; do not transmit externally (outside the newschool.edu domain).
             N-numbers: N-numbers may not be sent in aggregate form (e.g., as a list of N-numbers and grades, a class roster, a list of employees, etc.). When operationally necessary and there is no reasonable alternative, individual student, alumni, or employee N-numbers may be sent to their owners by electronic mail:
               • Any such process must be approved in advance by the University Registrar or the Chief Legal and Human Resources Officer (as appropriate) or their designate.
               • If the student, alum, or employee has a newschool.edu or alumni.newschool.edu email address, that address must be used.
               • If the student, alum, or employee does not have a New School email address, another email address may be used, so long as that address was provided directly by the student, alum, or employee.
             Other types of PL-3 data: Not recommended; use securesend instead. If securesend cannot be used and sending is operationally necessary, limit recipient list to authorized individuals and do not transmit externally (outside the newschool.edu domain).
PL-4         Not permitted; use securesend instead.

New School Secure File Transfer Service (SecureSend)

The New School secure file transfer service (reachable through securesend.newschool.edu) is the best way to send messages and files containing Sensitive Institutional Information to internal and/or external recipients. Faculty and staff should always use securesend to send information Classified at Protection Level PL-4, even when the recipient(s) are also within the university (newschool.edu) domain. In most cases, securesend should also be used to send information Classified at Protection Level PL-3, unless there is an operational reason not to do so.

Prot. Level  Requirements
PL-1         No special requirements.
PL-2         No special requirements.
PL-3         Recommended.
PL-4         Required.

Other email providers

External email service providers, including Google’s consumer Gmail platform (@gmail.com), do not provide legal protection or accountability for New School Institutional Information, and they generally do not comply with the information security and privacy safeguards required by state, federal, and international laws and regulations or university policies. New School Workforce Members may not automatically forward or redirect messages from an official university email address (containing @newschool.edu) to a non-university email address (containing anything other than @newschool.edu). Doing so may put that individual and The New School at risk of violating GDPR, FERPA, GLBA, HIPAA, or other laws and regulations. Workforce Members may manually forward individual messages (i.e., one at a time) only if they do not contain Sensitive Institutional Information and such forwarding is permitted by applicable laws and regulations.

File transfer (FTP) and web-based upload/download

The File Transfer Protocol (FTP) and its secure variants, the SSH File Transfer Protocol (SFTP) and FTP-over-SSL/TLS (FTPS), are often used to transfer large amounts of data from one system to another. Generally, FTP is more appropriate for unattended (computer-to-computer) transfers; transfers in which either the sender or the recipient is a person are usually better accomplished using the New School Secure File Transfer Service.

Some third parties with which The New School does business may require that files be exchanged with them by uploading or downloading the file through a web browser. Although this process is typically performed manually rather than by automated means, it is essentially equivalent to FTP and is therefore subject to the same handling requirements.

Prot. Level Requirements
PL-1 No special requirements.
PL-2 No special requirements.
PL-3 All of the following:
  • FTP (or web) server access must be protected by username and password or other secure credential.
  • Secure protocol (SFTP or FTPS for file transfer; HTTPS for web-based) must be used.
  • Files containing Personal Data must be encrypted before they are uploaded and/or before they are placed on the server to be downloaded; encryption of other files is also recommended.
PL-4 All of the following:
  • FTP (or web) server access must be protected by username and password or other secure credential.
  • Secure protocol (SFTP or FTPS for file transfer; HTTPS for web-based) must be used.
  • Files must be encrypted before they are uploaded and/or before they are placed on the server to be downloaded.

Web services (SOAP/REST)

Some cloud-based software-as-a-service providers offer web services based on either the Simple Object Access Protocol (SOAP) or Representational State Transfer (REST) to retrieve data from or submit data to their services, as well as to execute various application functions. In both cases the credential and the data travel over HTTP, so the transport must be TLS (an https:// endpoint) for anything above PL-2.

Prot. Level Requirements
PL-1 No special requirements.
PL-2 No special requirements.
PL-3 Both of the following:
  • Web services access must be protected by username and password or other secure credential.
  • Transport Layer Security (TLS) must be used.
PL-4 Both of the following:
  • Web services access must be protected by username and password or other secure credential.
  • Transport Layer Security (TLS) must be used.
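The following is an added example, not part of this standard or of any New School system, showing what "credential plus TLS" looks like when enforced on the client side of a REST call. It refuses to send a credential to any non-https endpoint before a connection is opened, negotiates TLS 1.2 or newer, and will not follow a redirect that downgrades to cleartext. The endpoint, token value and the local test server are constructed for the demonstration; the function names (CheckEndpoint, NewClient, CallWithToken, DemoRoundTrip) are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// ErrInsecureEndpoint is returned before any request is sent, so the
// credential never leaves the process over cleartext.
var ErrInsecureEndpoint = errors.New("endpoint is not https; refusing to send credentials")

// CheckEndpoint enforces the "TLS must be used" requirement on the client
// side: the URL must parse, name a host, and use the https scheme.
func CheckEndpoint(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return ErrInsecureEndpoint
	}
	return nil
}

// NewClient builds an HTTP client that negotiates TLS 1.2 or newer, trusts
// only the given roots (nil means the system roots), and refuses redirects
// to non-https locations so a misconfigured server cannot downgrade the call.
func NewClient(roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots},
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return CheckEndpoint(req.URL.String())
		},
	}
}

// CallWithToken performs an authenticated GET. The credential goes in the
// Authorization header rather than the URL, because URLs end up in server,
// proxy and browser logs.
func CallWithToken(client *http.Client, endpoint, token string) (int, error) {
	if err := CheckEndpoint(endpoint); err != nil {
		return 0, err
	}
	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// DemoRoundTrip stands up a local TLS test server (a constructed stand-in for
// a SaaS REST endpoint; the token is made up) that accepts only the expected
// bearer token, and calls it through NewClient. It returns the status code
// the hardened client received.
func DemoRoundTrip() (int, error) {
	const token = "example-token-not-real"
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"ok":true}`)
	}))
	defer srv.Close()

	// Trust only the test server's certificate, the way a client would trust
	// a pinned institutional CA; the system roots would reject this self-signed cert.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	return CallWithToken(NewClient(roots), srv.URL, token)
}

func main() {
	code, err := DemoRoundTrip()
	fmt.Println("TLS call status:", code, "err:", err)
	_, err = CallWithToken(NewClient(nil), "http://api.example.invalid/v1/records", "example-token-not-real")
	fmt.Println("cleartext call refused:", err)
}
```

The scheme check is deliberately separate from the transport configuration: a MinVersion setting only governs connections that are TLS in the first place, so a plain http:// URL would otherwise go out unprotected with the credential attached.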

Collecting information via web forms

Many New School offices use web-based forms to collect information from current and prospective students, alumni, employees, and the public. Web-based forms platforms frequently used at The New School include:

  • Google Forms. See New School G Suite for details on the types of information that may be collected with Google Forms in the newschool.edu domain. Google Forms outside the newschool.edu domain (e.g., on the consumer G Suite platform) may only be used to collect information Classified at Protection Level PL-1.
  • Qualtrics. Forms created under the New School Qualtrics academic instance (reachable through MyNewSchool or newschool.qualtrics.com) may be used to collect information Classified at Protection Levels PL-1 and PL-2. They may also be used to collect information Classified at Protection Level PL-3 or PL-4, provided the requirements below are met. Forms created outside the New School Qualtrics instance (e.g., in a personal Qualtrics account) may only be used to collect information Classified at Protection Level PL-1.
  • JotForm. JotForm forms managed under the New School account may be used to collect information Classified at Protection Levels PL-1 and PL-2. They may also be used to collect information Classified at Protection Level PL-3 or PL-4, provided the requirements below are met. JotForm forms not managed under the New School account may only be used to collect information Classified at Protection Level PL-1. (Access to create forms under the New School account is managed by Marketing & Communications.)

Other web form platforms (SurveyMonkey, etc.) may only be used to collect information Classified at Protection Level PL-1.

Prot. Level Requirements
PL-1 No special requirements.
PL-2 No special requirements.
PL-3 Both of the following:
  • Information must be submitted over an encrypted (TLS) connection.
  • Submitted information must be encrypted when stored on the form’s back end platform. At a minimum, Sensitive fields on the form must be encrypted; encryption of all fields is preferable.
PL-4 Both of the following:
  • Information must be submitted over an encrypted (TLS) connection.
  • All submitted information must be encrypted when stored on the form’s back end platform.
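Two requirements above call for the same control: files must be encrypted before they are uploaded to an FTP or web server (PL-3 and PL-4 in the file transfer section), and Sensitive form fields must be encrypted when stored on the form's back end (PL-3 and PL-4 here). The following added example, which is not part of this standard and does not describe any New School platform, shows the encryption step done with an authenticated cipher (AES-256-GCM) so that a file or field that has been altered, or moved to a different file or field, is rejected rather than decrypted to garbage. The record layout, the key handling, the function names (Seal, Open, EncryptSensitiveFields) and the sample roster line are all this example's own assumptions; the N-number and SSN in the test data are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record layout, whether written to the file that is uploaded or stored in a
// form back end: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
// The 32-byte key is assumed to live in a key store outside the transfer
// path; it is never placed on the FTP/web server alongside the files.

var (
	ErrBadKey             = errors.New("key must be 32 bytes (AES-256)")
	ErrCiphertextTooShort = errors.New("ciphertext shorter than nonce")
)

// NewKey returns 32 random bytes. Generating the key here keeps the demo
// self-contained; in production it comes from a KMS or protected config store.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, ErrBadKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under a fresh random nonce.
// context is authenticated but not encrypted: binding a record to, say,
// "upload:roster.csv" or "form:intake/ssn" means a blob copied into another
// file or field fails to decrypt. Random 96-bit nonces are safe for up to
// roughly 2^32 records per key; rotate keys well before that.
func Seal(key, plaintext, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, context), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or context is
// detected and reported as an error instead of returning corrupted plaintext.
func Open(key, blob, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, ErrCiphertextTooShort
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, context)
}

// EncryptSensitiveFields applies the PL-3 minimum for a form submission:
// fields listed in sensitive are sealed, bound to the form and field name;
// the rest are stored as-is. For PL-4, list every field name in sensitive.
func EncryptSensitiveFields(key []byte, formID string, fields map[string]string, sensitive map[string]bool) (map[string][]byte, error) {
	out := make(map[string][]byte, len(fields))
	for name, value := range fields {
		if !sensitive[name] {
			out[name] = []byte(value)
			continue
		}
		blob, err := Seal(key, []byte(value), []byte("form:"+formID+"/"+name))
		if err != nil {
			return nil, err
		}
		out[name] = blob
	}
	return out, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample roster line; the N-number is made up.
	blob, _ := Seal(key, []byte("N00000000,Jane Doe,2020"), []byte("upload:roster.csv"))
	fmt.Printf("upload %d bytes of ciphertext instead of the CSV\n", len(blob))
	blob[len(blob)-1] ^= 0x01 // simulate a modified file on the server
	if _, err := Open(key, blob, []byte("upload:roster.csv")); err != nil {
		fmt.Println("tampered file rejected:", err)
	}
}
```

The context string is what turns "encrypted" into "encrypted and bound to where it belongs": without it, an attacker who can write to the server could swap one user's encrypted SSN field into another user's record and it would still decrypt cleanly.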

Special requirements for regulated information

In addition to the requirements set forth in the previous sections, some types of information have special handling requirements established by law and/or regulation.

Education Records

The New School often relies on software-as-a-service providers to handle services that it cannot efficiently provide itself. In some cases, these providers need access to Personally Identifiable Information (PII) from students’ Education Records in order to deliver the agreed-upon services. FERPA’s school official exception to consent is most likely to apply to The New School’s relationships with service providers. When The New School outsources institutional services or functions, FERPA permits The New School to disclose PII from Education Records to contractors, consultants, volunteers, or other third parties provided that the outside party

  • performs an institutional service or function for which The New School would otherwise use employees;
  • has been determined to meet the criteria set forth in The New School’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records;
  • is under the direct control of The New School with respect to the use and maintenance of Education Records; and
  • uses Education Records only for authorized purposes and may not re-disclose PII from Education Records to other parties, unless the provider has specific authorization from The New School to do so and it is otherwise permitted by FERPA.

When PII from Education Records is disclosed to the provider, FERPA still governs its use, and The New School is responsible for its protection. PII from Education Records disclosed under FERPA’s school official exception to consent may only be used for the purposes authorized by The New School. A contract or formal written agreement between The New School and the service provider is necessary to ensure that these requirements are met.

Important!

Do not disclose Education Records to any third party except as approved by the University Registrar, Office of the General Counsel, and/or Information Security and Privacy Office.

Personal Data

The Data Protection Handbook provides information about the factors that must be considered, and the actions that must be taken, to ensure that Processing of Personal Data by The New School meets the requirements of all applicable laws and regulations.

Important!

Do not store, process, or transmit Personal Data without first completing all actions required by the Data Protection Handbook (including determination of legal basis for processing, creation of a privacy notice, and completion of a Data Protection Impact Assessment). Contact the Information Security and Privacy Office for assistance.

Payment card data

Credit and debit card data (including primary account number, cardholder name, expiration date, and “security” codes) is high-risk confidential information that The New School is obligated to protect under state, federal, and international law. Additionally, credit card associations require that all entities accepting payment cards (“merchants”) comply with the Payment Card Industry Data Security Standard (PCI DSS), a set of technical and operational requirements designed to protect Cardholder Data and guard against fraud and identity theft.

The New School requires that any school, department, student organization, or individual that wants to accept credit or debit card payments obtain advance approval from the Office of Finance and Business and the Information Security and Privacy Office before offering this service. Once approved, the school, department, student organization, or individual may only use university-approved payment processing systems, vendors, and devices to accept payments. Credit and debit card payment information—whether from students, employees, donors, conference or workshop attendees, or the general public—must never be solicited or accepted through:

  • Email (including New School Gmail and securesend)
  • Web-hosted forms (including New School Google Forms, Qualtrics, and JotForm)
  • Non-university approved Internet-based payment processors (including PayPal, Authorize.net, Dwolla, Stripe, etc.)
  • Non-university approved mobile card readers (including Square, PayPal Here, Clover Go, etc.)

Important!

Do not accept payments via credit or debit cards, or handle payment card data, except as approved by the Office of Finance and Business and the Information Security and Privacy Office.

Health and human subject information

The Health Insurance Portability and Accountability Act (HIPAA), through its Privacy and Security Rules, defines policies, procedures, and guidelines for maintaining the privacy and security of individually identifiable health information. HIPAA primarily applies to “covered entities” (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions). The New School, with the exception of the New School Health Plan, is not a covered entity.

Compliance with the HIPAA Privacy and Security Rules would require The New School to implement special administrative, technical, and physical safeguards on the environment where protected health information is processed. These safeguards include the establishment of specific administrative staff roles, creation of specialized employee training programs, installation of physical security measures in offices and computer data centers, and implementation of specialized security measures in its information technology environment.

As of this writing, The New School does not have the policies, protocols, or infrastructure in place to conduct HIPAA-compliant research at the university. Furthermore, the administrative, technical, and physical safeguards required by the New School Human Research Protection Program (HRPP) to protect data and samples may not be provided by all components of the New School information technology environment. Researchers should consult with the Office of Research Support, Information Technology, and the Information Security and Privacy Office before embarking on research using these categories of data to ensure that all information security requirements for their project can be met.

Important!

Do not store, process, or transmit HIPAA-regulated information or human subject research data except as approved by the Institutional Review Board (IRB).

Controlled unclassified information

U.S. government agencies routinely generate, use, store, and share information that, while not meeting the standards for classified national security information, requires safeguarding and dissemination controls. Historically, this information (sometimes referred to as “Sensitive But Unclassified” (SBU) information) has been shared using an ad hoc ungoverned body of policies and practices. Across the federal government, there are a variety of markings and different labeling or handling procedures for SBU information, resulting in confusion for both its producers and its users.

In 2010, the White House issued Executive Order 13556, which defined Controlled Unclassified Information (CUI) to gather these various information categories into a single definition for all federal agencies, placing the National Archives in the role of creating the definitions, which can be found in the Controlled Unclassified Information (CUI) Registry. Some types of CUI that New School researchers might receive from (or produce under contract for) a federal agency include student records or personally identifiable information, export control-research data, critical infrastructure information, and controlled technical information.

When the federal government shares CUI with The New School, there may be particular federal laws or regulations that specify how that information must be protected. To address situations in which there is no applicable federal law or regulation addressing how the CUI must be protected, the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, applies. In either case, The New School would be required to implement the prescribed administrative, technical, and physical safeguards in the environment where CUI is processed.

As of this writing, The New School does not have the policies, protocols, or infrastructure in place to conduct NIST 800-171-compliant research at the university. Furthermore, the administrative, technical, and physical safeguards required by other federal laws and regulations governing the protection of CUI may not be provided by all parts of The New School information technology environment. Researchers should consult with the Office of Research Support, Information Technology, and the Information Security and Privacy Office before embarking on research using these categories of data to ensure that all information security requirements for their project can be met.

Important!

Do not store, process, or transmit Controlled Unclassified Information except as approved by the Institutional Review Board (IRB).

Special handling instructions

The special handling instructions referenced in the requirements above are provided in the following sections.

Documents that must be labeled “Confidential”

If a document is concealed in an envelope, then Confidential is only needed on the envelope. If the envelope is being sent via campus mail or external carrier, it should be enclosed in a second, outer envelope that does not bear any label. If a document is not concealed in an envelope, then the document itself must be labeled Confidential.

Documents/envelopes that must be labeled Confidential include (but are not limited to) those that contain:

  • Americans with Disabilities Act (ADA) records
  • Background/credit checks of employees and applicants
  • Bank account/direct deposit/wire transfer information for individuals
  • Benefits selection information (including beneficiary selections)
  • Controlled Unclassified Information
  • Credit/debit card numbers and other Cardholder Data
  • Employee Assistance Program records
  • Employee disability information
  • Employee disciplinary information
  • Equal Employment Opportunity case records
  • Family Medical Leave Act documents
  • Financial and/or tax information for students and/or parents
  • Grievance cases and related investigative information
  • Information Classified at Protection Level PL-4
  • Information disclosed to or created by the University Ombuds
  • Medical and/or psychological diagnoses
  • N-numbers of students or employees
  • Personal Data / Personally Identifiable Information of students or employees
  • Social Security Numbers or Individual Taxpayer Identification Numbers
  • Student disability information
  • Student disciplinary information
  • Subpoenas for student records

Generally, when documents that must be labeled Confidential are collected together (e.g., as part of a student’s or employee’s file), it is sufficient to label the folder or other container that holds the entire collection, without labeling the individual documents, so long as those documents are not circulated outside the department where they are kept. However, if a document is removed from the container to be sent outside the department (by mail, fax, or otherwise), it should be labeled prior to sending.

Hard copy disposal guidelines

Paper documents containing Sensitive Institutional Information must be disposed of by placing them in secure, locked recycling bins designed for confidential materials (available from Facilities Management) or by shredding them in a cross-cut or micro-cut shredder (strip-cut shredders are not acceptable). See the Standard for Disposing of Institutional Information for details on acceptable shredder parameters.

Documents containing Sensitive Institutional Information must not be placed in normal office trash cans or non-secure waste paper / recycling bins.

Microforms (microfilm, microfiche, or other reduced image photo negatives) must be destroyed by burning. See the Standard for Disposing of Institutional Information for details.

Mobile device security guidelines

  • Mobile devices must not be left unattended and must be stored in a secured location when not in use.
  • Mobile devices should be protected by a secure password (PIN or pattern are also acceptable) and auto lockout should be enabled.
  • If the device has a “remote wipe” feature, that feature should be enabled. This also includes features that delete data stored on the device if a password or other security code is not entered correctly after a certain number of tries.
  • If the device has a remote location feature (“Find My Phone” or similar), that feature should be enabled.
  • Mobile devices should be wiped and/or data should be securely deleted from them prior to disposal or reuse (see Disposal of electronic media and electronic devices).
  • If a device containing Sensitive Institutional Information is lost, stolen, or misplaced, the Information Security and Privacy Office and the Data Owner(s) should be notified immediately.

Sealed

Sealed means that an envelope is secured in such a way that tampering would be evident upon receipt of the envelope. For example, using tape across the envelope flap, sealing a self-adhesive envelope, placing a stamp or other sealing object across the envelope closure, etc. An information user who receives a document containing Sensitive information in an envelope that appears to have been tampered with should immediately notify the sender of the document.

Secured location

A secured location means placing information in locked office furniture (desk drawers, file cabinets, etc.), locked offices, and other locations specifically dedicated to secure storage of university records and other Institutional Information (such as a departmental safe).

Note that a locked office, by itself, may not be sufficiently secure if personnel not authorized to access the information, such as maintenance and custodial staff, have access to the office. In this situation, the information should also be put away in a desk drawer or file cabinet, rather than left out in plain sight.

Unattended printing

Unattended printing is permitted for Sensitive Institutional Information so long as controls are in place to prevent unauthorized viewing or pick-up of the printouts. Printouts containing information Classified at Protection Level PL-4 should be picked up immediately. Access controls for unattended printing or faxing include:

  • delayed output of printing and faxing until the recipient “releases” the printout or fax,
  • utilization of a lock box for storage of unattended printouts and faxes, and
  • purchase and utilization of a fax server to queue fax printouts.

For example, an acceptable practice is to send documents to a shared printer where a small group of people has access to the printer. A best practice would be to send documents to a shared printer that requires users to enter a PIN/password or swipe their ID card to release the printout (initiate printing).

Tip

All New School Konica-Minolta multifunction office printers offer secure printing by accessing Printer Properties > Basic > User Settings > Secure Print.

Review

This standard is reviewed on a periodic basis and updated as necessary by the Information Security and Privacy Office to ensure it remains accurate, relevant, and fit for purpose.

Document history
Date Author Description
Jun 2020 D. Curry
  • Initial publication
Jul 2020 D. Curry
  • Removed reference to record retention guideline (there isn't one)
Aug 2020 D. Curry
  • Replaced oppressive and gender-specific terms with better alternatives
Sep 2020 D. Curry
  • Replaced references to obsolete “sendfiles” service with “securesend”