Information Privacy at Bentley

 

I. Scope

Bentley College exercises care and prudence in the handling of personal information and conducts its business in ways that demonstrate respect for personal privacy.

This document outlines principles and practices surrounding the confidentiality of personal information in academic and administrative systems, in reporting environments, on the web, and in digital and hardcopy formats. It contains information of relevance to a variety of campus audiences and in certain instances, the general public. It also establishes appropriate expectations in the use of Bentley phone and email resources. We reserve the right to change our privacy policy as changing circumstances and evolving technology standards require. Such changes will be incorporated in future releases of this document, and/or posted to our website as appropriate.

This document is the single best general source for information on this subject. It incorporates privacy-related content previously contained in the IT Users' Guide, and synthesizes the material in two policy documents that provide detailed information about standards of conduct in using computing and network resources and the data warehouse respectively:

A third document, the Privacy Statement is a distillation of the principles contained in Information Privacy at Bentley that deals exclusively with web privacy. Information privacy policies dealing with our website apply to the www.bentley.edu domain, and not to internal and external websites that might be linking to it. The policy protects no portion of sites connecting from www.bentley.edu.

Return to Top

II. Management of Information Privacy

In consultation with faculty, staff and information technology professionals, Bentley's information privacy policies are promulgated by senior officers and approved by the Board of Trustees. The Chief Information Officer communicates them to the Bentley community and to the general public, monitors compliance on a regular basis, and initiates their periodic review and revision consistent with accepted standards and with federal, state and local laws.

Two committees participate in aspects of this work: the Committee on Information Privacy comprised of faculty, administrative staff and technical professionals, and the Information Use and Standards Group comprised of data stewards, data experts and technical professionals. Both meet as needed under the chairmanship of the Dean for Information Resources and Systems.

Responsibility for the stewardship of institutional data is lodged with administrative officers with responsibility for significant business operations. Bentley has defined the information management responsibilities of various administrative roles within the organizational hierarchy.

The Gramm Leach Bliley Act (GLBA) deals with information privacy protection in the handling of financial records. Detailed information on Bentley's processes and procedures in compliance with GLBA is available from the Executive Director of Financial Operations.

Return to Top

III. The Information We Collect

Information in Administrative and Academic Systems: The attached chart outlines the types of information that Bentley collects from various constituencies.

In addition, web pages and other communication vehicles may offer individuals the opportunity to express opinions and to vote in elections or polls. Web users may subscribe to online newsletters, forums and chat communities, and may seek additional information about Bentley; in these connections, information collected to support these activities includes, but is not limited to, name, address, e-mail address, phone number, academic and recreational interests, citizenship, gender, high school name and location. Credit card number and expiration date are required in the context of purchasing goods or services online. If purchasing goods or services as gifts or on behalf of others and/or to forward information about Bentley to others, visitors to the Bentley website will be asked to provide personal information about others, such as name, address, email address and/or telephone number.

Images of Students, Faculty and Staff: Bentley maintains a database of photos for use on ID cards, to aid faculty in constructing seating charts, viewing class lists, and managing other instructional activities. Under no circumstances should faculty or staff post student images to web sites, nor should they use these images in any publication without the written consent of each student to be posted/published. Users should always be mindful that the World Wide Web is an unregulated environment and that individual security and safety considerations should be paramount.

E-Mail: E-mail is the communication medium of choice for the Bentley community. It is an official vehicle by which Bentley communicates with students, faculty, and staff. All are expected to read e-mail regularly to glean the critical information that is routinely conveyed.

Bentley provides electronic mail services to the campus community at its expense, for use on institutional business and academic endeavors; incidental personal use is also permitted, so long as the use does not violate federal or state laws, or institutional policy. Customers, suppliers and other third parties may use Bentley's electronic mail system under certain circumstances, if they agree to abide by all applicable rules.

Electronic mail transmitted via Bentley's network and residing on its servers is considered institutional property. Employees and students should not expect that any electronic mail sent and received using Bentley's computer resources is confidential or private. Individuals who send an e-mail message must note that any recipient may forward the message to others without permission.

Bentley's ability to protect privacy is limited to Outlook accounts and the on-campus network; the ability does not extend to organizations or parties outside Bentley (i.e., through the Internet). In other words, it is quite possible to compromise privacy if e-mail is forwarded from a Bentley Outlook account to an external account, or viewed on the Web using other network resources. The content of such messages is not protected during transmission beyond the Bentley network. Neither can Bentley control the network and database security or privacy policies of external systems.

The institution copies e-mail files to backup tapes daily. These tapes may be retained indefinitely. Please be aware that deleting e-mail messages from a mail folder or in-box does not delete a previously archived copy of that message. (See also Section VII, Disclosure.)

Exiting employees should delete all personal e-mail messages prior to their departure. Bentley reserves the right to review any remaining active email messages of exiting employees for their value in carrying out college business. This access and review are performed after obtaining the approval of the VP for IT and the appropriate divisional VP.

E-mail accounts of terminated employees may be deleted immediately. Student e-mail accounts are deleted when the individual is no longer registered for a course. Student accounts are removed twice a year: in late October for the previous spring registration period, and in late April for the preceding fall registration period. For example, the e-mail accounts of graduating seniors are removed during the October cycle following May commencement.

Phone Privacy: Bentley will not listen to, or enable anyone else to listen to, any employee's phone and voice mail messages without the permission of the user, unless reasonable grounds exist for doing so. Such grounds might include, but are not limited to the maintenance of phone system integrity (such as diagnosing problems) and complying with legal obligations (such as subpoenas). (See also Section VII, Disclosure.)

Return to Top

IV. Principles and Practices of Information Collection

Methods of Data Collection in Administrative and Academic Systems: We collect personal information directly from individuals using online forms, traditional hardcopy means, and by email, phone and fax. Where applicable, we distinguish between required and optional information.

Data Collection on the Web: Most academic and administrative department web pages are found within Bentley's extranet (www.bentley.edu). Department web sites that collect data of any type are required to abide by, and provide a link to, this Privacy Statement. Failing to do so may result in temporary removal of the web site, without prior warning. In these instances, Web Services will make every effort to contact the departmental page master prior to such temporary removal of the site.

Personal web sites located on Bentley-owned servers, whether created by students or employees, may not collect personal information from visitors without abiding by and linking to this Information Privacy Statement. In addition, individuals may not post images of any member(s) of the Bentley community, or provide personal information about them, without their prior written permission. Web sites that violate the policy may be removed without advance warning. Federal, state and local laws, regulations, and judicial decisions may also apply in cases where a person's privacy is violated.

As a matter of practice, we use common internet technologies such as "cookies," IP addresses and server logs to manage and administer our website. Cookies are small files placed onto a visitor's computer and used to evaluate traffic throughout a website. In the course of your e-commerce session, we will set a "cookie" in your web browser that keeps track of your shopping session. We may also use cookies to track session information, but such tracking is not personally identifiable and is used only in aggregate form to assess site effectiveness and to examine the frequency of hits to specific pages. You are not obliged to accept cookies to visit our site.

The Bentley website neither targets persons who are less than 13 years of age nor knowingly collects personal information online from them.

Receiving Data from Third Parties: On the initiative of individual applicants for admission, we receive information about them from third parties. Examples of data supplied by external sources include high schools references and transcripts, admission application data from externally hosted online admission application sites, SAT scores and results on other standardized tests, financial information in relation to applications for financial aid, visa information for international students and scholars from the INS and health information from physicians and health care providers in compliance with public health requirements. Bentley also makes use of external data sources in identifying prospective applicants and communicating with them about the institution.

Return to Top

V. Access and Choices

Educational Records: In accordance with institutional policy, Bentley College complies with the Family Educational Rights and Privacy Act of 1974 (FERPA). In brief, the act requires that colleges and universities allow individual students the right to review all official records, files and data directly related to them and the right to challenge the accuracy of the contents of such records. Further, the act prohibits colleges and universities from releasing confidential information about students without their written consent, except as allowed by law. This policy applies to all students regardless of their citizenship.

Copies of Bentley students' rights regarding educational records are available from the offices of the Chief Student Affairs Officer (781.891.2161). Students have the right to complain to the Family Educational Rights and Privacy Office concerning any alleged failure on the part of Bentley College to comply with the Family Educational Rights and Privacy Act of 1974.

Web-deployed Administrative Services: In the course of doing business, Bentley performs numerous administrative functions and services via its website and reserves the right to require participation in them by students and staff.

Web Visitors' Choices:

  • You are not required to provide personal information to visit our website.
  • If you choose to provide personal information such as your e-mail address, home address, and phone number, Bentley may contact you.
  • If you receive unwanted contacts and wish to be excluded from future contacts, please inform us at the address below, specifying the source and providing a description of the unwanted materials. We will notify the appropriate office accordingly.

Return to Top

VI. Institutional Use of Personal Information

Bentley collects only the information necessary to satisfy the purpose for which it is being supplied. Generally, information collected for one purpose is not made available for another. At present, Bentley does not make alternate uses of information collected through e-commerce transactions. In the future, however, we may elect to send you information about the institution, its programs and events. We do use personal information to generate statistical reports for institutional planning and research purposes and for release to external parties, but such reports do not contain personally identifiable information. We also measure the volume, variety, timing and other characteristics of our web traffic in general or our e-commerce transactions in particular, but again such statistics contain no personally identifiable information.

We do not share, trade, or sell personal information to third parties without your consent except in limited ways, as required by law in response to a duly authorized information request from governmental authorities. We may also exchange information for purposes of fraud protection and credit risk reduction.

Finally, personal information about Bentley employees, students and alumni may be shared with vendors, contractors or partners in connection with services that these individuals or entities perform for or with the institution. These individuals and entities are restricted from using these data in any way other than the purpose for which they were intended. E-mail distribution lists are institutional property. They may be furnished to an external third party only in conjunction with a legitimate academic or administrative initiative, approved by a division head. In such cases, contractual arrangements with the external party must include language that prevents the vendor from furnishing, duplicating or selling the list to another party.

Faculty members serving as editors of scholarly publications, professional conference coordinators or in other professional capacities involving communication with third parties may use Bentley's computing resources to support such activities, so long as the would-be participants are mindful of the nature and extent of information sharing involved and of the nature of the privacy protections afforded.

Culture of Responsible Use: Institutional policies and standards of practice govern the conduct of employees who in the course of their work have access to personal information about students, faculty, staff and others. Such access is limited to information required for the employee to perform his/her job. Data use standards aim to protect personally-identifiable information from inappropriate disclosure. The approach includes reasonable data protection techniques and sanctions for irresponsible conduct, but depends more substantially on education, elevated consciousness, mutual trust and shared responsibility about responsible data use.

Access to information in administrative systems is granted to employees by relevant data stewards on a need-to-know basis, and only for legitimate institutional purposes. Data stewards may delegate this responsibility to divisional keys users. Department heads are encouraged to execute confidentiality agreements (PDF, 21k) with student employees. Applications developers in Management Information Systems do not have update privileges in the production system. Their visual access to information is normally limited to those applications they support.

Access to the reporting environment is governed by the Committee on Information Use and Standards and is limited to employees of Bentley. Access will not be granted to outside contractors or consultants, or to student-employees. Normally, access is not be granted to support individual faculty or student research projects, but access is granted to institutional researchers, technical professionals and officers of the institution to access such data for research and planning purposes. Access to others is approved by the Committee on Information Use and Standards upon the recommendation of the applicable data steward. The breadth and depth of access is determined by the role of the individual and may be contingent upon training on applicable data policies and responsibilities. Security and privacy will be prioritized over access, except as required by business needs. Consequently, there are obligations incurred by users of our data warehouse.

Employee access privileges to all systems and accounts end upon termination of employment.

Return to Top

VII. Information Security

Personal Responsibility and Sanctions: Individuals must take reasonable precautions to protect account(s), password(s), and access to Bentley-provided computing resources, both within and outside the Bentley community. Sharing individual IDs and passwords is prohibited. All members of the Bentley community are expected to exercise care in logging out of networked resources, in regularly changing their individual password(s), and in maintaining password confidentiality.

With the exception of specific instructional activities conducted under the aegis of the CIS Department, Bentley will not tolerate hacking by students, employees, contractors, consultants, volunteers, visitors, or any other person or device. Responsible parties include those who instigate, plan, initiate and/or participate in or perform hacking offenses. Students, employees, volunteers, consultants and contractors suspected of engaging in hacking are expected to cooperate fully with Bentley and legal authorities in the investigation of such incidents. This cooperation may include, but is not limited to, providing transaction logs, copies of electronic mail messages, data files, usage records, account and password information and hardware, and others as required by those authorities. Those who are financially responsible for the perpetrators, such as parents or guardians, may also be held accountable.

Employees are expected to report to their supervisor, and students are expected to report to a faculty member or the Computer Resource center, any violations, flaws or other deficiencies in the security of any and all Bentley computer resources.

Whether in hardcopy or electronic form, users shall organize, distribute, print, store, maintain, analyze, and/or transfer data, under their control in such a manner as to reasonably prevent loss, unauthorized access or divulgence of confidential information. Data files containing personally-identifiable information and/or supporting research findings shall be stored and archived securely.

Those who violate policies on individual access, hacking, adverse effect or commercial use may incur temporary or permanent loss of access rights, fines, assignment of financial responsibility, discipline up to and including termination of employment, expulsion as a student, and legal action. For contractors and other external vendors, sanctions may include loss of contractual rights and legal action.

Production Control: Information Technology personnel have heightened awareness of the need for confidentiality and security, and readily promote, devise, implement and evaluate internal procedures to insure appropriate technical and ethical standards. In accordance with production control standards, program changes are developed and tested in a test environment. They are then subjected to user acceptance testing. Prior to being moved to the production environment, for quality assurance purposes proposed changes are subjected to substantive review by another technical colleague, normally one serving as group leader. Data administration staff, who have extensive privileges and ultimate responsibility for the security of administrative databases, move the proposed change to the production environment, after first determining that accountability and documentation requirements have been met. The program change procedure is a self-documenting one that generates a permanent audit trail of all changes to administrative systems.

Network Security: Bentley has both an active and redundant firewall in place. While we remain committed to protecting the privacy of our users, we cannot ensure or warrant the security of any information you transmit to us, and you do so at your own risk.

Once we receive your transmission, we make our best effort to ensure its security on our systems. We do so by using secure technology, privacy protection controls, and restrictions on employee access.

Bentley follows industry-standard precautions and procedures in the transmission and storage of electronic data. When you make online payments, Secure Socket Layer (SSL) server software in conjunction with your SSL-enabled-browser software prevents unauthorized access to the information you submit by encrypting it during transmission. Once we receive your transmission, we make our best effort to ensure its security on our systems. We do so by using secure technology, privacy protection controls, and restrictions on employee access.

Return to Top

VIII. Disclosure of Personal Information

Directory Information: Bentley (information desk, Registrar's Office, deans' offices, etc.) may release to the public student data considered "directory information." If a student desires that directory information not be released, he or she must notify the Registrar's Office in writing. Students do not have the flexibility to select particular items to release or withhold. Bentley will not sell or give directory information to external parties for commercial purposes.

Directory information, as defined by the Family Education Rights and Privacy Act of 1974, includes the following student information: Name, Address, Telephone number, Date and place of birth, Class, Major field of study, Participation in officially recognized activities and sports, Weight and height of members of athletic teams, Dates of attendance, Degrees and awards received, ID Photo, Most recent previous educational agency or institution attended.

Otherwise, personal information shall not be allowed to appear in reports, spreadsheets, e-mail messages or other media that are intended for release within the campus community or beyond it.

E-mail Disclosure: As a general rule, Bentley will not read or make available the contents of any individual's electronic mail. But we may, upon reasonable grounds approved by two vice presidents, access e-mail files at any time, without prior notice to the student or employee; reasonable grounds for doing so may include but are not limited to:

  • ensuring system integrity (such as tracking viruses or corrupt messages)
  • complying with legal obligations (such as subpoenas)
  • maintaining the continuity of business operations (such as when employees are terminated or leave the institution)
  • investigating complaints of possible violation of college policy
  • resolving disputes between individuals at the college involving complaints filed with Human Resources, the Office of Equal Opportunity, or Campus Safety
  • performing certain system-management functions (such as resolving quota issues, disabling agents, or migrating data to alternate servers)
  • conducting judicial review cases

Faculty, staff and students must exercise caution in using e-mail distribution lists to conduct internal surveys, as most recipients find unsolicited surveys tantamount to spam. Using distribution lists for surveys is allowed only for legitimate academic or administrative purpose. Faculty should seek approval from their dean for academic surveys, and employees should seek approval from their division head for administrative surveys.

Under no circumstances may Bentley distribution lists be sold to an external party, nor may the lists be used for individual gain (for example, marketing a product or service). Violations of this policy may result in temporary or permanent loss of access rights, fines, assignment of financial responsibility, disciplinary action up to and including termination of employment, expulsion as a student, and legal action. For contractors and other external vendors, sanctions may include loss of contractual rights and legal action.

Phone Disclosure: There may be extraordinary circumstances in which the contents of a user's phone or voice mailbox may be accessed and disclosed on a need-to-know basis. This action requires approval of the Vice President for Information Technology and the appropriate divisional vice president. In such cases, the user will be notified as soon as it is practical to do so.

Return to Top

IX. Quality Assurance, Data Integrity and Data Standards

Bentley regularly monitors its website to promote compliance with information privacy policies, and quality assurance standards.

Data Stewards are responsible for assuring that applications that capture and update data incorporate edit and validation checks to protect the integrity of the data. Data Experts are responsible for correcting data problems and inaccuracies. Data Users are responsible for supplying as much detailed information as possible about the nature of the erroneous data.

To protect the integrity of information in the reporting environment, upon written identification and notification of erroneous data to the Data Stewards by data warehouse technical professionals, corrective measures should be taken as soon as possible to evaluate and appropriately correct the data at the source, report corrective action in writing to the Committee on Information Use and Standards for review, and to notify Divisional Key Users and Data Experts who have received or accessed erroneous data.

All information provided on the official Bentley website is for informational purposes only and does not constitute a legal contract between the institution and any other person or entity otherwise specified. Although every reasonable effort is made to present current and accurate information, Bentley makes no guarantees of any kind. Information on www.bentley.edu is subject to change without prior notice.

Return to Top

X. Data Destruction and Archiving

If materials containing personal data are to be destroyed, the method of destruction shall be appropriate. Such materials shall not go into normal trash or recycling bins. Destruction should be by shredding or other protective disposal technique. Electronic records are subject to comparable controls. Unless stored and archived securely as necessary to support research findings, data files should be destroyed promptly after serving their purpose. Special care shall apply to the control, management and destruction of various export formats offered by standard query tools including but not limited to spreadsheet, comma-delimited, pdf and html. All reasonable means shall be employed to prevent irrevocable loss of data and documentation during its immediate useful life, and materials of value in documenting the history of Bentley College shall be suitably preserved and archived.

Appropriate standards are supported by the Records Management Program of the Purchasing and Contract Services Office. The program consists of training in records management standards, funding for record review and preparation, and funding for suitable disposal or archiving.

Return to Top