Bentley's Information Privacy Statement

I. Scope

Bentley University exercises care and prudence in the handling of personal information and conducts its business in ways that demonstrate respect for personal privacy.

This document outlines principles and practices surrounding the confidentiality of personal information in academic and administrative systems, in reporting environments, on the web, and in digital and hard copy formats. It contains information of relevance to a variety of campus audiences and in certain instances, the general public. It also establishes appropriate expectations in the use of Bentley phone and email resources. We reserve the right to change our privacy policy as changing circumstances and evolving technology standards require. Such changes will be incorporated in future releases of this document, and/or posted to our website as appropriate.

This document incorporates privacy-related content contained in the Policies Governing Technology Resources at Bentley and Bentley’s formal Privacy Statement.

II. Management of Information Privacy

In consultation with faculty, staff and information technology professionals, Bentley's information privacy policies are promulgated by senior officers and approved by Bentley's Information Privacy Committee. The Chief Security Administrator communicates them to the Bentley community and to the general public, monitors compliance on a regular basis, and initiates their periodic review and revision consistent with accepted standards and with federal, state and local laws.

Responsibility for the stewardship of institutional data is lodged with administrative officers with responsibility for significant business operations. Bentley has defined the information management responsibilities of various administrative roles within the organizational hierarchy.

III. The Information We Collect

Information in Administrative and Academic Systems: The attached chart outlines the types of information that Bentley collects from various constituencies.

In addition, web pages and other communication vehicles may offer individuals the opportunity to express opinions and to vote in elections or polls. Web users may subscribe to online newsletters, forums and chat communities, and may seek additional information about Bentley; in these connections, information collected to support these activities includes, but is not limited to, name, address, e-mail address, phone number, academic and recreational interests, citizenship, gender, high school name and location. Credit card number and expiration date are required in the context of purchasing goods or services performed through third party vendors.

Images of Students, Faculty and Staff: Bentley maintains a database of photos for use on ID cards, to aid faculty in constructing seating charts, viewing class lists, and managing other instructional activities. Under no circumstances should faculty or staff post student images to web sites, nor should they use these images in any publication without the written consent of each student to be posted/published. Users should always be mindful that the World Wide Web is an unregulated environment and that individual security and safety considerations should be paramount.

E-Mail: E-mail is the communication medium of choice for the Bentley community. It is an official vehicle by which Bentley communicates with students, faculty, and staff. All are expected to read e-mail regularly to glean the critical information that is routinely conveyed.

Bentley provides electronic mail services to the campus community at its expense, for use on institutional business and academic endeavors; incidental personal use is also permitted, so long as the use does not violate federal or state laws, or institutional policy. Customers, suppliers and other third parties may use Bentley's electronic mail system under certain circumstances, if they agree to abide by all applicable rules.

Electronic mail transmitted via Bentley's network and residing on its servers is considered institutional property. Employees and students should not expect that any electronic mail sent and received using Bentley's computer resources is confidential or private. Individuals who send an e-mail message must note that any recipient may forward the message to others without permission.

Bentley's ability to protect privacy is limited to Outlook accounts and the on-campus network; the ability does not extend to organizations or parties outside Bentley (i.e., through the Internet). In other words, it is quite possible to compromise privacy if e-mail is forwarded from a Bentley Outlook account to an external account, or viewed on the Web using other network resources. The content of such messages is not protected during transmission beyond the Bentley network.

The institution copies e-mail files to backup tapes daily, and the tapes are retained in accordance with Bentley’s retention and destruction policies. Please be aware that deleting e-mail messages from a mail folder or in-box does not delete a previously archived copy of that message. (See also Section VII, Disclosure.)

Exiting employees should delete all personal e-mail messages prior to their departure. Bentley reserves the right to review any remaining active email messages of exiting employees for their value in carrying out college business. This access and review are performed after obtaining the approval of two Vice Presidents.

E-mail accounts of terminated employees may be deleted immediately. Student e-mail accounts are deleted when the individual is no longer registered for a course. Student accounts are removed twice a year: in December for the previous spring registration period, and in late June for the preceding fall registration period. For example, the e-mail accounts of graduating seniors are removed during the December cycle following May commencement.

Phone Privacy: Bentley will not intentionally listen to, or enable anyone else to listen to, any employee's phone and voice mail messages without the permission of the user, unless reasonable grounds exist for doing so. Such grounds might include, but are not limited to, the maintenance of phone system integrity (such as diagnosing problems) and complying with legal obligations (such as subpoenas). (See also Section VII, Disclosure.)

IV. Principles and Practices of Information Collection

Methods of Data Collection in Administrative and Academic Systems: We collect personal information directly from individuals using online forms, traditional hard copy means, and by email, phone and fax. Where applicable, we distinguish between required and optional information.

Data Collection on the Web: Most academic and administrative department web pages are found within Bentley's extranet (www.bentley.edu). Department web sites that collect data of any type are required to abide by, and provide a link to, Bentley's Privacy Statement. Failing to do so may result in temporary removal of the web site, without prior warning. In these instances, Web Services will make every effort to contact the departmental page master prior to such temporary removal of the site.

Personal web sites located on Bentley-owned servers may not collect personal information from visitors without abiding by and linking to this Information Privacy Statement. In addition, individuals may not post images of any member(s) of the Bentley community, or provide personal information about them, without their prior written permission. Web sites that violate the policy may be removed without advance warning. Federal, state and local laws, regulations, and judicial decisions may also apply in cases where a person's privacy is violated.

As a matter of practice, we use common internet technologies such as "cookies," IP addresses and server logs to manage and administer our website. Cookies are small files placed onto a visitor's computer and used to evaluate traffic throughout a website. In the course of your visit to the Bentley web site, we will set a "cookie" in your web browser that keeps track of your session. Such tracking is not personally identifiable and is used only in aggregate form to assess site effectiveness and to examine the frequency of hits to specific pages. You are not obliged to accept cookies to visit our site.

The Bentley website neither targets persons who are less than 13 years of age nor knowingly collects personal information online from them.

Receiving Data from Third Parties: On the initiative of individual applicants for admission, we receive information about them from third parties. Examples of data supplied by external sources include high school references and transcripts, admission application data from externally hosted online admission application sites, SAT scores and results on other standardized tests, financial information in relation to applications for financial aid, visa information for international students and scholars from the INS, and health information from physicians and health care providers in compliance with public health requirements. Bentley also makes use of external data sources in identifying prospective applicants and communicating with them about the institution.

V. Access and Choices

Educational Records: In accordance with institutional policy, Bentley University complies with the Family Educational Rights and Privacy Act of 1974 (FERPA). In brief, the act requires that colleges and universities allow individual students the right to review all official records, files and data directly related to them and the right to challenge the accuracy of the contents of such records. Further, the act prohibits colleges and universities from releasing confidential information about students without their written consent, except as allowed by law. This policy applies to all students regardless of their citizenship.

Copies of Bentley students' rights regarding educational records are available from the Student Affairs Office (781.891.2161). Students have the right to complain to the Family Educational Rights and Privacy Office concerning any alleged failure on the part of Bentley University to comply with the Family Educational Rights and Privacy Act of 1974.

Web-deployed Administrative Services: In the course of doing business, Bentley performs numerous administrative functions and services via its website and reserves the right to require participation in them by students and staff.

Web Visitors' Choices:

  • You are not required to provide personal information to visit our website.
  • If you choose to provide personal information such as your e-mail address, home address, and phone number, Bentley may contact you.
  • If you receive unwanted contacts and wish to be excluded from future contacts, please inform us at the address below, specifying the source and providing a description of the unwanted materials. We will notify the appropriate office accordingly.

VI. Institutional Use of Personal Information

Bentley collects only the information necessary to satisfy the purpose for which it is being supplied. Generally, information collected for one purpose is not made available for another. At present, Bentley does not make alternate uses of information collected through e-commerce transactions. In the future, however, we may elect to send you information about the institution, its programs and events. We do use personal information to generate statistical reports for institutional planning and research purposes and for release to external parties, but such reports do not contain personally identifiable information. We also measure the volume, variety, timing and other characteristics of our web traffic in general or our e-commerce transactions in particular, but again such statistics contain no personally identifiable information.

We do not share, trade, or sell personal information to third parties without your consent except in limited ways, as required by law in response to a duly authorized information request from governmental authorities. We may also exchange information for purposes of fraud protection and credit risk reduction.

Finally, personal information about Bentley employees, students and alumni may be shared with vendors, contractors or partners in connection with services that these individuals or entities perform for or with the institution. These individuals and entities are restricted from using these data in any way other than the purpose for which they were intended. E-mail distribution lists are institutional property. They may be furnished to an external third party only in conjunction with a legitimate academic or administrative initiative, approved by a division head. In such cases, contractual arrangements with the external party must include language that prevents the vendor from furnishing, duplicating or selling the list to another party.

Faculty members serving as editors of scholarly publications, professional conference coordinators or in other professional capacities involving communication with third parties may use Bentley's computing resources to support such activities, so long as the would-be participants are mindful of the nature and extent of information sharing involved and of the nature of the privacy protections afforded.

Culture of Responsible Use: Institutional policies and standards of practice govern the conduct of employees who in the course of their work have access to personal information about students, faculty, staff and others. Such access is limited to information required for the employee to perform his/her job. Bentley’s Data Classification Policy aims to protect confidential information from inappropriate disclosure. The approach includes reasonable data protection techniques and sanctions for irresponsible conduct.

Access to information in administrative systems is granted to employees by relevant data stewards on a need-to-know basis, and only for legitimate institutional purposes. Data stewards may delegate this responsibility to divisional key users. Department heads are encouraged to execute confidentiality agreements with student employees. All employees are also required to execute Confidentiality Agreements.

Employee access privileges to all systems and accounts end upon termination of employment.

VII. Information Security

Personal Responsibility and Sanctions: Individuals must take reasonable precautions to protect account(s), password(s), and access to Bentley-provided computing resources, both within and outside the Bentley community. Sharing individual IDs and passwords is prohibited. All members of the Bentley community are expected to exercise care in logging out of networked resources, in regularly changing their individual password(s), and in maintaining password confidentiality.

With the exception of specific instructional activities conducted under the aegis of the CIS Department, Bentley will not tolerate hacking by students, employees, contractors, consultants, volunteers, visitors, or any other person or device. Responsible parties include those who instigate, plan, initiate and/or participate in or perform hacking offenses. Students, employees, volunteers, consultants and contractors suspected of engaging in hacking are expected to cooperate fully with Bentley and legal authorities in the investigation of such incidents. This cooperation may include, but is not limited to, providing transaction logs, copies of electronic mail messages, data files, usage records, account and password information and hardware, and others as required by those authorities. Those who are financially responsible for the perpetrators, such as parents or guardians, may also be held accountable.

Employees are expected to report to their supervisor, and students are expected to report to a faculty member or the Computer Resource Center, any violations, flaws or other deficiencies in the security of any and all Bentley computer resources.

Whether in hard copy or electronic form, users shall organize, distribute, print, store, maintain, analyze, and/or transfer data under their control in such a manner as to reasonably prevent loss, unauthorized access or divulgence of confidential information; data files containing confidential information and/or supporting research findings shall be stored and archived securely in accordance with Bentley's Data Classification Policy.

Those who violate policies on individual access, hacking, adverse effect, commercial use or other items outlined in the Policies Governing Technology Resources at Bentley may incur temporary or permanent loss of access rights, fines, assignment of financial responsibility, discipline up to and including termination of employment, expulsion as a student, and legal action. For contractors and other external vendors, sanctions may include loss of contractual rights and legal action.

Production Control: Information Technology personnel have heightened awareness of the need for confidentiality and security, and readily promote, devise, implement and evaluate internal procedures to ensure appropriate technical and ethical standards. In accordance with production control standards, program changes are developed and tested in a test environment. They are then subjected to user acceptance testing. Prior to being moved to the production environment, for quality assurance purposes, proposed changes are subjected to substantive review by another technical colleague, normally one serving as group leader. Data administration staff, who have extensive privileges and ultimate responsibility for the security of administrative databases, move the proposed change to the production environment, after first determining that accountability and documentation requirements have been met. The program change procedure is a self-documenting one that generates a permanent audit trail of all changes to administrative systems.

Network Security: Bentley has both an active and redundant firewall in place. While we remain committed to protecting the privacy of our users, we cannot ensure or warrant the security of any information you transmit to us, and you do so at your own risk.

Once we receive your transmission, we make our best effort to ensure its security on our systems. We do so by using secure technology, privacy protection controls, and restrictions on employee access.

Bentley follows industry-standard precautions and procedures in the transmission and storage of electronic data. When you make online payments, Secure Socket Layer (SSL) server software in conjunction with your SSL-enabled browser software prevents unauthorized access to the information you submit by encrypting it during transmission.

VIII. Disclosure of Personal Information

Directory Information: Bentley (information desk, Registrar's Office, deans' offices, etc.) may release to the public student data considered "directory information." If a student desires that directory information not be released, he or she must notify the Registrar's Office in writing. Students do not have the flexibility to select particular items to release or withhold. Bentley will not sell or give directory information to external parties for commercial purposes.

Directory information, as defined by the Family Educational Rights and Privacy Act of 1974, includes the following student information: Name, Address, Telephone number, Date and place of birth, Class, Major field of study, Participation in officially recognized activities and sports, Weight and height of members of athletic teams, Dates of attendance, Degrees and awards received, ID Photo, Most recent previous educational agency or institution attended.

Otherwise, personal information shall not be allowed to appear in reports, spreadsheets, e-mail messages or other media that are intended for release within the campus community or beyond it.

E-mail Disclosure: As a general rule, Bentley will not read or make available the contents of any individual's electronic mail. But we may, upon reasonable grounds approved by two vice presidents, access e-mail files at any time, without prior notice to the student or employee; reasonable grounds for doing so may include but are not limited to:

  • ensuring system integrity (such as tracking viruses or corrupt messages)
  • complying with legal obligations (such as subpoenas)
  • maintaining the continuity of business operations (such as when employees are terminated or leave the institution)
  • investigating complaints of possible violation of college policy
  • resolving disputes between individuals at the college involving complaints filed with Human Resources, the Office of Equal Opportunity, or Campus Safety
  • performing certain system-management functions (such as resolving quota issues, disabling agents, or migrating data to alternate servers)
  • conducting judicial review cases

Faculty, staff and students must exercise caution in using e-mail distribution lists to conduct internal surveys, as most recipients find unsolicited surveys tantamount to spam. Using distribution lists for surveys is allowed only for legitimate academic or administrative purposes. Faculty should seek approval from their dean for academic surveys, and employees should seek approval from their division head for administrative surveys.

Under no circumstances may Bentley distribution lists be sold to an external party, nor may the lists be used for individual gain (for example, marketing a product or service). Violations of this policy may result in temporary or permanent loss of access rights, fines, assignment of financial responsibility, disciplinary action up to and including termination of employment, expulsion as a student, and legal action. For contractors and other external vendors, sanctions may include loss of contractual rights and legal action.

Phone Disclosure: There may be extraordinary circumstances in which the contents of a user's phone or voice mailbox may be accessed and disclosed on a need-to-know basis. This action requires approval of the Vice President for Information Technology and the appropriate divisional vice president. In such cases, the user will be notified as soon as it is practical to do so.

IX. Quality Assurance, Data Integrity and Data Standards

Bentley regularly monitors its website to promote compliance with information privacy policies and quality assurance standards.

Data Stewards are responsible for assuring that applications that capture and update data incorporate edit and validation checks to protect the integrity of the data. Data Experts are responsible for correcting data problems and inaccuracies. Data Users are responsible for supplying as much detailed information as possible about the nature of the erroneous data.

All information provided on the official Bentley website is for informational purposes only and does not constitute a legal contract between the institution and any other person or entity otherwise specified. Although every reasonable effort is made to present current and accurate information, Bentley makes no guarantees of any kind. Information on www.bentley.edu is subject to change without prior notice.

X. Data Destruction and Archiving

If materials containing Level 1 and 2 data are to be destroyed, they should be rendered unreadable in paper or electronic form. Such materials shall not go into normal trash or recycling bins. Destruction should be performed by shredding or other protective disposal techniques. Electronic records are subject to comparable controls, and should be destroyed using electronic shredding methods that render files unreadable.

Appropriate standards are supported by Bentley’s Records Management Program of the Purchasing and Contract Services Office. The program consists of training in records management standards, funding for record review and preparation, and funding for suitable disposal or archiving.