Confidential information

Purpose

The purpose of this policy is to provide university employees with a basic understanding of their responsibilities to protect and safeguard the confidentiality of institutional data to which they have access as a result of their employment and to establish guidelines for the use and dissemination of such information.

Policy

Lynn University’s confidential and proprietary records and information relating to Lynn University or its students, vendors, business partners, donors and employees (hereinafter “institutional data”) must be treated accordingly. No Lynn University-related institutional data, including, without limitation, documents, notes, files, records, oral information, computer files or similar materials (except in the ordinary course of performing duties on behalf of Lynn University) may be removed from Lynn University’s premises without permission from Lynn University. Additionally, the contents of Lynn University’s institutional data otherwise obtained in regard to business may not be disclosed to anyone, except where required for a business purpose or where the records or information have previously been disclosed to the public by the university. Employees must not disclose any institutional data, purposefully or inadvertently (through casual conversation), to any unauthorized person inside or outside the university.

Examples of proprietary and confidential institutional data include, but are not limited to, any system, information or process that gives the university an opportunity to gain an advantage over its competitors; information about the university’s strategies, business plans, forecasts, operations, and results; information about students and vendors; information about the university’s systems, technology, products and services; and employee medical and other records. See also the university's data classification and data governance policy.

Employees are responsible for safeguarding institutional data under their control in accordance with the university's information security program, the acceptable use of technology, and other applicable university data protection policies and procedures, as well as applicable laws and regulations. This includes taking steps to ensure documents are produced, handled and discarded in a manner that minimizes the risk that unauthorized persons might obtain access to them. Employees should also ensure that access to work areas and computers is properly controlled. Moreover, employees may not discuss proprietary or confidential institutional data in public places or remove from campus such information and data without permission from the university (except in the ordinary course of performing duties on behalf of Lynn).

Employees who are unsure about the confidential and proprietary nature of specific information must ask their supervisor for clarification. Employees will be subject to appropriate corrective action, up to and including termination of employment, for knowingly or unknowingly revealing information of a confidential and proprietary nature.

The unauthorized use or release of confidential information relating to Lynn or any of its students is prohibited both during and after employment with the university. Unauthorized use includes, but is not limited to, use for personal gain or to provide advantage to others.

This policy is not intended, and should not be construed, to limit or prevent an employee from exercising rights allowed by law, rule, and/or regulations.

Definitions

Institutional data: any information collected, manipulated, stored, reported, or presented in any format, on any medium, at any location by any unit, program or office of the university in support of Lynn University’s mission. There are three types of institutional data: high risk; medium risk; and low risk. See the university's data classification and data governance policy for additional information.

Procedures/Guidelines

Guidelines related to institutional data

Employees are expected to:

  1. Identify institutional data to which they are entrusted.
  2. Understand their responsibilities related to information and data security.
  3. Attend training relevant to the information/materials being handled.
  4. Notify the university of any misuses of such information and data in accordance with the reporting process set forth below.

Reporting misuses of institutional data

In the event an individual observes or becomes aware of the misuse of institutional data, the individual must report this to an immediate supervisor or Employee Services.

In the event of a possible or suspected institutional data security incident, the university’s information security officer must be notified immediately. The university will respond to such reports in accordance with the procedures set forth in the IT incident response plan.

To learn more about this policy or the supporting procedures, please contact Employee Services.

Policy updated on: Nov. 1, 2021