The Information Stewardship Policy (ISP) outlines the actions all members of the Tufts community are expected to follow when working with institutional data and systems. The ISP is supported by three additional policies that assist in providing a framework for required behaviors and roles and responsibilities. They are the Use of Institutional Systems Policy, the Information Classification and Handling Policy, and the Information Roles and Responsibilities Policy.
Information Stewardship Policy Summary
This policy sets forth the core principles for information stewardship at Tufts University.
Institutional data is defined as information that is created, collected, licensed, maintained, recorded, used, or managed by the University, its employees, and agents working on its behalf, regardless of ownership or origin.
Institutional systems are the electronic and physical systems owned or licensed by Tufts University used to store and access institutional data.
Members of the Tufts community are required to responsibly maintain and use institutional data to ensure that Tufts’ data and systems are protected from misuse, unauthorized access, damage, alteration or disclosure.
Use of institutional data and systems must be in compliance with the law and all policies. Individuals who violate this policy may be denied access and face penalties or other disciplinary actions both within and outside of the University.
Use of Institutional Systems Policy Summary
This policy sets the manner in which Tufts’ institutional systems are to be used in general, and particularly when creating, using, disseminating, and disposing of institutional data.
Use of institutional systems that provide access to institutional data is subject to all applicable laws, regulations, university policies, procedures, standards, contracts, and licenses.
Access to institutional systems and associated data must be managed and controlled to ensure authorized access is consistent with individual roles and job responsibilities. Only authorized individual users are permitted to extend access to institutional data or systems to any other person. Users are expected to take reasonable steps to prevent unauthorized access.
Managers have the authority to limit the personal use of institutional systems. Such personal use cannot involve access to confidential data, interfere with work responsibilities, or place an undue burden on institutional systems.
Tufts does not routinely monitor individual usage of systems. However, overall operation and maintenance of computing resources requires logging of activity, backup of data, and other activities necessary to ensure adherence to the law. Without notice, Tufts may monitor employee activity if there is reason to believe that a law, contract or other Tufts policy is being violated. The results of any monitoring activities, including individual communications, may be used in legal proceedings and disclosed to appropriate parties for legal purposes.
Although Tufts uses its own centralized controls to protect institutional systems and institutional data, security cannot be guaranteed solely with these controls. School, division, department, and individual controls and policies should also maintain appropriate access to institutional data.
Employees are in violation of this policy if they attempt to disable, circumvent, probe or test the security and management controls that are in place to enforce responsible use of institutional systems and data.
Management may temporarily restrict access to systems that have been compromised prior to, during or upon completion of an investigation.
In order to ensure equitable access to all users, Tufts may require employees to limit, schedule, coordinate or refrain from use of institutional systems.
Information Classification and Handling Policy Summary
This policy establishes the requirement of maintaining the integrity, confidentiality, and availability of institutional data. It also provides a framework for classifying institutional data into three levels, as follows:
Confidential Institutional Data – This data is available only to Tufts employees on a strictly need to know basis. This data includes personally identifiable information such as social security numbers or personal health information.
Sensitive Institutional Data – This refers to data that is meant for limited distribution and available to Tufts employees who need it to support their work. Examples of this kind of data are internal memos, research notes, and planning documents.
Public Institutional Data – This type of data does not contain confidential information and may be shared across the Tufts community and in some cases to the public. Examples of this type of data are press releases, information posted on and meant for websites, and licensed software.
All information owners, managers, and custodians are responsible for maintaining the integrity, availability, and confidentiality of the institutional data under their care. Information managers and custodians are also responsible for implementing and operating institutional systems that support the integrity, availability, and confidentiality of the institutional data under their care.
Members of the Tufts community who violate this policy may be denied access to institutional data and systems and subject to further disciplinary action within and outside of the University.
Information Roles and Responsibilities Policy Summary
This policy establishes the roles and responsibilities for the appropriate management, use, and stewardship of institutional data.
Rights and Responsibilities
There are seven rights and responsibilities as follows:
Respect for Individual Privacy – Members of the Tufts community must respect the privacy of others and not place confidential or sensitive institutional data on institutional systems or engage in activities that may expose this data to harm.
Compliance – All members of the Tufts community are obligated to manage and use institutional data in a manner that is compliant with all applicable laws and regulations.
Requirements of Other Jurisdictions – All members of the Tufts community working with persons in other states or countries should ensure that their particular use of an electronic resource is consistent with laws within those other jurisdictions.
Respect for Copyright – All members of the community must respect the work product and copyrights of others.
Priority of University Business – The personal use of institutional systems must be kept to a minimum. Managers have the authority to limit the personal use of institutional systems.
Prohibition on Testing of Security Controls – It is in violation of this policy to test the security controls in place to protect institutional data and institutional systems.
Policy Violation – Members of the Tufts community who violate this policy may be denied access to institutional data and systems and be subject to other penalties and disciplinary action.
The responsibilities associated with the use and management of institutional data vary based on an individual’s information role. There are five information roles at Tufts, as follows:
Information Owners – Generally speaking, Tufts University is the information owner of institutional data. Faculty members are often information owners of their faculty materials. Information Owners may delegate their management of data to information managers.
Information Managers – Information managers ensure the responsible management and use of institutional data. They make decisions and take actions on behalf of the information owners to ensure the responsible and appropriate management and use of institutional data.
Information Custodians – The entities or individuals charged by information managers to execute aspects of managing institutional data.
Information Users – individuals who access and use institutional data in support of their research, teaching, service, and administrative work.
Information Subjects – The individuals who have information about them in institutional data.