photo from Tufts archives

Developing IT or Information Policies

The Information Stewardship Policy and its three supporting polices provide a framework and syntax managers can use to construct more detailed local policies or university-wide policies about particular information systems.

The four policies fit within a four-level information policy framework:

Level 1 Information Stewardship Policy
This policy, also referred to as the ISP, is the top capstone information policy at Tufts. The policy sets establishes the core principles for information stewardship at Tufts University. It also defines key policy terms. The policy states that “members of the Tufts community are expected to responsibly maintain and use institutional data regardless of the resource used to access or store the data—whether an institutional system, a privately owned resource, or a third-party resource.”
Level 2 Although sitting below the ISP, these are still high-level policies that lay the policy foundation for using and managing information and IT resources at Tufts.

Information Roles and Responsibilities Policy
This policy establishes the roles and responsibilities that all members of Tufts community have for the appropriate management, use, and stewardship of institutional data at Tufts University. It can be thought of as the people policy.

Information Classification and Handling Policy
This policy establishes a framework for classifying the level of confidentiality for institutional data. It also establishes the requirement for maintaining the integrity and availability of institutional data. It can be thought of as the information policy.

Use of Institutional Systems Policy
This policy sets forth the manner in which Tufts institutional systems are to be used in general, and particularly when creating, using, disseminating, retaining, and disposing of institutional data. It can be thought of as the machines policy.

Level 3 University-wide, narrowly focused policies
These are university-wide policies that focus on particular systems, such as email or the Tufts network.
Level 4 Local policies
These are information policies that are limited to a particular school, division, department, or office within Tufts.

The policy framework provides a structure and syntax that gives managers the flexibility to develop information and IT policies that meet the needs of a particular system or administrative unit while enabling connections to terminology and frameworks common to the entire University. For example, in a drafting a policy focused on the use of an application, a manager could reference provisions of these higher-level policies and focus the policy on the particulars of the application. The Information Stewardship Policy and three supporting policies also allow other information policies to speak a common language and logically “hang together” as a broader information policy framework.

Key Terms

Institutional Data
All information that is created, collected, licensed, maintained, recorded, used, or managed by the University, its employees, and agents working on its behalf, regardless of ownership or origin.

Institutional Systems
The electronic and physical systems owned or licensed by Tufts University used to store and access institutional data.

Levels of Confidentiality
Level A: Regulated Institutional Data
Institutional data that is governed by privacy or information protection requirements articulated by law, regulation, contract, binding agreement, or industry requirements. Examples include, but are not limited to personal, financial, or other types of records with social security numbers or financial account information. Student records governed by FERPA. Records with protected healthcare information governed by HIPAA. Credit card data governed by PCI data security standards, data use agreements for research, data covered under FISMA, information covered by nondisclosure agreements and other formal usage arrangements.

Level B: Confidential Institutional Data
Institutional data that is meant for a very limited distribution—available only to members of the Tufts community on a strictly need-to-know basis.

Level C: Administrative Institutional Data
Institutional data that is meant for a limited distribution; available only to members of the Tufts community that need the institutional data to support their work. This institutional data derives its value for Tufts in part from not being publically disclosed.

Level D: Public Institutional Data
Institutional data that is meant for members of the Tufts community and in some cases wide and open distribution to the public at large. This institutional data does not contain regulated or confidential information.

Information Owners Generally speaking, Tufts University is the information owner of institutional data. Faculty members are often information owners of their faculty materials. See the Policy on Rights and Responsibilities with Respect to Intellectual Property for more details on ownership rights.

Information Managers The individuals charged by information owners to ensure the responsible management and use of institutional data. Information managers are typically senior managers, senior administrators, and directors of schools, divisions, offices, and departments. Faculty members are the information managers of their faculty materials.

Information Custodians The entities or individuals charged by information managers to execute aspects of managing institutional data. Information custodians are typically IT units that maintain and operate institutional systems in order to manage institutional data on behalf of information managers.

Information Users Individuals that access and use institutional data in support of their research, teaching, service, and administrative work. Typically, information users are faculty, staff, and affiliates.

Information Subjects The individuals that have information about them in institutional data. Nearly all members of the Tufts community—students, faculty, staff, affiliates, alumni, and donors, plus non-matriculated students—are information subjects.