St. Bonaventure University
Confidentiality and Security Policy

St. Bonaventure University regards security and confidentiality of data and information to be of utmost importance. As such, the University requires all users of data and information to follow the procedures outlined below:


Policy on Confidentiality of Data

Each employee, consultant, student, or person granted access to data and information holds a position of trust and must preserve the security and confidentiality of the information he/she uses. Users of University data and information are required to abide by all applicable Federal and State guidelines and University policies regarding confidentiality of data, including, but not limited to, the Family Educational Rights and Privacy Act (FERPA). All users of University data and information should read and understand how the FERPA policy, located at fpco/ ferpa/index.html, applies to their respective job functions. [Policies located within St. Bonaventure University Health Services cover the university’s implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).]

Any employee or person with authorized access to St. Bonaventure University’s computer resources, information system, records, or files is given access to use the University’s data or files solely for the business of the University. Specifically, individuals should:

a)      Access data solely in order to perform their job responsibilities.

b)      Not make or permit unauthorized use of any information in the University’s information services or data.

c)      Not enter, change, delete or add data to any information system or files outside of the scope of their job responsibilities.

d)      Not include, or cause to be included in any record or report, a false, inaccurate or misleading entry.

e)      Not alter, delete, or cause to be altered or deleted, a true and correct entry from any record, report or information system.

f)       Not release University data other than that which is required in completion of job responsibilities.

g)      Not exhibit or divulge the contents of any record, file or information system to any person except as it relates to the completion of job responsibilities.

In addition, individuals are not permitted to operate or request others to operate any University data equipment for personal business or to make unauthorized copies of University software or related documentation.

It is the employee's responsibility to report immediately to his/her supervisor any violation of this policy or any other action that violates the confidentiality of data.

Procedures & Security Measures to Help Ensure Confidentiality of Data

All users of University information systems are supplied with a network account to access the data necessary for the completion of their job responsibilities. Users of the University information systems are required to follow the procedures outlined below:

1)      All transactions processed by a user ID and password are the responsibility of the person to whom the user ID was assigned. The user's ID and password must remain confidential and must not be shared with anyone.  Technology Services should be contacted in the event an administrative assistant requires access to a supervisor’s account. Users should consider the following tips:

·         Do not use anyone else’s password. Using someone else’s password is a violation of policy, no matter how it was obtained.

·         Do not share your password with anyone. Your password provides access to information that has been granted specifically to you. Technology Services will never ask for your password. To reduce the risk of shared passwords, do not post your password on or near your workstation. Also, be sure that your computer is not set to automatically remember your password.

·         Do not save your account password on any system as a way to avoid entering it manually.

·         Do not respond to any requests for your password.

·         It is your responsibility to change your password immediately if you believe someone else has obtained it.

2)      Access to any student or employee information (in any format) is to be determined based on specific job requirements. The appropriate Director, Dean, Provost, and/or Vice President are responsible for ensuring that access is granted only to an authorized individual, based on the performance of his/her job. Technology Services must receive documented authorization prior to granting system access.

3)      In order to prevent unauthorized use, users shall lock their computers when leaving the workstations, or shall establish an automatic screen saver to lock the computers, especially during breaks, lunch, and at the end of the workday. Users needing assistance with setting up these features should contact Technology Services.

4)      Passwords should be changed if there is a reason to believe they have been compromised or revealed inadvertently. Users who suspect unauthorized use of a password should immediately notify their supervisors.   

5)      Upon termination or transfer of an employee, Human Resources will notify Technology Services.  Technology Services will then take appropriate action to either terminate or modify the employee’s computer access.

6)      Generally, students and temporary employees should not have access to the University database (Datatel) system. Documented approval of the Director, Dean, Vice President or Provost in charge of the respective department is required if it is determined that access is required. Students or temporary employees are to be held to the same standards as all University employees, and must be made aware of their responsibilities to protect student and employee privacy rights and data integrity.

7)      Employees who are granted access to process transactions via Datatel have access to a secure information area. Any information entered or changed will be effective immediately. Employees are responsible for any changes made using their ID.


Approved 08/08