This policy works to establish best institutional practice regarding access, security of data and standards. The Freedom of Information and Protection of Privacy Policy 501 addresses regulations around what information can be collected and public disclosure of information.
VCC is committed to ensuring the integrity of College information and will develop and maintain clear and consistent procedures for access to all College data.
VCC is the owner of all data collected, stored and/or managed by College employees or using institutional resources.
VCC will apply the “least privilege” data management approach. Employees will only have access to the information they need in order to perform the job duties assigned to them.
VCC will ensure that industry standard management and oversight of College data is in place. This information will be maintained and updated through the VCC Data Standards, Data Integrity and Security Guidelines.
Data security is a shared concern and responsibility throughout the College. Users share responsibility and are accountable for their use and access of data and shall be aware of the restrictions, regulations and other usage provisions that apply to the data they handle and shall participate in education as necessary to appropriate use and care of data.
IT will document the security of all digital data assets.
Security access audit and assessment will be carried out on a scheduled basis to ensure compliance.
VCC will perform audit on a regular basis to ensure compliance and risk assessment.
The College will comply with BC Privacy Legislation.

Term	Description
College Data	Information that is collected, maintained and utilized by the College for the purpose of carrying out institutional business. College data will fall into one of three classifications: a. Public data – All data intended for public use and poses no risk to the College. An example would be a listing of courses offered by the College and the rooms in which they are taught. b. Protected data – All data which, if released, altered or destructed in an uncontrolled fashion, could cause moderate risk to the College or its affiliates. By default, the data that is not classified as public or restricted is considered as protected data. c. Confidential data – All data which, if released, altered or destructed could cause significant risk to the College or its affiliates. Examples include personal data containing elements such as Social Insurance Numbers, health/disability related records, student grades and personnel records.
College Data Resource	The mechanism by which all data owned and/or managed on behalf of the College is accessed.
Data Custodian	The College designate responsible for providing secure access to protected and confidential data including, but not limited to: providing physical security; backup and recovery processes; providing access to users as authorized by the Data Stewards; and implementing and administering appropriate levels of control over the information. This can also include individuals in physical possession of data for the College. This role owns the technical accountability of data assets.
Data Standards, Data Integrity and Security Guidelines	An institutional set of data standards and security guidelines by which data integrity and security is maintained. This document is reviewed on a regular basis, is accessible by the College community and the oversight group will provide an annual report to Operations Council, or delegate.
Data Steward	College official or designate having direct operational-level responsibility for information management. Data Stewards are responsible for data access model and policy implementation. This role owns the business accountability of data assets.
Data User	Individuals who need and use College data as part of their assigned duties or in fulfillment of assigned roles or functions within the College community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of that data. Any College employee with access to College data can be considered a Data User.
Least Privilege Protocol	The extent of access privileges for Data Users is defined and implemented according to the role and job function of the Data User’s position/job description rather than on an individual basis. If a Data User changes positions or job function, e.g. through promotion, transfer, separation, etc., that individual’s privileges will be eliminated or changed according to the new position.
Shared Resource	A shared resource is generally something like address information. The information itself is not owned by a specific department of the College as a staff member could also be a student or a donor. As such, those specific data elements are shared between the different functional areas.

Term

Description

College Data

Information that is collected, maintained and utilized by the College for the purpose of carrying out institutional business.

College data will fall into one of three classifications:
a. Public data – All data intended for public use and poses no risk to the College. An example would be a listing of courses offered by the College and the rooms in which they are taught.
b. Protected data – All data which, if released, altered or destructed in an uncontrolled fashion, could cause moderate risk to the College or its affiliates. By default, the data that is not classified as public or restricted is considered as protected data.
c. Confidential data – All data which, if released, altered or destructed could cause significant risk to the College or its affiliates. Examples include personal data containing elements such as Social Insurance Numbers, health/disability related records, student grades and personnel records.

College Data Resource

The mechanism by which all data owned and/or managed on behalf of the College is accessed.

Data Custodian

The College designate responsible for providing secure access to protected and confidential data including, but not limited to: providing physical security; backup and recovery processes; providing access to users as authorized by the Data Stewards; and implementing and administering appropriate levels of control over the information. This can also include individuals in physical possession of data for the College. This role owns the technical accountability of data assets.

Data Standards, Data Integrity and Security Guidelines

An institutional set of data standards and security guidelines by which data integrity and security is maintained. This document is reviewed on a regular basis, is accessible by the College community and the oversight group will provide an annual report to Operations Council, or delegate.

Data Steward

College official or designate having direct operational-level responsibility for information management. Data Stewards are responsible for data access model and policy implementation. This role owns the business accountability of data assets.

Data User

Individuals who need and use College data as part of their assigned duties or in fulfillment of assigned roles or functions within the College community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of that data. Any College employee with access to College data can be considered a Data User.

Least Privilege Protocol

The extent of access privileges for Data Users is defined and implemented according to the role and job function of the Data User’s position/job description rather than on an individual basis. If a Data User changes positions or job function, e.g. through promotion, transfer, separation, etc., that individual’s privileges will be eliminated or changed according to the new position.

Shared Resource

A shared resource is generally something like address information. The information itself is not owned by a specific department of the College as a staff member could also be a student or a donor. As such, those specific data elements are shared between the different functional areas.

VCC Policies	Policy Number
Appropriate and Responsible Use of Educational and Information Technology	505
Electronic Mail (Employees)	503
Emergency Management	220
Freedom of Information and Protection of Privacy	501
Records Management	520
Standards of Employee Conduct & Conflict of Interest	202

VCC Policies

Policy Number

Appropriate and Responsible Use of Educational and Information Technology

505

Electronic Mail (Employees)

503

Emergency Management

220

Freedom of Information and Protection of Privacy

501

Records Management

520

Standards of Employee Conduct & Conflict of Interest

202

History

Viewing: Sharing & Stewardship of Information

Last approved: Fri, 24 Nov 2023 01:43:02 GMT

Last edit: Fri, 24 Nov 2023 01:43:00 GMT

Policy

Procedures

References and Resources

Rationale and Additional Information

ADMINISTRATIVE INFORMATION

Category 1: College Operations

Category 2: Employees

Category 3: Students