H.3. Privacy and Security Policy
PURPOSE
Handling confidential and private information appropriately is a core Middlebury value. The Information Technology Privacy and Security policy outlines how Middlebury balances legitimate expectations for personal privacy with compelling institutional interests to ensure the safety and security of our community, compliance with various legal and regulatory requirements, and the reliable delivery and security of essential technology services and associated data.
SCOPE
This policy applies to all students, faculty, and staff, as well as retirees, emeriti, contractors, guests, and other parties authorized to interact with Middlebury’s technology services.
Definitions
Please refer to H.1 Information Technology - Overview for explanations of phrases and terms used throughout the Information Technology policies.
Policy
ITS is committed to responsible behavior in its management and maintenance of technology services and makes every reasonable effort to respect personal privacy within the constraints of supporting Middlebury’s academic mission and facilitating administrative operations.
Your Rights and Responsibilities
Consent
By choosing to interact with Middlebury technology services, including with your personally-owned devices, you consent to Middlebury’s monitoring and management practices as described in this policy.
Protecting Privacy
Per Middlebury’s Information Technology Responsible Use Policy, you are obligated to protect sensitive information that you have access to and you must not abuse your privileges to access sensitive information for reasons other than fulfilling your official responsibilities. See: Information Technology Responsible Use Policy and Banner Security Procedures.
Marketing Data
Middlebury will not share your personal data to third-parties for marketing purposes. Data is collected for the purposes outlined below. For additional information on website analytics, including options to opt-out of website analytic tracking, please refer to the ITS Website Privacy Policy.
Preservation of Information
Middlebury may be compelled, either to protect its own interests, or as part of legal proceedings, to perverse information for an indefinite period.
If you receive a Notice of Data Preservation from the Office of General Counsel, you are required to comply. Do not destroy records that are subject to data preservation requests.
Middlebury’s Rights and Responsibilities
Data Collection
Middlebury collects technology service usage data to ensure the reliability, performance, and security of Middlebury technology services, as well as to comply with various legal and regulatory requirements. Data collected can typically be associated with identifiable individual account holders. Types of data collected include, but are not limited to:
- Internet traffic logs
- Network traffic logs
- Wireless network data
- Authentication and access records
- Technology service access log, activity logs, and audit logs
- Email communications and associated message logs
- Telephone, instant messaging, and online conferencing usage logs
- Printing logs
- File access logs
- Geographic location data, inferred from the sources above and others
Log Retention
Logs are retained as long as legally required or for legitimate business reasons including usage trending, performance monitoring, and cybersecurity. Logs may be preserved indefinitely if they were collected as part of a legal or conduct investigation.
Confidentiality
As a general matter, Middlebury does not guarantee the confidentiality of any content housed within or transmitted through its systems or networks. In certain circumstances Middlebury may need to access information for legitimate institutional purposes, an illustrative but not exhaustive list of which are described below.
Health and Safety Matters
In situations where the safety of any human being is seriously threatened, Middlebury reserves the right to access information to reduce the health and safety risk.
As Required By Law
Middlebury must comply with legal process, including lawful demands for information in government investigations, law enforcement proceedings, etc. and it has obligations to preserve and produce information that is required in connection with threatened or pending litigation. Subpoenas, court orders, or other demands for information should be directed to the Office of the General Counsel.
Investigations of Illegal Activity or Misconduct
Under its policies, Middlebury may and often is required to gather information to investigate a possible violation of law or a breach of Middlebury policy. Access under such circumstances is restricted under the associated Procedure for Authorization, which ensures that appropriate senior leadership, such as the Vice-President for Human Resources, or the Dean of the Faculty, is informed in order to authorize access. Senior leaders may consult with the General Counsel, as needed.
Operational Continuity
Middlebury may access information necessary to carry out essential business functions, which may include circumstances of unexpected absence, death or other unavailability.
Authorization to Access Information
Authorization for Access
Under the circumstances outlined above, ITS is authorized to access information.
Scope of Authorization
All information and content created or logged while using a Middlebury technology service, including location data, may be subject to discovery in these cases.
Campus Safety and Emergency Authorization
ITS is authorized to access information in support of campus safety investigations and in emergency situations. Examples of information relevant to campus safety investigations include location information derived from either network or authentication logs.
Emergency access to information needed to reduce a serious threat to a person’s health or safety may be authorized by an appropriate member of the Senior Leadership Group, the AVP of Public Safety, and/or official delegates of the above. The authorizing party is responsible for notifying appropriate offices, after the emergency is resolved, of the actions taken. Notice will ordinarily be given to an identified user within a reasonable period of time, although Middlebury may exercise discretion in such notifications.
Electronic Discovery Authorization
Other than in an emergency, access to identifiable electronic information in connection with a legal or conduct investigation may be authorized by individual account holder(s) subject to investigation, or the following authorities and/or their official delegates:
| Cohort | Authorizing Senior Leader(s) |
| All community members | Dep. General Counsel General Counsel Chief Risk Officer President |
| All staff | VP for Human Resources EVP for Finance and Administration |
| College faculty | Dean of Faculty VP for Academic Affairs EVP for Academics and Provost |
| College students | VP for Student Affairs Dean of College |
| Middlebury Institute faculty | Dean of the Institute VP for Academic Affairs |
| Alumni, Parents, and Friends | VP for Advancement |
| Faculty and Students of the Schools | VP for Academic Affairs Dean of the Schools |
ITS will notify the senior leader about a pending need for authorization. The senior leader is responsible for weighing the needs of Middlebury against the privacy interests of the individual, in the context of applicable legal restrictions, and may take into consideration technological tools utilizing non-consumptive or data analytical techniques. Senior leaders may consult with the General Counsel and others as needed. Information provided under this exception will be limited to the information that is necessary to effectuate the institution’s purpose and must be maintained as confidential to the maximum extent possible.
Authorization to Preserve Information
Middlebury may be compelled, either to protect its own interests, or as part of legal proceedings, to perverse information for an indefinite period.
When so directed by the General Counsel, ITS is authorized to implement technical controls, i.e. litigation holds, to prevent the destruction of data subject to preservation requests.
Authorization for Systems Administration
Monitoring
ITS is authorized to monitor technology services to collect adoption and usage statistics, to monitor the availability and performance of technology services, and for cybersecurity purposes.
Systems Maintenance
ITS is authorized to perform system maintenance when and as needed to ensure the performance, availability, and security of Middlebury technology services.
Necessary Actions
ITS is authorized to take necessary actions, when required, to protect Middlebury technology services from abuse or misuse, including revoking access to services until such issues are resolved. ITS is authorized to disable technology services, if necessary, to prevent them from being abused or misused due to a cybersecurity vulnerability. Such systems will remain offline until the cybersecurity issue is resolved and the impacted systems can be safely returned to service
Authorization for Cybersecurity Operations
Analysis
In order to ensure the security of Middlebury’s technology services and data contained therein, the ITS Information Security team and the ITS Leadership team are authorized to analyze all information created with or by Middlebury technology services. ITS leverages trusted security partners to analyze data flows, including email, for potentially malicious activity. Automated security tools analyze email and document contents for potential security threats and accordingly, either blocking or quarantining content and messages, and raising alerts for the Information Security team to investigate.
Incident Detection and Response
During cybersecurity detection and response operations, Information Security team members are authorized to inspect content specific to the cybersecurity risk being investigated. The ITS Information Security team may, for example, examine the contents of any email messages related to phishing attacks, spam, or other abuses of the email system, including message contents and attached files. ITS and its security partners may also investigate files suspected of being malicious, i.e. infected with malware or containing malicious links.
SUPPORT
Questions about this policy and its application should be directed to the Vice President for ITS and/or the Executive Vice President for Finance and Administration, or the General Counsel.