Privacy and Security of Files, Data and Communications


Unencrypted personally identifiable information (individual names associated with driver's license, social security, credit card or bank account numbers and access codes) and other confidential information related to College activities must not be stored on individual faculty, staff, or student employee computers, or personally-owned devices. College employees must not reconfigure a College-supplied laptop and personal computer to bypass the prompt for an authorized College username and password upon start-up: passwords must be keyed in, rather than set to be entered automatically. Loss or theft of a College laptop, personal computer, or personally-owned device that may contain institutional data must be immediately reported to ITS.
see also, below: Banner Security Procedures for additional policies & practices related to data integrity and stewardship


The following shall serve to protect the privacy of the Middlebury College community.

1. College computing resources are provided for educational and administrative purposes. We recognize that computing resources will be used for storing and communicating many types of information, including that of a personal nature. Members of the College community are expected to be judicious in their use of computing resources and understand that the College is obligated to inspect these systems for sensitive and malicious content. These resources should never be used for personal for-profit gain, theft, fraud, invasions of privacy, distribution of illegal materials, or distribution of copyrighted or licensed materials without appropriate approval. Individuals bear the responsibility to avoid libel, obscenity, undocumented allegations, attacks on personal integrity, and acts of harassment.

2. Files stored on an individual's computer or on a shared central system or file server are considered private, to be viewed only by the original creator of the files, unless otherwise so designated by the creator. Access to files by others is prohibited without just cause. (See section 5 below.)

2a. Faculty and staff should take steps to assure that documents necessary to the operation of the College are available to those that may require them.

2b. Institutionally-generated, personally identifiable information must not be stored on personally-owned devices.

3. Electronic communications and messages (such as e-mail) are considered private, to be viewed only by the original sender and designated recipient(s). Access to messages by others is prohibited without just cause or permission. (See section 5 below.) We encourage individuals to reinforce this for sensitive files and messages by flagging them as confidential.

3a. As a matter of principle and ethics, individuals bear the responsibility for assuring that e-mail messages, including attachments and previous appended messages, are forwarded only to parties whose interest is consistent with the purpose of and intent of the previous correspondents. If in doubt, obtain the consent of the original correspondents before forwarding.

3b. By its very nature email is not a secure or confidential form of communication. Sensitive or personally identifiable information should not be sent through email without appropriate precautions.

4. Members of the Middlebury College community should be aware of the following considerations:

4a. Data storage and communications are not perfectly secure. There are software and physical limitations that can compromise security. ITS tries to minimize such exposures, but the risks exist.

4b. Mail delivered outside of the College is notably insecure and should be treated like a postcard. Individuals may redirect (forward) their electronic mail to another Internet site off-campus. Unless you know that the intended recipient of an e-mail message has not redirected mail to an off-campus site, you should assume the possibility that others may see the content of the message.

4c. Deletion of files or e-mail messages does not guarantee the inaccessibility of those files and messages. Centrally maintained file-storage devices and mail systems are archived to magnetic tape regularly. These archive tapes are kept for 60 days.

4d. Privacy depends upon individuals keeping their password secure. Anyone using Middlebury College systems must have difficult-to-guess passwords and must not share his or her password with others.

4e. Many off-campus Internet sites may record information you provide and divulge this to others without your prior consent. In some circumstances, information about you, your activities on the remote site, and information about your computer, may be recorded without your knowledge. Some remote Web sites may store information on your computer in the form of hidden files or "cookies." Caution and prudence are advised when providing any information you would consider confidential to unknown third parties.

5. Access to another individual's electronic files and e-mail is permissible only if there is just cause in the following situations:

5a. If the creator of files, or the sender/recipient of electronic mail messages, has granted specific permission for another individual or individuals to view designated files and messages.

5b. In the event of a significant electronic mail system software problem that prevents automatic delivery of electronic mail, e-mail message headers must be read by authorized ITS staff to direct e-mail to the intended recipients.

5c. In the event of a medical emergency or departure (including administrative leave, with or without pay) involving a member of the College community which renders them unable to access files or messages considered essential for the continuation of College business, another individual may access the individual's electronic files and communications under the procedures set forth in section 6 below.

5d. In the event of a need-to-know emergency (suicidal or homicidal threat), access to an individual's files or messages is permitted, following the procedures outlined in section 6 below.

5e. In the event that a local, state, or federal law-enforcement authority in the investigation of a crime, civil litigation, or regulatory proceeding produces a subpoena, discovery request, or warrant granting access to files or messages, following the procedures outlined in section 6 below.

5f. In the event of a financial or legal audit, following the procedures outlined in section 6 below.

5g. In cases of suspected; violations of ITS policies, unauthorized activity, abuse of College-owned computing resources, compromises of College-owned computing systems, exposure of extremely sensitive and/or confidential data (ESD), and/or in the event that compliance or regulatory requirements mandate that systems be inspected for sensitive or malicious content, ITS may take appropriate measures to mitigate any risks or threats to the College’s resources and reputation. It is important to note that:

  • College-owned computing devices and College-provided computing services require ongoing monitoring and management to ensure that they are functioning properly; to guard against  unauthorized access, abuse, and misuse; to protect against viruses, worms, malware, and adware; and, ultimately, to safeguard the integrity and security of information contained therein. College-owned computing devices and College-provided computing services require periodic and regular maintenance, for example, to fix known security issues and/or implement new functionality. In support of these operations, ITS may scan or otherwise access files on College-owned computing devices and College-provided computing services as necessary, given that proper precautions are observed to limit the scope of such access solely to the task at hand and to respect the privacy of individuals using said devices and/or services.

  • Any device attached to a College-owned computing system may be scanned for the presence of potentially malicious content and for the presence of Extremely Sensitive Data (ESD), as defined in the Middlebury’s Data Classification Policy. ITS leverages automated tools to regularly audit system processes, files and messages on College-owned computing devices and/or within College-provided computing services. Files exposed by any online service that is accessed from a College-owned computing system may similarly be scanned for the presence of malicious content or ESD. Examples on devices that may be scanned for both malware and ESD include removable storage devices, such as USB flash memory devices, smart phones, and tablets. Examples of online services that may be scanned for malware or ESD, if accessed from a College-owned computing system, include popular online file sharing, storage, and backup services

5h. In any other instance, no access is granted to an individual's electronic files or messages without prior review and approval by the appropriate body as indicated in section 6a below.

6. Emergency access to another individual's electronic files and messages is granted only under conditions noted in section 5 above.

6a. Before invoking any such procedure, the circumstance creating the need for access shall be reviewed in a timely fashion, access shall not take place without approval, and specific procedures and strictures may be recommended for each circumstance. The persons involved in the review and approval process will vary depending upon the individual involved:

  • Human Resources will assume review and approval responsibility in cases involving a faculty or staff member.
  • The dean of the College or the appropriate Commons dean will assume review and approval responsibility in cases involving a student.
  • ITS will work with the departments mentioned above to determine if the needs of the College or third party requesting access outweigh the privacy needs of the individual.

6b. A neutral third party (not the person's supervisor, adviser, or teacher) shall examine files and messages on the individual's computer, mailbox, or file-server space and provide only the specifically requested file(s) or message(s) to the requester.

6c. The student, staff, or faculty member will be notified that access has been granted to his/her files or messages unless there is sufficient and compelling reason not to have done so.

6d. No other files or messages may be copied, transferred, or forwarded.

7. The ITS personnel charged with the administration of the College's computing systems and file servers take their obligations to protect individuals' privacy very seriously. The professional standards consistent with positions that require select individuals to have access to personal and sensitive information are strictly enforced. In accordance with general College policy, inappropriate use, access, or sharing of confidential information is grounds for summary discharge of employment. (see the section on summary discharge in the Employee Handbook)

8. Middlebury College has procedures, protocols and training programs for employees to optimize privacy and security of financial transactions and personal information in compliance with the Gramm-Leach-Bliley Act. (see also Banner Security Procedures below).

9. These policies are subject to change only as may be reasonable under the circumstances.


Banner information systems are an integral part of the mission of Middlebury College. The college has made a substantial investment in human and financial resources to obtain and manage these systems. The following procedures have been established to protect this investment and the good reputation of the college; to develop data stewardship to safeguard the information contained in these systems; and to enhance the fulfillment of the mission of the college.

ITS staff members are responsible for the administration of these security procedures, in accordance with all college information policies dealing with security, access, and confidentiality of college records.

Statement of responsibility

All users of Banner, BannerWeb, and applications that depend on Banner data (such as Hyperion and Resource25) are required to comply with these security procedures.

Central Systems and Network Infrastructure (CSNS) responsibilities

CSNS shall be responsible for the administration of all access controls for Banner. CSNS will process adds, changes, and deactivations to user accounts upon receipt of a written request from the end user's supervisor or manager. (See sections titled Request for user access process and Access deactivation process.) Requests to add or change access must include all required approvals for the appropriate level of access. Requests to deactivate access may be processed by an oral request from Human Resources prior to the receipt of the written request. Records of all processed access requests will be maintained in a secure area.

Employee responsibilities

An employee who uses Banner or applications that depend on Banner data shall:

  • Ensure that all Banner access requested and used is for professional reasons and they are required for their productivity.
  • Use and protect their own account passwords and privileges, and not share those with other employees or non-employees.
  • Be responsible for the content of all Banner data that is placed over the Internet or sent through email.
  • Know and abide by all college information policies dealing with security and confidentiality of college records.
  • Avoid transmission of nonpublic Banner information. If it is necessary to transmit nonpublic information, employees are required to take steps reasonably intended to ensure that information is delivered securely to the proper person who is authorized to receive such information for legitimate college use.

Supervisor and manager responsibilities

Supervisors and managers shall:

  • Ensure that all appropriate personnel are aware of and comply with these security procedures.
  • Provide appropriate data stewardship in their areas of responsibility.
  • Work with the Banner systems administrator to create and validate proper authorizations for Banner data access for current and new employees.
  • Create appropriate control practices, standards, and methods designed to provide reasonable assurance that all employees observe these security procedures.
  • Provide appropriate support and guidance to assist employees in fulfilling their job responsibilities under these security procedures.

HR (Human Resources) responsibilities

HR will notify CSNS of employee transfers and terminations biweekly, or as soon as necessary. Involuntary terminations will be reported concurrent with the termination.

Data stewardship

Data stewardship has as its main objective the management of the college's data assets in order to improve their usability, accessibility and quality. This is accomplished through the role of the data steward. The primary data stewards are the department heads, or their designates, who have planning and policy level responsibility for data within their areas, and management responsibilities for defined segments of the institutional data. In the simplest terms, the data stewards could be said to be the owners of the data. Currently, data stewardship is the responsibility of the Banner functional leads and their designates, and the Data Integrity Group members.

It is the data stewards' responsibility to develop consistent data definitions, develop and adhere to data standards created by the institution, document the business rules of their area, monitor the quality of the data input and output from the Banner systems they use, define security requirements, work with other data stewards on integration requirements, and communicate critical uses of data on which other departments depend. As data are developed, the data stewards assure that storage and access of the data is appropriately managed. This shall include the classification of all forms, views, reports and all other forms of access in which this data is expressed.

The data stewardship function shall have one or more data stewards assigned to each major data subject area. These subject areas consist of the major Banner modules, comprised of Finance: Controller's Office, Accounts Payable, Accounts Receivable, Purchasing, Budget Office; Human Resources: Payroll and Position Control; College Advancement and Development; Student Systems: Admissions and Recruiting, Catalog, Schedule and Location Management, Registration, Academic Records and History, Fees and Billing, Faculty Load, and Housing; and Financial Aid. The College also maintains and develops custom applications that are designed and integrated with Banner which also require data stewardship, including Vehicle Registration and Ticketing, and College Driver License systems for Public Safety.

Oracle security requirements for Banner

Security classes and class ownership

Banner security is designed and implemented based on inherent characteristics of Oracle database security, including password management, object privileges, security roles, and grants. Banner maintains security classes that enable Oracle roles containing specific object privileges. These security classes allow the college to implement a distributed security model based on security class ownership of specific Banner functionality and data. The functional lead or a designated data steward shall be the security class owner who controls all access requests for the security class.

Each Banner module and functional area shall design a set of security classes which define all forms used within their module or area and the access type of either Query (view only) or Maintenance (adds, changes, inserts, and deletes). In addition to Oracle database security implemented in Banner security, some of the modules provide system specific security at the form level. This allows the college to maintain security by fund and organization code, employee class code, and/or salary range. Details on the design and definition of Banner security are available in the Banner Technical Reference Manuals.

Security classes can be designed based on the following access types:

  • Administrator, Maintenance access—an administrator with global access to tables and forms for administration purposes in a given module, allows view and change (updates, inserts, and deletes)
  • Internal user, Query access—a selection of relevant forms, allows view only
  • Internal user, Maintenance access—a selection of relevant forms, allows view and change
  • External user, Query access—a selection of relevant forms for individuals outside of a given functional area, allows view only
  • External user, Maintenance access— a selection of relevant forms for individuals outside of a given functional area, allows view and change
  • Student user, Maintenance access—a limited selection of relevant forms for data input

In general, a user may have multiple security classes assigned to him/her, rather than developing a custom security class to meet the needs of an individual, or sporadically adding individual forms to a given user account to create a completely custom profile for each person. For example, the gift processing department manager in Advancement may need the External user, Query access type for budget forms to review the department's budget; the Internal user, Maintenance access type for Advancement gift processing to assist with inputting gift data; and the Internal user, Query access type for Advancement for donor-related information to see but not modify relevant information related to donors.

User accounts

To use the Banner client software or BannerWeb a user must have an Oracle user account in the appropriate databases in accordance with their job function. During the implementation phase of any Banner module, a user may have multiple user accounts in the Production, Pre-Production, Practice, Training, and Development databases. All Oracle user accounts for Banner are managed by the Banner systems administrator.

Access control

The data access type and security classes appropriate to the user shall be approved by the functional lead or the data steward of the functional area before the user account can be established or maintained. In some areas the security class maintenance function is performed by the technical or functional lead in accordance with special administration rights granted by the Banner systems administrator. Questions about the different data access types for security classes should be directed to the Banner systems administrator.

Oracle security requirements for Hyperion and other applications using Banner data

Security roles and role ownership

Each Banner module and functional area shall design a set of Oracle security roles that define object privileges on all tables, views, object access views, and custom views used within the module and the access type of either Select—allows query for reporting only; or Update, Insert, and Delete—allows data to be changed and is restricted to Technical Leads for conversion and special purposes. These security roles allow the college to implement a distributed security model based on security role ownership of specific Banner data. The functional lead or a designated data steward shall be the security role owner who controls all access requests for the security role. In addition to Oracle database security, some of the Banner views provide system specific security at the view level using functions that filter the data so that only the appropriate data is shown to the user. This allows the college to maintain security by fund and organization code, employee class code, cashiering, and/or salary range.

To use other applications such as Toad and SqlPlus a user must have an Oracle user account, or an authorization to an existing Banner schema account such as is needed for system or application development. All authorizations to existing Banner schema accounts are granted by the Banner systems administrator. No Middlebury College student or employee should ever request from another member of the community a Banner schema password. If someone requests a Banner schema password for a College computer or account, refer the user to this policy, or have the user contact the ITS Help Desk,

User accounts

To use Hyperion applications, a user must have both an Oracle user account with security role grants and an Hyperion account. The Oracle user account is granted the appropriate security roles by the Banner systems administrator.

Access control

The Hyperion product type and security roles appropriate to the user shall be granted by the functional lead or the data steward of the functional area. Questions about the different data access types for security roles for Hyperion products can be directed to the reporting specialist for the area, the Hyperion system administrator, the DBA, or systems administrator.

Request for user access process

A basic form is provided to all functional leads which they submit for each new employee, or changes in positions/responsibility for existing employees. If an employee leaves one area and begins working in another, a termination form MUST be submitted by the original area, and a new employee form submitted by the new area to guarantee that permissions from one don't "linger" into the new area.

Steps to create user access:
- if new employee, network access created first
- must have written request
- create Oracle user account
- grant security classes
- if Hyperion needed, must have written request
- grant access to user account to Hyperion
- Functional Lead grants security roles
- if employee needs system level security (Fund/Org, Eclass, etc.) send to appropriate data steward for setup

Access deactivation process

HR will send a written request to CSNS for an employee's access to be deactivated due to transfer or termination with the effective date. On the effective date, and within 24 hours of the employee's official separation from the college, the Oracle user account and BannerWeb access will be expired and disabled. Some level of access detail information is retained for audit purposes. Timeliness is essential to prevent any unauthorized access to data, therefore HR also submits this information to LIS to guarantee that both internal and external users of a Banner module are also removed from the system in a timely manner.

Security assessment

Each functional area has a clearly defined set of Banner security classes that is readily available for review and stored in a location that is available to said area, as well as appropriate systems management staff. Each area reviews the definition of their classes at least annually, and at the time of a system upgrade, to guarantee definitions are still appropriate, and that newly delivered forms are assigned to appropriate classes. Each functional area is required to review and sign off on their Banner security classes each year.

At least twice a year, the functional lead representing each module of Banner receives from the Banner systems administrator a printed report of all users who currently have access to some portion of their data and the roles assigned. Functional users are REQUIRED to review this information, sign off, and return this to the Banner systems administrator to keep on file. Receipt of this report is the final "catch all" particularly for users perhaps outside of the functional lead's primary area. Before returning to the systems administrator, the functional lead determines that those external to their primary area are still employed similarly and need access similar to what had been originally granted. Changes are typically fairly limited, as the termination protocol should capture these changes immediately. Non-receipt of this important documentation may result in user account terminations.