File Sharing Policy

File Sharing Policy

Wheaton provides a variety of College-managed services to current faculty, staff, and students for storing and sharing college data. The College community should use the following guidelines to determine appropriate file management strategies that optimize usability and collaboration while properly protecting the security of college data.

Caution: Since cloud-based file storage services like Box and Google Drive enable effective collaboration and mobile access, the risk of inadvertent or malevolent disclosure increases accordingly. Thus, users of college data stored in cloud services are responsible for the security of that data. They must be cognizant of the risks, carefully manage who they share the data with, and make sure devices used to access the data are properly secured. For example, when sharing files be careful to restrict access to individuals who have a legitimate need.

File Storage and Sharing Services

ThunderCloud Storage, powered by Box

Thundercloud Storage provides unlimited external cloud storage that allows users to access their filesanywhere, synchronize documents across multiple devices, and share files and folders with collaborators both internal and external to the college community. This service is available to current faculty, staff, and students for managing public, internal, and some categories of confidential data. It may only be used for college-related purposes.

Wheaton File Servers

Academic & Institutional Technology maintains secure on-campus file servers for current faculty and staff to use with all categories of college data. Current students may also get access for specific purposes, such as file storage for lab and research computers. This option is best for highly sensitive college data and applications that require local storage. It cannot be used to share data with colleagues outside the college or for purposes unrelated to the college. Access can be restricted to an individual, a group, or a department. Remote access is possible with Wheaton’s GlobalProtect VPN service. Contact the AIT Service Desk for more information.

Google Apps at Wheaton

Wheaton’s Google Apps for Education provides all undergraduate and graduate students with a robust suite of collaboration and file sharing tools. Students can continue to use their Google account after they graduate. Wheaton faculty and staff, who also have Google accounts, may choose the appropriate file sharing option when collaborating with students (e.g., Blackboard, Thundercloud Storage, or Google). Google @ Wheaton cannot be used for confidential college data.

Usage Guidelines

Use of Wheaton file storage and sharing services must comply with all relevant College policies. Also, college data may only be stored on services provided by Wheaton College. Use the following table to determine the appropriate service based on the type of data being stored or shared.

Data Classification Governing Regulation ThunderCloud Storage Wheaton File Servers Google Examples
Public College Data   Yes Yes Yes Press releases, calendar,maps, course descriptions, directory information
Internal Non-Confidential College Data   Yes Yes Yes Meeting agendas, memos, project documents, budgets, contracts, HR data
Confidential College Data   Yes* Yes No SSNs, driver’s license #s, passport #s, financial account #s, passwords
Personal Identity Information (PII) Illinois State Law Yes* Yes No An individual’s name in combination with their SSN, driver’s license number, or financial account number
Student Education Records FERPA Yes Yes No Grades, transcripts, class schedules, disciplinary records
Private Individual Financial Information GLBA Yes* Yes No Student financial aid information, income tax forms
Credit Card Information PCI DSS No No No Primary Account Number, cardholder name, expiration date, security code
Protected Health Information (PHI) HIPAA No Yes** No Any attribute(s) that uniquely identify an individual, in combination with medical or health information
Human Subjects Research Data Federal Law Yes*** Yes*** No Individually identifiable research data with sensitive information like genetics, physical or mental health, substance abuse, etc.
Export-Controlled Research Data ITAR, EAR No Yes No Some types of research data related to chemical and biological agents, satellite communications, strong encryption technologies, etc.
Other Research Data (w/o PII and not subject to export controls)   Yes Yes No Research data that does not involve human subjects

* Data may be stored in Box, but access from laptops or mobile devices (e.g., tablets and smartphones) must be restricted
to view only (i.e., don't sync, make available offline, or download) unless the device is encrypted, such as with whole disk encryption on a laptop, or a passcode is required to access the files on the device.

** Data must be encrypted.

*** With IRB approval.