File Sharing Policy
Wheaton provides a variety of College-managed services to current faculty, staff, and students for storing and sharing college data. The College community should use the following guidelines to determine appropriate file management strategies that optimize usability and collaboration while properly protecting the security of college data.
Caution: Since cloud-based file storage services like Box and Google Drive enable effective collaboration and mobile access, the risk of inadvertent or malevolent disclosure increases accordingly. Thus, users of college data stored in cloud services are responsible for the security of that data. They must be cognizant of the risks, carefully manage who they share the data with, and make sure devices used to access the data are properly secured. For example, when sharing files be careful to restrict access to individuals who have a legitimate need.
File Storage and Sharing Services
ThunderCloud Storage, powered by Box
Thundercloud Storage provides unlimited external cloud storage that allows users to access their files anywhere, synchronize documents across multiple devices, and share files and folders with collaborators both internal and external to the college community. This service is available to current faculty, staff, and students for managing public, internal, and some categories of confidential data. It may only be used for college-related purposes.
Wheaton File Servers
Academic & Institutional Technology maintains secure on-campus file servers for current faculty and staff to use with all categories of college data. Current students may also get access for specific purposes, such as file storage for lab and research computers. This option is best for highly sensitive college data and applications that require local storage. It cannot be used to share data with colleagues outside the college or for purposes unrelated to the college. Access can be restricted to an individual, a group, or a department. Remote access is possible with Wheaton’s GlobalProtect VPN service. Contact the AIT Service Desk for more information.
Google Apps at Wheaton
Wheaton’s Google Apps for Education provides all undergraduate and graduate students with a robust suite of collaboration and file sharing tools. Students can continue to use their Google account after they graduate. Wheaton faculty and staff, who also have Google accounts, may choose the appropriate file sharing option when collaborating with students (e.g., Blackboard, Thundercloud Storage, or Google). Google @ Wheaton cannot be used for confidential college data.
Use of Wheaton file storage and sharing services must comply with all relevant College policies. Also, college data may only be stored on services provided by Wheaton College. Use the following table to determine the appropriate service based on the type of data being stored or shared.
|Data Classification||Governing Regulation||ThunderCloud Storage||Wheaton File Servers||Examples|
|Public College Data||Yes||Yes||Yes||Press releases, calendar,maps, course descriptions, directory information|
|Internal Non-Confidential College Data||Yes||Yes||Yes||Meeting agendas, memos, project documents, budgets, contracts, HR data|
|Confidential College Data||Yes*||Yes||No||SSNs, driver’s license #s, passport #s, financial account #s, passwords|
|Personal Identity Information (PII)||Illinois State Law||Yes*||Yes||No||An individual’s name in combination with their SSN, driver’s license number, or financial account number|
|Student Education Records||FERPA||Yes||Yes||No||Grades, transcripts, class schedules, disciplinary records|
|Private Individual Financial Information||GLBA||Yes*||Yes||No||Student financial aid information, income tax forms|
|Credit Card Information||PCI DSS||No||No||No||Primary Account Number, cardholder name, expiration date, security code|
|Protected Health Information (PHI)||HIPAA||No||Yes**||No||Any attribute(s) that uniquely identify an individual, in combination with medical or health information|
|Human Subjects Research Data||Federal Law||Yes***||Yes***||No||Individually identifiable research data with sensitive information like genetics, physical or mental health, substance abuse, etc.|
|Export-Controlled Research Data||ITAR, EAR||No||Yes||No||Some types of research data related to chemical and biological agents, satellite communications, strong encryption technologies, etc.|
|Other Research Data (w/o PII and not subject to export controls)||Yes||Yes||No||Research data that does not involve human subjects|
* Data may be stored in Box, but access from laptops or mobile devices (e.g., tablets and smartphones) must be restricted
to view only (i.e., don't sync, make available offline, or download) unless the device is encrypted, such as with whole disk encryption on a laptop, or a passcode is required to access the files on the device.
** Data must be encrypted.
*** With IRB approval.