Technology Use and Access Policy

The cultivation of mind and heart anchors every activity and directs all the operations of Hillsdale College. Its electronic resources share this purpose. The College extends these resources to students in the understanding that they are to be employed honorably, wisely, and in accord with the College Mission. The policy outlined below helps clarify how this is done and what parameters govern the use of the electronic tools made available by the College.

For the most part, common sense, established law, and the Student Honor Code supply the guidelines for appropriate use of College information systems. Some particulars concerning e-mail and internet use, file storage, and personally-owned devices are addressed in this policy, as are those limited circumstances that could require the College to access user information. In all cases and uses, these electronic tools exist to reinforce the partnership of the College in pursuit of the good and to strengthen the bonds between its members.

I. Acceptable Use of Email

The electronic mail system is intended for use related to College life and activities. The College recommends that students use a personal email account for other correspondence.

The rules for using the College’s email system are:

• Do not send or solicit email messages with content that violates the Hillsdale College Honor Code or Regulations for Proper Student Conduct.
• Do not include confidential or sensitive material (such as Social Security and bank account or credit card numbers) in email messages.

• Do not send materials that are subject to copyright, trademark, or other proprietary rights.

• Do not send unsolicited messages network-wide or to large groups of people without prior approval by the Student Deans or the Vice President for Student Affairs.

II. Acceptable Use of Internet

Internet Access and System Security

The College has provided internet access primarily to facilitate communication and information related to College life and activities. The College has taken precautions to deter hacking and protect College devices and data. However, no automated precautions are completely reliable. User diligence is crucial to maintaining a safe and secure computing environment. The College encourages students to stay informed about cybersecurity best practices. To assist student users in practicing diligence, cybersecurity training is available on demand in the College’s Canvas learning management system. Participation in available training is highly recommended to protect both personal and College information and systems.

You can help prevent breaches of system security by observing the following rules:

• If you are issued a College username and password: 
  • Use appropriate password complexity—e.g., use a minimum of 15 characters that can include a combination of uppercase or lowercase letters, numbers, and special characters.
  • Consider using a long string of words, also known as a “passphrase” (e.g. ilikegoingtotheseashore) for added security.
  • Periodically change your password and avoid reusing old passwords.
  • Use a different password for every login account.
• If anyone asks you for your password, do not disclose it and immediately report this to the Information Technology Services (ITS) Help Desk.
• Take the appropriate precautions to protect sensitive material, such as not using the College email system to email confidential data.
• Avoid clicking links in emails you are not expecting.
• Log out of or turn off your computer or a College device/system when you will be away from the device/system for an extended period of time.  

Unacceptable Use

Certain internet use can create significant risks of liability or threats to the College. Certain internet use can also disrupt academic or other legitimate College interests. Internet uses that create such problems are prohibited. 

Any unacceptable use of College Information Systems, including the internet, can lead to discipline. “College Information Systems” refers to all services, applications, networks, and devices owned, provided, or administered by any department of the College, including email services, internet access, file servers, software or apps, voice message services, storage devices and services, laptop and desktop computers, phones and other mobile devices, and usage and access logs.

The following non-exhaustive list provides some examples of unacceptable use:

• Any use that would violate the Hillsdale College Honor Code or the Regulations for Proper Student Conduct.
• Any attempt to circumvent the College’s computer security measures, including unauthorized use or disclosure of passwords.
• Any cryptocurrency mining.
• Any unauthorized use of proprietary materials.
• Downloading software to College-owned devices from the internet without authorization from Information Technology Services.
• Downloading Sensitive College Information to a personal device without express permission from appropriate College personnel. “Sensitive College Information” means data that an ordinary person or nonprofit institution would expect to be protected from disclosure. Such information includes donor data of any kind in any format, private student information, data protected by the Health Information Privacy and Affordability Act of 1996 (HIPAA), information about College faculty and staff, trade secrets, copyrights, patents, information from any confidential investigation, and any other information that is labeled confidential or that a reasonable person should expect to be confidential.
• Any activities that interfere with the abilities of others to use College Information Systems.
• Sending unsolicited communication to a large undifferentiated group of recipients.

III. File Storage

The College provides electronic file storage space for students. Content stored in this space should comply with all restrictions of this and other related policies. You are responsible for the safekeeping and maintenance of appropriate levels of confidentiality for User Electronic Information stored in this space. “User Electronic Information” or “User Information” refers to documents, communications, emails, text or imaged documents, voicemails or text messages, other electronic information, and associated metadata, which are generated by or created or received on College Information Systems and located in files, logs, and accounts associated with a particular student user.

When handling Sensitive College Information, if there is any question in your mind as to where data is being stored and who has access, please verify your assumptions with Information Technology Services. The College cannot guarantee the security of any files or information stored on the storage space it provides; you store such information on College storage space at your own risk.

IV. Security of Personally-Owned Devices That Access or Maintain Sensitive College Information

It may at times be necessary for you to access or maintain Sensitive College Information on personally-owned devices, such as phones, computers, or other electronic devices. There is a risk of data loss or unauthorized access when Sensitive College Information is accessed or maintained via self-managed personally-owned devices. Students who access or maintain Sensitive College Information must secure such data by properly self-managing the privacy and security settings on their personally-owned devices.

Sensitive College Information shall be accessed or maintained on personally-owned devices only when necessary for the performance of College-related duties and activities. Each user shall take all required, reasonable, and prudent actions necessary to ensure the security and retention of Sensitive College Information.

Device Security

All student users shall maintain up-to-date, device-appropriate security safeguards and follow the policies, standards, and guidance provided in this policy, as well as comply with appropriate safeguards required by state and federal law and regulations. In addition, the College or individual departments may require that specific security settings or software to protect Sensitive College Information be installed and maintained on the device.

Information Return and Deletion

Student users shall return or delete Sensitive College Information maintained on personally-owned devices upon request from the College or when his or her role or employment status changes such that he or she is no longer authorized to access that information.

Incident Reporting

If your personally-owned device that accesses or maintains Sensitive College Information is lost, stolen, has been subject to unauthorized access, or otherwise compromised, the incident must be reported to Information Technology Services within 24 hours.

Device Inspection

In the course of an incident investigation, the College reserves the right to inspect a personally-owned device that accesses or maintains Sensitive College Information. Any access to a personally-owned device will be carried out in accordance with this policy.

V. Reasons for College Access of User Electronic Information

The paragraphs below describe the purposes for which the College may access User Electronic Information. While this list is expected to cover most instances of access, the list is not exhaustive.

System Protection, Maintenance, and Management

College Information Systems require ongoing maintenance and inspection to ensure they are operating properly; to protect against threats such as attacks, spyware, malware, and viruses; and to protect the integrity and security of User Electronic Information and College information in general. College Information Systems also require regular management in order to maintain or implement software or other capabilities. To manage College Information Systems properly, ITS staff may scan or otherwise access User Electronic Information.

Business Continuity

User Electronic Information may be accessed for the purpose of ensuring continuity in business operations. For instance, this need can arise if a student who typically has access to requested files is unavailable due to illness or vacation or has departed from the College.

Safety Matters

The College may access User Electronic Information and personal devices to protect against threats to the safety of the College or to the life, health, or safety of any person.

Legal Process and Litigation

The College may access User Electronic Information (1) in connection with threatened or pending litigation, law enforcement investigations, or other government investigations; (2) to identify and disclose information as required by law or legal process; (3) to investigate or assist in the investigation of unlawful activity directed at the College or a member of the College community, and (4) to investigate or assist in the investigation of unlawful activity by a student or a student employee.

Internal Investigations

The College may access User Electronic Information during internal investigations, such as when investigating an allegation of student misconduct.

VI. Authorization of College Access of User Electronic Information

Student users themselves may authorize access to their User Electronic Information. Information Technology Services personnel also may access User Electronic Information to conduct routine system protection, maintenance, and management. Access that does not fit into these categories should be handled as follows:

• Two College vice presidents must authorize access. Any authorization of access shall apply only to the particular situation and user(s). Any subsequent access must be separately authorized.
• When evaluating an access request, the two vice presidents will carefully consider the stated reasons for access in light of the College’s commitment to maintaining a trusted partnership with its students.
• The College will use reasonable efforts to ensure that access will be limited to the User Electronic Information needed to accomplish the purpose for the access. If in the course of such access, the College discovers separate and distinct violations of College rules, the College may in its discretion investigate these for separate discipline and action.