Tufts Enterprise Box Service Use Policy

Purpose

This policy describes the services and the appropriate uses of the Tufts Enterprise Box service.

Scope

All users of the Tufts Enterprise Box service.

Policy Statement

Purposes of Service
The Tufts Enterprise Box service is a centrally provisioned cloud service that allows users to easily share and collaborate on files and other documents with people inside and outside of Tufts. You can access your Box account using your Tufts Username (UTLN) and Tufts Password.

Service features include:

  • Sharing files with team members
  • Syncing files between devices
  • 20GB of storage allocated per person (5GB maximum for individual files).

Box is intended to supplement—but not replace—existing Tufts services and systems such as Trunk, Network Storage, or eLists.

Box accounts are provisioned for a specific Tufts username associated with a @tufts.edu email address. Never share these credentials to share documents or mimic a group account on the Tufts Box service.

A more extensive description of the service is available on the Cloud Data Storage (Box) service page.

Definitions
Institutional Data: All information that is created, collected, licensed, maintained, recorded, used, or managed by the University, its employees, and agents working on its behalf, regardless of ownership or origin.

Institutional Systems: The electronic and physical systems owned or licensed by Tufts University that are used to store and access institutional data. Tufts University considers the Tufts Enterprise Box service an Institutional System.

Terms of Service and Related Policies
By creating a Tufts Enterprise Box service account, you agree to the Tufts Enterprise Box Terms of Service. Box will take down data and/or accounts if data are flagged as unlawful or otherwise in violation of the Box Terms of Service. When using the Tufts Box service, users must comply with the Information Stewardship Policy and other appropriate Tufts policies.

This policy supports—and does not supersede—the Tufts Enterprise Box Terms of Service, the Information Stewardship Policy, or other applicable Tufts policies.

Responsibility
As noted in the Information Stewardship Policy, “members of the Tufts community are expected to responsibly maintain and use institutional data regardless of the resource used to access or store the data—whether an institutional system, a privately owned resource, or a third-party resource.” Thus, users are expected to responsibly maintain and use institutional data that they store on the Tufts Box service or sync onto any personal device.

Employees are responsible for moving Tufts institutional data to a different Tufts storage environment before they depart the University.

Appropriate Types of Institutional Data
The Information Classification and Handling Policy includes a four-level confidentiality classification scheme for institutional data. Based on this classification scheme, Table 1 below outlines the types of institutional data that are appropriate for storage and use on the Tufts Box service.

Use caution when storing FERPA-covered data on Box. If you have questions on applicability, consult with your information steward for guidance. See Notes, Level 1: Regulated Institutional Data, Table 1 for details on storing FERPA data in Box.

Table 1. Acceptable Types of Data on Tufts Box

Level 1: Regulated Institutional Data

Acceptable on Tufts Box: No

Description: Institutional data that is governed by privacy or information protection requirements articulated by law, regulation, contract, binding agreement, or industry requirements.

Examples:

  • Institutional data with social security numbers, state ID numbers, or financial account information governed by Massachusetts data privacy regulations.
  • Student records governed by FERPA.
  • Records with protected healthcare information governed by HIPAA.
  • Credit card data governed by PCI data security standards.
  • Data covered by nondisclosure agreements and other formal usage arrangements.

Notes:

  • FERPA-covered data ranges in sensitivity from student files to individual papers and tests. In some cases FERPA-covered data may be stored on Tufts Box. Ideally, a department, program, or school should arrive at a consensus of best practices for what types of FERPA-covered data can be stored on Tufts Box.
  • Storing documents containing records on large groups of students is discouraged. Individual papers, tests, and other documents are less of a concern.
  • Institutional data concerning student disciplinary actions or counseling cannot be stored or used on Tufts Box.

Level 2: Confidential Institutional Data

Acceptable on Tufts Box: Yes, with caution

Description: Institutional data that is meant for a very limited distribution—available only to members of the Tufts community on a strictly need-to-know basis.

Examples:

  • Personnel files.
  • Compensation data.
  • Tenure and promotions files.
  • Accounts payable records.
  • Vulnerability and audit reports.
  • Data related to a patentable invention.

Notes:

  • Only sync (or download) Confidential Institutional Data stored on Box with devices and machines that are well managed and protected.

Level 3: Administrative Institutional Data

Acceptable on Tufts Box: Yes

Description: Institutional data that is meant for a limited distribution; available only to members of the Tufts community that need the institutional data to support their work.

Examples:

  • Internal memos and emails.
  • Planning documents.
  • Logs and audit trails.

Level 4: Public Institutional Data

Acceptable on Tufts Box: Yes

Description: Institutional data that is meant for members of the Tufts community and in some cases wide and open distribution to the public at large.

Examples:

  • Limited to Tufts Community: Licensed library resources, licensed software.
  • Wide and Open Distribution: Publications, press releases, information posted on and meant for open websites.

Notes:

  • Use caution when looking to store licensed resources on Tufts Box. Ensure that this does not violate any terms of service.

Privacy and Confidentiality
As noted in the Use of Institutional Systems Policy, “use of institutional systems is not ultimately private.” This applies to the Tufts Enterprise Box Service.

Personal Use
Use of a Tufts Box account may include storing modest amounts of personal use data, insofar as it does not interfere with Tufts business or violate the Box Terms of Service, this policy, or any other applicable Tufts policy. As noted in the Use of Institutional Systems Policy, managers have the authority to limit the personal use of institutional systems. Such personal use cannot involve access to confidential data, interfere with work responsibilities, or place an undue burden on institutional systems. This includes the Tufts Box service.

Review Entities

University Information Technology
Digital Collections and Archives

Approval Date

January 25, 2013

Effective Date

January 25, 2013

Executive Sponsor

David Kahle, Vice President for Information Technology and Chief Information Officer

Policy Managers

Tufts Technology Services / Information Security
Tufts Technology Services / Enterprise Services
Digital Collections and Archives

Responsible Offices

University Information Technology / Enterprise Services
Tufts Enterprise Box Service operations

University Information Technology / Information Security
Digital Collections and Archives
Data classification

For general questions about using the Tufts Enterprise Box Service, contact your IT support group.

Revision

The University reserves the right to change this policy from time to time. Proposed changes will normally be developed by the policy managers with appropriate stakeholders. The review entities have sole authority to approve changes to this policy.

Review Cycle

Annually or as needed

Related Policies

Tufts Enterprise Box Terms of Service
Information Classification and Handling Policy
Use of Institutional Systems Policy
Information Stewardship Policy