Tufts Box Use Guideline

Purpose
This Guideline describes the Tufts Box service and its appropriate use. The following sections describe the data that can be stored in Tufts Box and the conditions that apply to storing different types of data. By reviewing this Guideline, you will become familiar with the university’s requirements for using the Tufts Box service.

Scope
All users of the Tufts Box service.

Purposes of Service
The Tufts Enterprise Box service is a centrally provisioned cloud service that allows users to easily share and collaborate on files and other documents with people inside and outside of Tufts.

Service features include:

  • Sharing files within and among departments and project teams
  • Syncing files between devices
  • Storing files, with storage capacity allocated per person and for individual files. If needed, additional capacity may be requested by contacting the TTS Service Desk.

You must always use your own credentials (Tufts Username and Tufts Password) to access your Tufts Box account, whether using the Box service to store documents for your own use or to share files with others. Individual credentials may not be shared. Groups may work with Tufts Technology Services to form groups to simplify management of files.

Box Terms of Service
By creating a Tufts Box account, you agree to the Tufts Enterprise Box Terms of Service. Box will take down data and/or accounts if data are flagged as unlawful or otherwise in violation of the Box Terms of Service.

Related Policies
When using the Tufts Box service, users must comply with the university’s Business Conduct Policy, the Information Stewardship Policy, and all other applicable Tufts policies. This Guideline supports—and does not supersede—the Tufts Enterprise Box Terms of Service, the Business Conduct Policy, the Information Stewardship Policy, and all other applicable Tufts guidelines and policies.

Responsibility
As provided in the Information Stewardship Policy and the Tufts Cloud Computing Services Policy, users are required to responsibly and securely maintain and use institutional data that they store on the Tufts Box service, sync onto any device or share through the service.

Definition of Institutional Data
Institutional data: All information that is created, collected, licensed, maintained, recorded, used, or managed by the University, its employees, and agents working on its behalf, regardless of ownership or origin.

Storing or Sharing Institutional Data using the Tufts Box Service
All institutional data may be stored or shared using the Tufts Box service, except:

  1. Data subject to Export Control Laws and Regulations
  2. Credit and Debit Card Numbers and other related data
  3. When storage and/or sharing of the data in Box or a cloud-based service is prohibited by:
    • A university, departmental or other policy or guideline
    • An agreement, contract or other restriction
    • An applicable law or regulation

Examples of types of data that may now be stored and shared using the Tufts Box service, subject to item 3 (immediately above), are:

  • Government issued identification numbers, financial account numbers and Biometric Indicators, including these types of data as regulated by the Massachusetts Data Privacy Laws
  • Educational records subject to nondisclosure regulation by the Family Educational Rights and Privacy Act (FERPA)
  • Protected Health Information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA)

Security Practices and Procedures when using Tufts Box Service.

Comply with Practices and Procedures
When using the Tufts Box service, follow the practices and procedures set forth below and in Box Collaboration & Sharing Security Tips and Box Sync Security Tips.

Comply with All Applicable Requirements

  • Comply with the requirements imposed by the laws, regulations, policies and other standards applicable to the specific type of information, whether regulated, confidential, administrative or public institutional data. Laws, regulations, policies and standards include Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), the Massachusetts Data Privacy Laws and Regulations, and the Payment Card Industry Data Security Standard (PCI DSS).
  • Comply with all local policies and practices for your unit, office or department. These policies and procedures may impose additional restrictions.

Sharing and Syncing Folders

  • Routinely review and revise the access privileges to each Box folder. The Tufts Box service provides clear information showing who has access to a folder and the scope of their access.
  • Consider carefully the access granted to each Box folder. Limit a folder’s access to those persons with a need to know the information for a university purpose. Give your folder collaborators only the permissions they need to do their university work and no more.
  • Do not sync a Box folder with, or download information from Box onto, a device, including a laptop, tablet or mobile phone, unless there are strong controls on the endpoint device. Box permits only users with owner, co-owner or editor access to sync Box folders. The syncing capability and the need for strong controls on the endpoint device are important considerations when choosing an access level. See Box Sync Security Tips.

Shared Link Permissions

  • Box Collaboration & Sharing Security Tips provides guidance on sharing links to a Box folder or document in a Box folder. The Box settings for links control the scope of access to the folder or document. Review these settings before giving a shared link to a collaborator.

Recommended Folder Conventions

  • It is strongly recommended that regulated institutional data be stored in separate, higher-level folders from folders containing less sensitive information.
  • Consider using naming conventions that clearly identify folders that contain sensitive data.

Providing for Access to Box Folders in the event of Employment and other Terminations

  • Every user of the Box service, whether an employee or another person associated with Tufts, who uses the service for institutional data assumes a responsibility to ensure that the institutional data will continue to be accessible to appropriate employees and others in the event the Box user ceases to be employed or otherwise associated with Tufts.
  • Every user is encouraged to consider sharing Box folders that contain important institutional data with at least one other Tufts employee or other Tufts person. The use of groups to manage folders can aid significantly in enabling transitions of access to folders when needed.
  • Prior to leaving the university, a Box user must review the ownership and access of all Box folders and either transfer the documents to another location in Box or elsewhere that is accessible to the appropriate persons or provide for those persons to have access to the user’s Box folders.
  • Managers are responsible for confirming with each person who is leaving the university that he or she has taken the necessary steps to assure access to all Box folders containing institutional data controlled by that person.

Prohibited Use of Box Service other than Tufts Box Service
This Guideline applies only to the Box service provisioned for Tufts. Do not place Tufts institutional data in Box folders that have been provisioned for another organization or are your personal Box folders.

Third Party Applications used in conjunction with Tufts Box Service
This Guideline applies to the Tufts Box service. Neither the Tufts Enterprise Box Terms of Service nor this Guideline authorizes the use of any software applications that third parties have created that allow users to access and use functionality and features of the Box Service (Third Party Apps) for institutional data, other than applications authorized by Tufts Technology Services. If you have a need to use a third party application with the Tufts Box service, you may provide TTS with information about the application and request TTS to review and approve the application’s use. Requests for a review of a Third Party App may be submitted to the TTS Service Desk.

Other Cloud Based Services
The Tufts Cloud Computing Services Policy restricts and in some cases prohibits the self-provisioning of other cloud-based services for use with institutional data.

Personal Use of Tufts Box Service
It is strongly recommended that individuals create their own personal Box account independently from the Tufts Box service, rather than store personal data in their Tufts Box account. Managers have the authority to limit the personal use of institutional systems. As noted in the Use of Institutional Systems Policy, the use of an institutional system such as the Tufts Box service is not ultimately private. If an employee uses a Tufts Box account to store personal data, the amount of data must be modest and the use of Tufts Box must not interfere with Tufts business or violate the Tufts Enterprise Box Terms of Service, this Guideline, the Use of Institutional Systems Policy or any other applicable Tufts policy.

Individuals who store personal data in a Box file associated with their Tufts Box account will cease to have any access to that data upon the termination of their employment or other association with the university. It is solely the individual’s responsibility to remove any and all such personal information from the Tufts Box file before the end of their employment by Tufts. The university will have no responsibility to provide any such information to the individual after such termination or to continue to store such information.

Executive Sponsor
David Kahle, Vice President for Information Technology and Chief Information Officer

Review Entities and Guideline Managers
Tufts Technology Services
Digital Collections and Archives

Approval Date
January 25, 2013, revised March 3, 2016

Effective Date
March 3, 2016

Revision
The University reserves the right to change this Guideline from time to time. Proposed changes will normally be developed by the Guideline managers with appropriate stakeholders. The review entities have sole authority to approve changes to this Guideline.

Related Policies
Information Stewardship Policy
Information Classification and Handling Policy
Use of Institutional Systems Policy
Business Conduct Policy
Tufts Cloud Computing Services Policy