Purpose

Under the authority of the Chancellor of the Maricopa County Community College District (MCCCD), the mission of the Maricopa Emergency Management System (MEMS) team is to develop, implement and maintain a District-wide emergency management program that complies with National Incident Management System (NIMS) guidelines. MEMS scope will include, but is not limited to, emergency operations plans (EOP) and Continuity of Operations Plans (COOP), previously referred to as business continuity plans (BCP).

NIMS provides a systematic, proactive approach to guide all levels of government, nongovernmental organizations, and the private sector to work seamlessly to prevent, protect against, respond to, recover from, and mitigate the effects of incidents, regardless of cause, size, location, or complexity, in order to reduce the loss of life and property and harm to the environment.

Background

Upon review of the MCCCD’s emergency operations and continuity of operations plans, the Chancellor formally charged a group with the task to identify potential actions to be undertaken to improve MCCCD’s emergency preparedness and continuity of operations plans at all MCCCD sites, as well as to facilitate the implementation of those measures. This program was named Maricopa Emergency Management System (MEMS).

Since MEMS’ creation, the MCCCD has been engaged in a comprehensive and systemic effort to improve processes and protocols for the prevention of, preparedness for, response to and recovery from any emergency or crisis. Prior to this effort, each college and the District Office handled emergency planning independently resulting in vast differences in scope, approach and quality of the plans.

Approach to Emergency Management

The MEMS Team has adopted the “All-hazards” approach to emergency management. An “all-hazards” plan provides the basic framework for responding to a wide variety of emergencies varying in scale, duration and cause. All hazards within a jurisdiction must be considered as part of a thorough risk assessment and prioritized on the basis of impact and likelihood of occurrence. There are similarities in how one reacts to all emergency events and these event-specific actions form the basis for most emergency plans.

Emergency planning will begin with the identification of the emergency events that have occurred on a campus or in the community in the recent past since these are the known and, generally, the most probable hazards.

Responsibilities

The Chancellor shall possess the authority to declare a state of emergency for any site within the MCCCD. The Chancellor shall insure compliance with NIMS guidelines.

The Chancellor and the Chancellor’s Executive Council shall be charged with the overall responsibility to develop, implement, and maintain a written emergency operations plan and a written continuity of operations plan for the District Office departments and colleges, respectively.

Both types of plans will be prepared using templates created by the District Emergency Manager and approved by the MEMS Team. These plans will address all elements and best practices in the disciplines of emergency management and continuity of operations planning.

The District Emergency Manager in collaboration with the MEMS Team will coordinate and provide guidance to each college and District Office department to ensure plans are properly completed and updated annually, are NIMS compliant and incorporate best practices of the discipline. Additionally, the District Emergency Manager and the MEMS Team will support the colleges through annual training and exercises of their plans to include evaluation, dissemination of after action reports and lessons learned from the exercises. Plan gaps identified in training exercises will be corrected in revised plans.

Annual Review for Effectiveness

Each college and the District Office shall submit its updated Emergency Operations Plan and updated Continuity of Operations Plan to the District Emergency Manager by June 30 of every year for review. Each college and the District Office shall also report key performance indicators to the District Emergency Manager by June 30 of every year. These reports should highlight progress to date, what remains to be done, and what additional assistance and/or resources are needed.

The MEMS Team will review and approve each plan submitted and shall subsequently submit an annual report to the Chancellor and the Chancellor’s Executive Council that summarizes the progress towards meeting emergency operations and continuity of operations program goals and objectives for the previous year. The annual report will also articulate the goals and objectives for the coming year. This report shall be submitted by September 1 of each year.

Per Arizona Revised Statute §23-403, each employer shall furnish to each of its employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to its employees. Each employer shall comply with occupational safety and health standards and all regulations and orders issued pursuant to this article.

ARS §23-404 requires each employee to comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this article which are applicable to its own actions and conduct.

The Maricopa County Community College District (“District”) places a high priority on the safety and health and of its employees, and regards safety and health as a fundamental value of the institution. The District is committed to supporting the safety and health of its employees by instituting and maintaining a program that provides adequate systemic policies, procedures, and practices to protect their employees from, and allow them to recognize, job-related safety and health hazards. To that end:

1. The Chancellor and each College President shall be charged with the overall responsibility to develop, implement, and maintain a written employee safety and health plan for the district office and the colleges, respectively. This plan, which will be prepared using a template created by the district risk manager, shall include the following elements:
   
   1. Management Commitment and Employee Involvement
   2. Worksite Analysis
   3. Hazard Prevention and Control
   4. Safety and Health Training
2. Each college and the District Office shall submit its plan to the District Risk Manager for review and approval by January 1 of every year.
3. Each college and the District Office shall report key performance indicators to the District Risk Manager by January 1 of every year. These reports should also highlight what the colleges and the District Office are doing, what remains to be done, and what additional assistance and resources are needed.
4. The District Risk Manager shall submit an annual report to the Chancellor and the Chancellor’s Executive Council that summarizes the colleges’ and the District Offices’ progress towards meeting their safety and health program goals and objectives for the previous year as well as goals and objectives for the coming years. This report shall be submitted by March 1 of each year.

1. General Statement

   Electronic communications on behalf of the Maricopa County Community College District (MCCCD) should be used to support education, research, scholarly communication, administration and other MCCCD business. MCCCD provides significant technology resources to Governing Board members, employees and students that, among other things, facilitate electronic communications. Electronic communication is not different from any other form of communication. It is subject to a wide range of applicable federal and state laws and regulations, including public records disclosure/retention requirements and copyright mandates.

   This regulation enumerates standards for electronic communications through which MCCCD business is conducted. It applies whether the electronic communication uses MCCCD technology resources or not. MCCCD Governing Board members and employees have an obligation under the law to conduct MCCCD business through electronic communications in a manner that permits the communication to be captured for public records and retention requirements. Note that, under the interpretation of the law by Arizona State Library, Archives and Public Records–the state agency tasked with establishing standards for record retention–the individual public official or employee is responsible for preserving MCCCD electronic communications in compliance with state standards. See Administrative Regulation 4.15 “Retrieval, Disclosure and Retention of Records” and Administrative Regulation 4.4 “Technology Resource Standards.”

   MCCCD employees using electronic communications should be considerate of the needs of others, and should not impede another employee’s ability to use the electronic services that MCCCD provides. All electronic communications must at least contain the name and electronic mail address of the employee making the information available. E-mail signature cards should reflect the appropriate job title and college or district contact information. Using signature cards to promote or feature logos of vendors is strictly prohibited–No anonymous information may be sent. For electronic communications using MCCCD resources, Administrative Regulation 4.4 “Technology Resource Standards,” also applies.

2. Application of Other Policies

   1. In addition to the standards set forth in this administrative regulation, other MCCCD standards are expressly applicable to electronic communications. For instance, standards that apply to the use of MCCCD resources, including use of equipment and time, also apply to electronic communications. Relevant other institutional policies include, but are not limited to:
      
      1. MCCCD Governing Board policies
      2. MCCCD Administrative Regulations
      3. Employee policy manuals
      4. Student Code of Conduct
      5. Confidentiality of student records
      6. Sexual harassment policy
      7. Technology Resource Standards
   2. The list in Paragraph 2A is not comprehensive. In the event of a conflict between and among standards, the more restrictive standard will govern.
   3. MCCCD colleges and operational units may develop additional “conditions of appropriate use” for local computing and network facilities to supplement these electronic communication standards with additional detail, guidelines or restrictions. Such conditions must be consistent with and subordinate to the MCCCD-wide standards.                                                                                                                                                                      

3. Specifically Acceptable Uses. Examples of acceptable uses of electronic communications are:

   1. Communications with local and foreign educators, students, administrators, researchers and colleagues in connection with instruction or research
   2. Communication and exchange for scholarly development, to maintain currency, or to debate issues in a field of knowledge
   3. Use in applying for or administering grants or contracts for research or instruction, but not for non-Maricopa public relations activities
   4. Announcements of new products or services for use in research, college administration, student services, or instruction but not commercial advertising of any kind
   5. Factual vendor communication relevant to official MCCCD business
   6. Communication incidental to otherwise acceptable use, except for illegal or specifically unacceptable use
   7. Marketing by MCCCD regarding its educational opportunities, programs and non-commercial radio and television stations
   8. Uses by MCCCD non-commercial radio and television reporters for journalistic purposes
   9. Communications from MCCCD-related entities with which MCCCD has an agreement that exists solely to raise funds for MCCCD programs about the manner in which employees may support those entities, so long as the message to employees does not focus on specific third-party products or services

4. Specifically Unacceptable Uses. The following is a list of some unacceptable uses, but unacceptable uses is not limited to this list:

   1. Using electronic communications for illegal activities
   2. Use for for-profit activities (sales, consulting for pay, and so on) or use by for-profit institutions unless covered by the general principle, or as one of the specifically acceptable uses
   3. Use for private or personal business
   4. Chain letter, or any illegal schemes or activities
   5. Mailings to large numbers of people that contain unwanted solicitations or information; such as “spam” or “letter bomb”
   6. Communication that constitutes harassment
   7. Anonymous communications, or communications that impersonate another individual, except communications to the Maricopa EthicsPoint; the contents of an anonymous communication will not be considered a communication regarding official business or a public record of that business with the exception of MCCCD EthicsPoint
   8. Allowing anyone else to use your account
   9. Any communication which adversely impacts the communications of MCCCD by over-loading the network
   10. Violations of open meeting law requirements
   11. Communicating about MCCCD business without complying with the retention requirements specified under Administrative Regulation 4.15 “Retrieval, Disclosure and Retention of Records”
   12. Use of technology resources to market or conduct other activities on behalf of a third party regarding the “hosting” of an event that is prohibited under MCCCD’s Use of College Facilities administrative regulation

5. Confidentiality

   The confidentiality of electronic communications cannot be assured. Under certain conditions, selected MCCCD employees may have access to them consistent with applicable law or policy including this policy. See Administrative Regulation 4.15, “Retrieval, Disclosure and Retention of Records.” Any confidentiality may also be compromised by unintended redistribution or the inadequacy of current technologies. Employees, therefore, should exercise extreme caution in using electronic communications to communicate confidential or sensitive matters, and should not assume that their electronic communication is private or confidential. Additionally, employees should not use electronic communications to transmit information that applicable law requires be confidential, such as student education records under the Family Education Rights and Privacy Act of 1974.

6. Complaint Procedures

   Employees experiencing misuse, abuse, harassment or other incidents related to the technologies which they cannot pursue on their own should report the matter through the supervisory chain of command, the College President or to the appropriate Vice Chancellor. If the employee receives an electronic communication from an outside party that is inappropriate, the employee may also wish to contact the authority at the company or service from which the sender is transmitting. Violations of privacy or property involving the technology may be reported, even if the perpetrator is not a member of the college community, if the communication relates to MCCCD business. As specified in Administrative Regulation 4.4 “Technology Resource Standards,” limited incidental use of electronic communications using MCCCD technology resources is permitted. Employees should avoid any incidental use that may result in misuse, abuse, harassment or similar inappropriate communications. This complaint procedure will not generally be available for those types of communications unless there is a threat that may constitute a violation of law.

7. Enforcement of Standards

   Engaging in any activity that violates these electronic communications standards can result in the loss of access privileges or other discipline. Issues related to enforcement of these standards will be addressed according to established processes in job group policy manuals.

8. The Chancellor, the Vice Chancellors, the College Presidents or their designees should take necessary steps to ensure that employees under their supervision have notice of and will comply with this regulation and any protocols of the MCCCD electronic communications network, as issued by the Vice Chancellor of Information Technology, a College President or designee.

Introduction

The Maricopa County Community College District (MCCCD) provides its students, employees, Governing Board members and the public with access to information resources and technologies. MCCCD recognizes that the free exchange of opinions and ideas is essential to academic freedom, and the advancement of educational, research, service, operational, and management purposes, is furthered by making these resources accessible.

Arizona constitutional and statutory mandates require that MCCCD resources, including technology, be used only for the public’s business, and not for private purposes. Those mandates apply to all MCCCD public officials–employees of every kind and the Governing Board. The aim of those laws is to safeguard the use of resources, including technology resources, acquired and maintained with public funds. Compliance with other laws–both federal and state–also dictates the need for standards for the use of MCCCD technology resources. In some cases, the Governing Board policies emphasize the importance of compliance with the law such as the requirement to adhere to copyright laws. Governing Board policies also establish MCCCD’s own standards, such as the directive that all persons within the MCCCD community be treated in a manner that is humane, fair and dignified.

This administrative regulation establishes standards for the use of MCCCD technology resources. They should be seen as supplementing, and not in lieu of, Governing Board policy, applicable law and other applicable administrative regulations such as Administrative Regulation 4.3 “Electronic Communications.”

General Responsibilities

Technology resources (including, but not limited to, desktop and laptop systems, printers, central computing facilities, MCCCD-wide or college-wide networks, local-area networks, telephones, facsimile machines, scanners, access to the Internet, electronic mail and similar electronic devices and information) of the MCCCD are available to MCCCD Governing Board members, employees, students and, in a limited number of cases, MCCCD contractors and the public. Use of all those resources is subject to the standards set forth in this regulation (Standards).

The first screen that each MCCCD computer exhibits on starting up advises users of these Standards and requires an acknowledgment before the user may proceed to the next screen. Additionally, all MCCCD employees are responsible for annually acknowledging receipt of the Blue Book, which contains this regulation. So all users of MCCCD technology resources are presumed to have read and understood the Standards. While the Standards govern use of technology resources MCCCD-wide, an individual community college or center may establish guidelines for technology resource usage that supplement, but do not replace or waive, these Standards.

Use of Non-MCCCD Technology

Under Arizona’s public records law, MCCCD is required to transact business so that its records are accessible and retrievable. The policy underlying the law is that work done in the name of the public be transparent. Thus, any member of the public may request public records and, except in a few specific instances, are entitled to get copies of them.

Each individual employee or Governing Board member is responsible for ensuring that MCCCD records that he or she initiates or receives are retained for the period of time required by and disposed of according to mandates established by Arizona State Library, Archives and Public Records–the state agency tasked with setting standards for record retention. Therefore, an employee’s or Governing Board member’s use of non-MCCCD technology resources for communication of any type of MCCCD business is heavily discouraged because those records are less capable of being managed according to MCCCD’s process for ensuring retention, retrieval and disclosure set forth in Administrative Regulation 4.15 “Retrieval, Disclosure and Retention of Records.”

Additionally, an MCCCD employee who receives a communication allegedly from another MCCCD employee using a non-MCCCD e-mail address is not required to respond substantively to that e-mail. The employee receiving the e-mail is entitled to verify that the sender is whom he or she says that he or she is. The employee receiving the e-mail may request that the sender provide the information or inquiry set forth in the e-mail via hard-copy form.

Acceptable Use

Use of MCCCD’s technology resources, including websites created by MCCCD employees and students, is limited to educational, research, service, operational and management purposes of the MCCCD and its member institutions. Likewise, data, voice, images and links to external sites posted on or transmitted via MCCCD’s technology resources are limited to the same purposes.

Frequently, access to MCCCD’s technology resources can be obtained only through use of a password known exclusively to the MCCCD employees, Governing Board members or students. It is those users’ responsibility to keep a password confidential. While MCCCD takes reasonable measures to ensure network security, it cannot be held accountable for unauthorized access to its technology resources by other persons, both within and outside the MCCCD community. Moreover, it cannot guarantee employees, Governing Board members and students protection against reasonable failures. Finally, under certain limited circumstances defined in Administrative Regulation 4.15 “Retrieval, Disclosure and Retention of Records,” certain MCCCD employees are authorized to access information on an MCCCD technology device.

It is not Maricopa's practice to monitor the content of electronic mail transmissions, files, images, links or other data stored on or transmitted through Maricopa's technology resources. The maintenance, operation and security of Maricopa's technology resources, however, require that network administrators and other authorized personnel have access to those resources and, on occasion, review the content of data and communications stored on or transmitted through those resources. Any other review may be performed exclusively by persons expressly authorized for such purpose and only for cause. To the extent possible in the electronic environment and in a public setting, a user's privacy will be honored. Nevertheless, that privacy is subject to Arizona's public records laws and other applicable state and federal laws, as well as policies of Maricopa's Governing Board all of which may supersede a user's interests in maintaining privacy in information contained in Maricopa's technology resources.

Incidental Computer and Technology Usage

Limited incidental personal use of MCCCD technology resources including through use of personal e-mail systems is permitted, except as described in item 16 under “Prohibited Conduct.” MCCCD employees are responsible for exercising good judgment about personal use in accordance with this regulation, Colleges’ consistent local guidelines and MCCCD ethical standards. Personal use refers to activities which only affect the individual and that are not related to an employee’s outside business. MCCCD employees are required to conduct themselves in a manner which will not raise concern that they are or might be engaged in acts in violations of the public trust. Refer to the Guidelines for Incidental Computer Usage for the Maricopa Community Colleges (Appendix AS-8) and Guidelines for Incidental Telephone Usage for the Maricopa Community Colleges (Appendix AS-9).

Prohibited Conduct

The following is prohibited conduct in the use of MCCCD’s technology resources

1. Posting to the network, downloading or transporting any material that would constitute a violation of MCCCD contracts.
2. Unauthorized attempts to monitor another user’s password protected data or electronic communication, or delete another user’s password protected data, electronic communications or software, without that person’s permission.
3. Installing or running on any system a program that is intended to or is likely to result in eventual damage to a file or computer system.
4. Performing acts that would unfairly monopolize technology resources to the exclusion of other users, including (but not limited to) unauthorized installation of server system software.
5. Hosting an unauthorized website that violates the .EDU domain request.
6. Use of technology resources for non-MCCCD commercial purposes, including to advertise personal services, whether or not for financial gain.
7. Use of software, graphics, photographs, or any other tangible form of expression that would violate or infringe any copyright or similar legally-recognized protection of intellectual property rights.
8. Activities that would constitute a violation of any policy of MCCCD’s Governing Board, including, but not limited to, MCCCD’s non-discrimination policy and its policy against sexual harassment.
9. Transmitting, storing, or receiving data, or otherwise using technology resources in a manner that would constitute a violation of state or federal law, or MCCCD policy or administrative regulation including, but not limited to, obscenity, defamation, threats, harassment, and theft.
10. Attempting to gain unauthorized access to a remote network or remote computer system.
11. Exploiting any technology resources by attempting to prevent or circumvent access, or using unauthorized data protection schemes.
12. Performing any act that would disrupt normal operations of computers, workstations, terminals, peripherals, or networks.
13. Using technology resources in such a way as to wrongfully hide the identity of the user or pose as another person.
14. Allowing any unauthorized access to MCCCD’s technology and non-technology resources.
15. Making personal long distance or other toll calls, except where the charges for the calls are incurred directly by the caller or arrangements are otherwise made at the time of the call to directly bill the caller.
16. Intermittent use of technology resources that interferes with the performance of an employee’s main responsibilities.
17. Use of technology resources to market or conduct other activities on behalf of a third-party regarding the “hosting” of an event that is prohibited under MCCCD’s Use of College Facilities administrative regulation.
18. Conducting District or college-related business using any electronic mail account other than one hosted or provided by MCCCD, and approved by the Vice Chancellor of Information Technology Services, even when the e-mail account copies all outgoing and incoming messages to the MCCCD hosted account.
19. Deleting or altering a technology public record in violation of public records retention requirements, or in anticipation of receiving or after receipt of a public records request, subpoena or a complaint filed as part of an MCCCD grievance, investigation or review, or other lawful request for the record.
20. Deleting or altering a technology record on an MCCCD device in anticipation or after receipt of a public records request, subpoena or a complaint filed as part of an MCCCD grievance, investigation or review, or other lawful request for the records where the record may demonstrate a misuse of technology resources under this regulation.

Review and Approval of Alternate E-Mail Account Systems

The prior review and approval by the Vice Chancellor of Information Technology is required for the implementation of alternate College electronic mail account systems. Requests will be evaluated based upon the following considerations:

1. The system must be compatible and interoperable with the MCCCD e-mail system. All information within the e-mail system must meet the standards and authorize District Office access as specified in Administrative Regulation 4.15, “Retrieval, Disclosure and Retention of Records.”
2. Any proposed changes to an MCCCD’s entity’s e-mail system with e-discovery implications must be approved in advance during the planning stages as specified in Administrative Regulation 4.15, “Retrieval, Disclosure and Retention of Records.”

Disclaimer

The home page of an MCCCD web site must display, or link to, the following disclaimer in a conspicuous manner:

All information published online by MCCCD is subject to change without notice. MCCCD is not responsible for errors or damages of any kind resulting from access to its internet resources or use of the information contained therein. Every effort has been made to ensure the accuracy of information presented as factual; however errors may exist. Users are directed to countercheck facts when considering their use in other applications. MCCCD is not responsible for the content or functionality of any technology resource not owned by the institution.

The statements, comments, or opinions expressed by users through use of Maricopa’s technology resources are those of their respective authors, who are solely responsible for them, and do not necessarily represent the views of the Maricopa County Community College District.

Information Accuracy and Marketing Standards

In order to help ensure that the most accurate information sources are reflected on web pages, information should be cited, sourced or linked from the website of the official District or college custodian responsible for the particular subject. In addition, the design of web pages shall reflect established marketing standards with respect to the imaging and using of MCCCD marks as outlined in the marketing standards handbook and Use of Marks administrative regulation.

Complaints and Violations

Complaints or allegations of a violation of these standards will be processed through Maricopa’s articulated grievance procedures or resolution of controversy. Upon determination of a violation of these standards, MCCCD may unilaterally delete any violative content and terminate the user’s access to MCCCD’s technology resources. It is the user’s responsibility to demonstrate and/or establish the relevance of content in the event that a content complaint is made official. Users retain the right to appeal actions through MCCCD’s grievance procedures or resolution of controversy.

 

Statement on Computer Software 

Just as there has been shared responsibility in the development of this regulation, so should there be shared responsibility for the resolution of the problems inherent in providing and securing good educational software. Educators have a valid need for quality software and reasonable prices. Hardware developers and/or vendors also must share in the effort to enable educators to make maximum cost-effective use of that equipment. Software authors, developers and vendors are entitled to a fair return on their investment.

 

1. Educators' Responsibilities
   
   Educators need to face the legal and ethical issues involved in copyright laws and publisher license agreements and must accept the responsibility for enforcing adherence to these laws and agreements. Budget constraints do not excuse illegal use of software.
   
   Educators should be prepared to provide software developers or their agents with the written Software Policy Statement approved by the Maricopa County Community College District including as a minimum:
   1. A clear requirement that copyright laws and publisher license agreements be observed;
   2. A statement making employees who use Maricopa County Community College District equipment responsible for taking all reasonable precautions to prevent copying or the use of unauthorized copies on Maricopa County Community College District equipment;
   3. An explanation of the steps taken to prevent unauthorized copying or the use of unauthorized copies on Maricopa County Community College District equipment;
   4. A designation that the Vice Chancellor for Business Services or Designee are the only parties authorized to sign software license agreements for the Maricopa County Community College District;
   5. A designation at the campus site level of who is responsible for enforcing the terms of the Maricopa County Community College District regulation and terms of licensing agreements.

 

2. Hardware Vendor's Responsibilities
   
   Hardware vendors should assist educators in making maximum cost effective use of the hardware and help in enforcing software copyright laws and license agreements. They should as a minimum:
   1. Make efforts to see that illegal copies of programs are not being distributed by their employees and agents;
   2. Work cooperatively with interested software developers to provide an encryption process that avoids inflexibility but discourages theft.

 

3. Software Developer's and Vendor's Responsibilities
   
   Software developers and their agents can share responsibility for helping educators observe copyright laws and publishers license agreements by developing sales and pricing policies. Software developers and vendors should as a minimum:
   1. Provide for all software a copy to be used for back-up purposes, to be included with every purchase;
   2. Provide for on-approval purchases to allow Maricopa County Community College District to preview the software to ensure that it meets the needs and expectations of the educational institution;
   3. Work in cooperation with hardware vendors to provide an encryption process that avoids inflexibility but discourages theft;
   4. Provide for, and note in advertisements, multiple-copy pricing for Maricopa County Community College District sites with several machines and recognize that multiple copies do not necessarily call for multiple documentation;
   5. Provide for, and note in advertisements, network compatible versions of software with pricing structures that recognize the extra costs of development to secure compatibility and recognize the buyer's need for only a single copy of the software.

 

4. Software Policy Statement
   
   It is the intent of the Maricopa County Community College District to adhere to the provisions of copyright laws in the area of computer programs. Though there continues to be controversy regarding interpretation of those copyright laws, the following procedures represent a sincere effort to operate legally. We recognize that computer software piracy is a major problem for the industry and that violations of computer copyright laws contribute to higher costs and greater efforts to prevent copies and/or lessen incentives for the development of good educational software. All of these results are detrimental to the development of effective educational uses of microcomputers. Therefore, in an effort to discourage violation of copyright laws and to prevent such illegal activities the following apply:
   1. Maricopa County Community College District employees will be expected to adhere to the provisions of Public Law 96-517, Section 10(b) which amends Section 117 of Title 17 of the United States Code to allow for the making of a back-up copy of computer programs. This states that "...it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided:
      
      1. that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, or
      2. that such a new copy and adaptation is for archival purposes only and that all archival copies are destroyed in the event that continued possession of the computer program should cease to be rightful."
   2. When software is to be used on a disk sharing system, efforts will be made to secure this software from copying.
   3. Illegal copies of copyrighted programs may not be made or used on Maricopa County Community College District equipment.
   4. The Vice Chancellor for Business Services, or designee, of the Maricopa County Community College District is designated as the only individual who may sign license agreements for software.
   5. The president of each college of the Maricopa County Community College District is responsible for establishing practices that will enforce this regulation at the college level.

It is the policy of the Maricopa County Community College District that no person shall use or cause to be used in the Maricopa County Community College District's computer laboratories any software that does not fall into one of the following categories:

1. It is in the public domain.
2. It is covered by a licensing agreement with the software author, authors, vendor or developer, whichever is applicable.
3. It has been donated to the Maricopa County Community College District and a written record of a bona fide contribution exists.
4. It has been purchased by the Maricopa County Community College District and a record of a bona fide purchase exists.
5. It has been purchased by the user and a record of a bona fide purchase exists.
6. It is being reviewed or demonstrated by the users in order to reach a decision about possible future purchase or request for contribution or licensing.
7. It has been written or developed by a Maricopa County Community College District employee for the specific purpose of being used for district purpose.

It is also the policy of the Maricopa County Community College District that there be no copying of copyrighted or proprietary programs on computers belonging to the Maricopa County Community Colleges District.

Except as noted in paragraph 1 below, all persons who attend classes, are employed by the District/college, are visiting the District/campus or who otherwise have business within MCCCD, are prohibited from carrying concealed weapons on their person or concealed within their immediate control. The above persons are also prohibited from carrying or possessing any type of deadly weapon, edged weapon, dangerous instrument or martial arts weapon, as defined in ARS §§13-105.11, 13-105.13, 13-105.17 and 13-3101.7. Except as noted in paragraph 2 below, pursuant to ARS §12-781, this policy shall not prohibit a person from lawfully transporting or lawfully storing any firearm that is both locked in the person's privately owned vehicle or in a locked compartment on the person's privately owned motorcycle, and not visible from the outside of the motor vehicle or motorcycle.

These items include, but are not limited to: all firearms, sheath knives, boot knives, swords, pocket knives or folding knives with a blade length greater than three (3) inches, crossbows, long bows, compound bows, sling shots, any instrument under the circumstances of use that could cause death or serious injury, nunchaku (numbchucks), throwing stars, darts, throwing knives and related martial arts weapons.

The above listed persons are also prohibited from carrying or possessing any type of explosive or explosive devices as defined in ARS §§13-3101.3 and 13-3101.7a, f through h. This section also prohibits the possession of all ammunition and ammunition components.

1. Persons excluded from this policy:
   
   1. Any certified peace officer, currently employed by a law enforcement agency
   2. Upon the approval of the Chancellor/or appropriate college president or president's designee, any person possessing a weapon for the purpose of teaching firearm safety, hunter safety, martial arts, law enforcement procedures or related course
   3. Upon approval of the Chancellor/or appropriate college president or president's designee, any person possessing a weapon for the purpose of demonstrating, for educational purposes, any of the above stated weapons
   4. Any person, otherwise approved by the Chancellor/or appropriate college president or president's designee
2. Locations where non-exempt persons are prohibited from concealed or open carry in vehicles, as well as on their person or in their immediate control:
   
   1. The property owner, tenant, public or private employer or business entity is a current United States Department of Defense contractor and the property is located in whole or in part on a United States military base or United States military installation
   2. The property owner is a Tribal Sovereign Nation
3. Sanctions for Violations: Failure to comply with this policy, may result in, but is not limited to:
   
   1. Removal or ejection from the properties of the institution at which the violation occurs by peace officers and/or authorized representatives of the concerned institution;
   2. Criminal prosecution;
   3. Suspension or expulsion from the concerned institution and/or all institutions within the MCCCD, and civil and/or criminal prosecution
   4. Any other sanction authorized by law, MCCCD policy or administrative regulation

Language deleted per adoption of Public Safety Administrative Regulation (formerly Board Policy) Motion No. 9447, October 23, 2007

In order to promote and enhance the visual art environment of our buildings and grounds, funds may be identified and allocated for this purpose.

The Chancellor is directed to establish guidelines to accomplish this needed enhancement of the quality of life at our colleges, centers, and District Office. (Guidelines are available as Appendix AS-1)

Periodic reports will be submitted to the Governing Board to monitor the accomplishments of this regulation.

1. Plaques commemorating the use of Federal Higher Education Facilities Funds, when appropriate, or the completion and dedication of new buildings may be placed either as a cornerstone or at the main entrance to the building.
2. This will not hold true for any projects already in existence.
3. The Director, Department of Facilities Planning and Development will establish and maintain procedures for the installation of building plaques. [A copy of the procedures may be obtained by calling the Department of Facilities Planning and Development at 480-731-8230.]

Purpose

The Maricopa Community Colleges District is proud to recognize individuals, organizations and corporations that support its mission. That support can be manifested in a number of ways—through long and distinguished service as volunteers or employees, or monetary contributions to scholarship funds, endowments, special programs, or capital projects. This administrative regulation is intended to establish guidelines and processes for naming facilities and academic entities at The Maricopa County Community Colleges District.

Authority

The authority for naming facilities and academic entities (as defined in this administrative regulation) rests with The Maricopa County Community College District Governing Board.  No commitment shall be made regarding the naming of facilities or academic entities to any person or party without appropriate, prior approval as specified in this administrative regulation. The Board also reserves the right to accept or reject naming proposals submitted through the District Chancellor.

The Chancellor shall be the Governing Board’s principal representative under this administrative regulation and may act with or without the assistance of an advisory committee he/she may choose to appoint. Nothing in this administrative regulation shall prohibit the Chancellor, the College Presidents, District Vice Chancellors, members of the Governing Board or the Governing Board as a whole, or the Board of Directors of the Maricopa County Community College District Foundation as a whole, from initiating action for the naming of District facilities or academic entities. Others, including District faculty, administrators, staff and members of the District’s service area community also may initiate consideration of a naming request either through the appropriate College President, if the naming request is for a facility or academic entity at a college, or through the Chancellor, or through a member of the Foundation.

Definitions

Facility (including facility components and outside facilities)—colleges, satellite centers, buildings, building additions, wings, halls, laboratories, libraries, conference areas, dining facilities, parks, plazas, recreational fields, parking lots and roadways.

Academic Entities—divisions, departments, centers, institutes, programs, and endowed chairs.

Exceptions—classrooms, seminar rooms, reading rooms, fountains, furniture, and bricks, plaques, walls and other commemorative installations are not covered under this administrative regulation and may be named at the discretion of the College Presidents, Vice Chancellors, and President/CEO of the Maricopa Community College Foundation with the concurrence of the Chancellor.

Naming Guidelines and Criteria

The District, its Colleges and the Maricopa Community Colleges Foundation frequently and enthusiastically recognize outstanding supporters, volunteers, faculty and staff in special publications, at events, receptions and awards ceremonies, through named endowments and other named funds, or through a variety of permanent, public installations that honor distinguished service and generous donors.

A facility or academic entity named in honor of a person or persons, organization or corporation is an exceptional form of recognition—perhaps the most prestigious and prominent recognition the District can bestow.  Naming opportunities are limited and a very high standard should be applied in the selection of honorees. Therefore, nominations based on professional achievements and/or long service that while unusual and laudable also are shared by significant numbers of other employees or volunteers should be recognized in some other, more appropriate way.  The following examples shall be used as minimum criteria in determining whether an individual, organization or corporation qualifies for nomination:

• While serving the District in an academic capacity, the individual has long demonstrated high scholarly distinction resulting in significant recognition within his/her discipline and earning a regional or national reputation.
• While serving the District in an administrative or staff capacity, the individual has rendered long and distinguished service resulting in significant, measurable benefits to the welfare of the District resulting in recognition from professional groups or other regional/national organizations.
• While serving the district, community, state or nation in an elected or appointed position, the individual has rendered long and distinguished service which demonstrably benefited the purpose and mission of the District.
• An individual or individuals, organization or corporation which has donated or pledged to donate funds or other resources and support for the benefit of the District, the amount of which shall determine the facility or academic entity that may be named.

When an individual or individuals are recommended for naming rights the following additional criteria also shall apply:

• No naming in honor of an individual who has served the District in an academic, administrative or staff capacity may be considered until two years after retirement, separation, or death if the person had not yet retired or separated from the District.
• A naming in honor of an individual who has retired from the District but has been recalled to full or part time employment may be considered based on the earlier of the first two criteria.
• No naming in honor of an individual who has served the District, community, state or nation in an elected or appointed position until two years after retirement or separation from the elected or appointed office.

Nominating Process

All proposals to name facilities or academic entities shall be submitted in writing either to the Chancellor or the President of the College at which the naming would take place. At a minimum, all written proposals will address each of the applicable sections of the nomination form provided in Appendix AS-10, and shall be in conformance with all of the applicable guidelines and criteria set forth herein.

After appropriate review and consultation the Chancellor shall recommend and submit those nominations which he/she determines have met the guidelines and criteria set forth in this administrative regulation and merit further consideration to the District Governing Board for approval.

Confidentiality

Authority for granting naming rights is reserved to the Governing Board and their action in this regard must be taken in public session. To the greatest extent possible, however, and out of respect for the individual or individuals, organizations or corporations who may be recommended for naming rights, the nominating process and deliberations of the naming rights advisory committee, should one be appointed, shall be held in confidence until such time as the Chancellor presents a recommendation for naming rights approval to the Governing Board.

Due Diligence

All nominations for naming rights shall be reviewed by the District’s General Counsel or designee. All nominations based in whole or in part on a donation or a pledge to donate funds or other resources for the benefit of the District also shall be reviewed by the President/CEO of the Maricopa County Community College District Foundation or designee.

A thorough financial review shall be undertaken by the Vice Chancellor for Business Services or designee with emphasis on the costs associated with granting naming rights including necessary legal or insurance expenses, building preparation and maintenance expenses, the cost of manufacturing, installing and maintaining new signage, etc. Whenever possible, even when naming rights are recommended for long and meritorious service, efforts should be undertaken to raise gifts sufficient to at least offset associated expense to the District/College.  In cases where a naming right is recommended and in any proposal to name an academic or non-academic program for a donor, consideration should be given to ensure that any associated endowment will be sufficient to sustain the program, if applicable.

In all cases, special care shall be exercised when a naming opportunity involves facilities currently financed with tax-exempt bonds. The Vice Chancellor for Business Services and the District’s General Counsel shall be consulted as early as possible in this process to ensure that tax-exempt bond status is not jeopardized.

Upon approval by the Governing Board, the District’s Chief Legal Counsel and, in cases where a gift or pledge is involved, the President/CEO of the Maricopa County Community College District Foundation or their designees shall cause to be executed with the honoree or their appropriate representatives, an agreement documenting the naming rights granted and their terms and conditions.

Duration of Naming Rights

When a facility is named either in honor of distinguished service or in recognition of a donor, the naming right will generally be effective for the useful life of the facility. If a facility must be replaced or substantially renovated the facility may be renamed, subject to the specific terms and conditions set forth in any gift or other naming right agreement related to the prior naming action.

If the decision to name a facility, either to honor distinguished service or to recognize a donation, is directly related to the function of that facility, and if that function is later transferred to another facility, the naming right will not automatically be transferred to the new facility. However consideration may be given to such a transfer subject to the terms and conditions of any agreement related to the original naming action. 

When an academic entity is named, that naming right also will generally be effective for the existence of the entity, once again subject to the terms and conditions of any agreement related to the original naming action.

In the case of any decision affecting previously granted naming rights, the appropriate District or Foundation representative(s) shall make a timely and good faith effort to inform the original donor(s), honoree(s) or their heirs, assigns, or representatives.

Changing Circumstances

If at any time following the approval of a naming, circumstances change substantially so that the continued use of that name may compromise the public trust, the Chancellor will consult with the District’s Chief Legal Counsel and if appropriate with the President and CEO of the Maricopa Community Colleges Foundation regarding future action. The District reserves the right to remove any name that would not reflect positively on the District or would conflict with its purpose or mission.

A naming conferred in recognition of a pledged gift is contingent upon fulfillment of that pledge and shall be approved on that condition.  After appropriate review and consultation with the Chief Legal Counsel and Foundation President and CEO, the District may remove any name granted in honor of a pledge that is not substantially fulfilled.

Renaming/Addition of Second Name

Any proposal to rename or to add a second name to a facility or academic entity shall follow all guidelines, criteria and processes set forth in the administrative regulation herein. If not otherwise required in this administrative regulation, a review of all prior agreements and documents pertaining to the original gift or naming agreement also shall be conducted.

Naming Related to Gifts – Additional Considerations

In the case of a naming right nomination based primarily or solely upon a proposed gift, consideration shall be given to the following:

Ideally, the gift shall: (1) fund the total cost of the project to be named; (2) provide substantial funding for that portion of the total cost that would not have been available from another source (such as federal or state loans or appropriations, student fees, or bond issues); (3) constitute a significant portion of the total cost of the project to be named, or (4) otherwise be sufficient to clearly justify the public recognition involved.

In fact, the appropriate contribution value for which naming rights may be granted is likely to be highly variable and dependent on factors of location, prominence and function and also may be impacted by economic fluctuations.

The District’s Office of Facilities Planning and Development and the Maricopa County Community College District Foundation shall work collaboratively to develop and periodically update a table of estimated values and value ranges for various types of facilities. And these estimates should be re-evaluated periodically. If possible, this collaboration also should attempt to establish minimum acceptable contribution levels to guide discussions with potential donors. Similarly, the Vice Chancellor for Academic Affairs and the President/CEO of the Maricopa County Community College District Foundation shall collaborate to develop and periodically update a table of values and value ranges and minimum acceptable contribution levels for naming academic entities.

The final decision regarding appropriate contribution values shall be left to the District Chancellor as part of his deliberations and recommendations to the Governing Board.

(Note: While items 1 through 3 in paragraph two of the “Naming Related to Gifts” section, relate to the actual costs of a project or projects for which naming rights may be conferred, the funds received from naming rights gifts need not necessarily be used to pay for those project costs, even in cases where a gift is received before completion of the project. The Maricopa County Community College District and the Maricopa Community College District Foundation reserve the right to negotiate the use of such gifts with a prospective donor.)

Generally, the distribution of free materials shall be avoided; however, the distribution of any commercial products, for sale or give away, to students through the bookstore, registration lines, or elsewhere on campus, shall be subject to prior review and approval by the president of the college or designee.

The Maricopa County Community College District is dedicated to providing a healthy, comfortable, and educationally productive environment for students, employees, and visitors. In order to promote a healthy learning and work environment, the Chancellor has directed that the Maricopa County Community College District serve as a total smoke free and tobacco free environment, effective July 1, 2012. Smoking (including the use of “e-cigs”) and all uses of tobacco shall be prohibited from all District owned and leased property and facilities, including but not limited to parking lots, rooftops, courtyards, plazas, entrance and exit ways, vehicles, sidewalks, common areas, grounds, athletic facilities, and libraries.

Support signage prohibiting the use of smoking instruments and tobacco shall be placed throughout all college and District locations.

Continued violations by an employee or student shall be handled through the respective conduct procedures established for employees and students.

See also 4.21 Breathe Easy Tobacco Free | Smoke Free

This Administrative Regulation prohibits the use of District funds to purchase alcoholic beverages or services related to them except in small amounts to be used in cooking for the District's culinary programs. Additionally, it generally prohibits the presence of alcoholic beverages on premises owned by the District, or those leased or rented by the institution. It permits a few, narrow exceptions to that latter prohibition. The exceptions are not available to the general population of District employees or officials. More importantly, they are established to ensure that the District's actions stay within the boundaries of state law and the District's insurance coverage. Therefore, strict compliance with this regulation is essential.

1. No Funds. No funds under the jurisdiction of the governing board of the District may be used to purchase alcoholic beverages, except for the limited purposes of purchasing small amounts of them for use solely as ingredients in food preparation for classes and at the District's culinary institutes. Alcoholic beverages may not be stored on premises owned, leased, or rented by MCCCD except as provided in Paragraph 8.
2. No Service or Sale of Alcoholic Beverages. The law of the state of Arizona strictly regulates the service, sale, distribution and consumption of alcoholic beverages. In light of that law, the District does not permit alcoholic beverages to be served, sold or distributed on or in the premises owned by the District or leased or rented by the Maricopa Community Colleges for District-approved educational, fund-raising or other community purposes, except as provided in Paragraphs 3 and 7.
3. Service at District Events on District-owned Property. The Chancellor has the sole authority to approve the service, but not the sale or other distribution, of wine or beer at District events on district-owned property that the Chancellor either sponsors or approves. The only District employees authorized to request the Chancellor's approval are the College Presidents and the Vice Chancellors. Additionally, the law strictly limits the service of wine or beer by the District on District-owned property, and those restrictions are specified in Paragraph 5. Unless approved by the Chancellor in compliance with the law and this regulation, alcoholic beverages may not be served on District-owned property.
4. Event Form Required. A College President or Vice Chancellor who wishes to obtain the Chancellor's approval for the service of wine or beer at a District-sponsored event on District-owned property shall forward a completed written request to the Chancellor no later than 30 days before the event. The request form is available at: AS-6 - Agreement to Serve Alcohol Part I. On signing the form, the Chancellor will provide a copy of it to the requestor and to the MCCCD Risk Manager. For events that the Chancellor sponsors, he or she will complete the form, sign it and provide it to the MCCCD Risk Manager no later than 10 business days before the event.
5. Service restrictions required by law. An event approved under Paragraph 4 must, by law, comply with the all of the following restrictions: Additionally, beer and wine may only be served by a beverage service contractor whose liquor license with the state of Arizona is in good standing, except as provided in Paragraph 6. The contractor must provide all of the beverages served and well as the servers or bartender. Before the event, the contractor must provide a certificate of insurance that meets the requirements of the District's Risk Manager and that adds the District as an additional insured. The contractor must also agree in writing to indemnify the District regarding the service of the beverages.
   
   1. The only alcoholic beverages that may be served and consumed are wine and beer. Wine consumption is limited to 6 oz. per person, and beer consumption is limited to 24 oz;
   2. The gathering must be by invitation only, and not open to the public;
   3. The gathering may not exceed 300;
   4. Invitees may not be charged any fee for either the event or the beer or wine; and
   5. The consumption may only take place between noon and 10:00 p.m.
6. Culinary Institutes. The Chancellor may sponsor or approve an event at one of the District's culinary institutes. Students may serve wine and beer at the event as part of their class requirements, subject to the limitations of Paragraph 5. Any student serving those beverages must, by law, be 19 years or older.
7. Third-Party Event. The Maricopa County Community College District Foundation and the Friends of Public Radio Arizona may, with the approval of the Chancellor, sponsor an event on District-owned property under this regulation. The City of Phoenix and the Friends of the Phoenix Public Library may also do so, with the approval of the Chancellor, at the joint library on the campus of South Mountain Community College. These third-party, non-district entities are solely responsible for determining the steps that they are required to take to comply with Arizona's alcoholic beverages laws. Additionally, they must comply with the following steps:
   
   1. The entity obtains a liquor license, if required by law, from the Arizona Department of Liquor Licenses and control for each event and fully complies with the laws, rules and other requirements applicable to that license;
   2. The entity completes the form available at AS-7 - Agreement to Serve Alcohol Part II. And provides it to the Chancellor for approval along with a copy of the liquor license no later than 30 days before the event, unless the Chancellor approves a shorter period of time in a particular case;
   3. The entity provides or currently has on file with the District a certificate of insurance demonstrating that it has liquor liability coverage and that adds the District as an additional insured;
   4. The entity agrees in writing to indemnify the District from any claims of any kind arising out of the event;
   5. Beer and wine are the only alcoholic beverages served and only served through a beverage service contractor whose liquor license with the state of Arizona is in good standing;
   6. The contractor provides all of the beverages served and well as the servers or bartenders;
   7. Before the event, the contractor provides a certificate of insurance that meets the requirements of the District's Risk Manager and that adds the District as an additional insured; and
   8. The contractor agrees in writing to indemnify the District regarding the service of the beverages.
8. Receipt of beverages; storage. It is not permissible to store wine or beer on premises owned, leased or rented by MCCCD, except as provided in this paragraph. Alcoholic beverages purchased for use in cooking in District culinary courses must be stored in such a way that it is inaccessible to anyone except the Director or designee of the culinary program. For wine and beer to be used for receptions at the district's culinary institutes, as authorized by this administrative regulation, the following storage requirements apply:
   
   1. Wine and beer to be served may only be brought to MCCCD property no sooner than four hours prior to the event, and remain there no longer than four hours after the event; and
   2. Once the wine and beer arrives on MCCCD property, the Director the culinary program shall assign an MCCCD employee to ensure that it is not stolen or that it is not opened until ready to be served.
9. Compliance with law. In compliance with applicable law, any persons planning an event under this administrative regulation are required to familiarize themselves with the pertinent laws and other requirements established by the state of Arizona for the service of alcoholic beverages, particularly those in Arizona Revised Statutes Title 4 (Alcoholic Beverages) Chapters 1 (General Provisions), 2 (Regulations and Prohibitions) and 3 (Civil Liability of Licensees and Other Persons) as well as Arizona Administrative Code Title 19, Articles 1 (State Liquor Board) and 3 (Unlicensed Premises Definitions and Licensing Time-Frames).
10. Residential Housing. Lawful occupants of residential housing under the jurisdiction of the Governing Board, if over the age of 21 years and not otherwise lawfully barred from such practice, may possess and consume alcoholic beverages in the privacy of their respective leased housing facility. Guests of such occupants over the age of 21 years shall have the same privilege. No alcohol is permitted in public areas (nor common areas of a dormitory) at any time.
11. Personal Responsibility. The personal or individual purchase of alcoholic beverages by individuals attending District-approved functions held in places serving alcoholic beverages is a personal and individual responsibility. Administrative discretion shall be exercised in the approval of the location of such activities, as such decision pertains to the nature of the group involved.
12. Miscellaneous Usage Issues. Any issues that are not specifically addressed within this regulation require the review and determination by the Chancellor or Executive Vice Chancellor and Provost on matters related to culinary programs, academic or student affairs.

1. Each college president shall designate an official at his/her respective college who shall ensure that any employee at that college who is authorized to operate a college or district-owned motor vehicle or vehicle rented, borrowed or leased for college or district purposes:
   
   1. has completed a driver training program approved by the district Risk Manager; and
   2. has been the subject of an authorized motor vehicle record review conducted on behalf of the college.

   The Vice Chancellor for Human Resources shall designate an official at the district office to ensure that any employee at the district office who is authorized to operate a college or district-owned, -rented, or -borrowed motor vehicle has completed such training program and been the subject of a motor vehicle record review. The training and motor vehicle record review shall be completed for an employee before that employee is permitted to operate a motor vehicle. The District Risk Manager shall coordinate the training program and processes for motor vehicle record review required under this regulation.

2. A college or District-owned, -rented or -borrowed motor vehicle may be operated only by an employee of the Maricopa County Community College District. A Maricopa Community Colleges student may operate such a motor vehicle only in the event of an emergency as determined at the time of the emergency by a responsible college or district employee.
3. A college or district driver shall report to his/her supervisor and the manager responsible for authorizing the use of college vehicles within 48 hours any conviction for driving under the influence of alcohol or drugs, moving traffic violations, license suspension, or license revocation that occurs regardless of whether or not the driver was operating a college or district-owned, rented or borrowed vehicle. The driver's supervisor shall immediately forward this information to the district Risk Manager. Failure to report information as required under this paragraph may result in disciplinary action and the loss of authority to operate a vehicle in the performance of employment responsibilities.
4. The driver of a college or District-owned, -rented or -borrowed motor vehicle shall not use a cellular telephone or similar communication device while operating the vehicle.

Introduction

The Maricopa County Community College District (MCCCD) is subject to the State’s broad public records law, obligating it to produce records under a public records request and to retain those records in a consistent manner throughout MCCCD.

That same expectation of consistency in public records production, retention and disposal applies to records that are requested through a subpoena, warrant, judicial or administrative order, litigation discovery document or as part of an MCCCD grievance, investigation or review. So, while MCCCD is composed of 10 colleges, two skill centers, several centers and the District Office, its ability to retrieve, disclose and retain public records must be subject to a single set of standards and one process.

Centralized Authority

Under this administrative regulation, the authority to manage MCCCD public records is centralized in the Manager of the Office of Public Stewardship (Manager). This authority extends to responding to or overseeing the response to public records requests in compliance with State law and establishing standards for the retention, retrieval, disclosure and disposal of public records.

The authority also extends to having access to the electronic records of an MCCCD employee or a Governing Board member under the procedures and narrow circumstances specified in this regulation. Under those circumstances and procedures, the Manager and the Vice Chancellor of Information Technology or his designee/supervisee are authorized to access those electronic records using third-party technology tools that MCCCD has purchased. The Vice Chancellor may, after conferring with the Manager and General Counsel, authorize access on a case-by-case basis to a non-District Office information technology employee on the request of the College President who supervises that employee justifying the need for access, the scope of the access, and the duration that access is needed.

Public Records Generally

Under Arizona’s public records law, MCCCD must make records in its custody open for public inspection by any person, and to provide any person with copies on request. That mandate includes records that reside in electronic form. MCCCD also must preserve those records according to the standardized retention and disposition schedules approved by the Arizona State Library, Archives and Public Records applicable to Arizona Community Colleges and Districts (Retention Schedule). See Arizona Revised Statutes §§39-121 et seq.

MCCCD employees and Governing Board members should presume that all work-related records that they produce during work hours as well as communications and attachments sent or received electronically in the performance of duties relating to MCCCD (whether through an MCCCD technology resource or other technology resource) are public records. The MCCCD General Counsel and the Manager will make the final determination of whether something is a public record or not under the law.

Individual Employees’ and Governing Board Members’ Responsibility to Comply

Arizona State Library, Archives and Public Records places the responsibility to manage public records in compliance with the law on the individual MCCCD employee or Governing Board member. It does not matter whether the record is in paper or electronic form. The responsibility is the same–on the individual.

Where a record is only in electronic form and resides within MCCCD’s technology resources, an electronic record that an employee deletes may still be retained through the normal operation of those resources. However, the law as interpreted by the Arizona State Library, Archives and Public Records does not place primary responsibility for retention of those records on MCCCD technology resources. The primary responsibility for managing each individual employee’s or Governing Board member’s electronic records is squarely on that employee or member. The Arizona State Library, Archives and Public Records has made that clear despite potential practical barriers to easy compliance, such as a limitations on memory within an MCCCD employee’s computer.

Note that it is a violation of MCCCD’s Administrative Regulation 4.4, “Technology Resource Standards,” for an employee to delete or alter an electronic public record in violation of public records retention requirements, or in anticipation of receiving or after receipt of a public records request, subpoena, a request for records as part of an MCCCD grievance, investigation or review, or other lawful request for the record.

The standards for retaining and disposing of records are discussed in more detail under the next section of this regulation.

Understanding and Applying Record Retention and Disposal Standards

The official Retention Schedule is available at: Arizona State Library, Archives and Public Records

The Arizona State Library, Archives and Public Records’ “rule of thumb” places public records into four categories based on their content: administrative, legal, fiscal research, or historical. Records of historical value must be retained permanently. For records in the other three categories, the length of time that the record must be maintained and then disposed of varies. Additionally, the description of the types of records in the Retention Schedule is by general subject matter (such as “EEO/Affirmative Action” or “Fiscal/Business Operations”), and not by the descriptor “administrative,” “legal” or “fiscal research.” A single record may have content that places it under more than one category with differing retention requirements. In those cases, the employee or Governing Board member should keep it for the longest duration specified in the Retention Schedule.

The Retention Schedule requires public employees and officers to maintain electronic records in their original form. A paper copy of the electronic record does not comply with the standards in the Retention Schedule. All public employees and governing board members, including those for MCCCD, have an obligation to retain electronic records even when they are leaving public employment or as a member of a public governing board.

Information is available on MCCCD’s Public Records website to assist employees and Governing Board members in making retention determinations. See Records Retention and Disposition-schedules. If an employee or Governing Board member has questions about the time period for which a record should be retained, he or she may contact the Manager for assistance.

The policy of Maricopa is to use its best efforts to comply with the Retention Schedule in a consistent and systematic manner. Compliance requires cooperation and diligence, particularly when it comes to retention of electronic records. The daily volume of electronic records produced, the speed in which they are created and sent, and the storage limitations on MCCCD servers make adhering to the Retention Schedule complicated.

For electronic records, this administrative regulation recommends a general retention/disposal standard for employees and Governing Board members of one year from the creation or receipt of the record. During that time, the employee or Governing Board member is encouraged to review the Retention Schedule to determine if a shorter or longer period of time is required. If the employee or Governing Board member believes that retention beyond a year is required, he or she may forward the electronic record to the following website: [URL to be inserted].

Finally, MCCCD employees and Governing Board members are reminded not to retain records beyond the period of time that the Retention Schedule requires.

District Office and College Records Officers

To implement the standards specified in this administrative regulation, each College President shall appoint a Records Officer from among the College’s Vice Presidents to coordinate public records requests, subpoenas, warrants, judicial or administrative orders, litigation discovery documents, or records as part of a grievance, investigation or review (collectively, “requests”) with the Manager. The Records Officer shall notify the Manager of records requests made directly to the College and be responsible for preparing a response plan for records residing at the College. The plan should include determining the possible location of the records, College staff to assist with the search and retrieval of the records, the scope of the search, the need for search confidentiality and a projected completion date for the search. For records requests that are initiated through the Manager’s office or that seek records at more than one College, the Records Officer shall develop the plan with the Manager. The Manager shall serve as the Records Officer for the District Office.

The Manager will maintain a list of records requests. Either the Manager or the Records Officer shall, to the extent practicable, keep a copy of the entire set of records produced pursuant to a request.

MCCCD employees or Governing Board members who seek access to MCCCD public records for reasons other than MCCCD business shall be required to submit a public records request as though they are an outside party.

Timeliness of Request Response

Arizona’s Public Records Law states that “[t]he custodian of [public] records shall promptly furnish such copies. . .” See Arizona Revised Statutes §39-121.01-D-1. The Records Officer and, where applicable, the Manager shall be responsible for determining a reasonable date by which the search and copying of documents should be complete, based on criteria such as the size and scope of the request and the availability of staff to conduct those activities. However, it is the policy of MCCCD to proceed with due diligence to accommodate requests as quickly as circumstances permit and, in the case of public records requests, subpoenas, warrants and discovery documents, to comply with the time standards specified in the law, by law enforcement, by judicial order, or by rules of court. An MCCCD employee or Governing Board member who believes that a timeline established by the Records Officer and the Manager is unreasonable shall immediately advise them in writing of the reasons and recommend an alternative plan for review by the Records Officer and the Manager.

Record Holds

The Chancellor, Manager or General Counsel may direct that some or all MCCCD employees and Governing Board members place a hold on deleting records relating to particular subjects or issues. Once the Chancellor issues that directive, employees and Governing Board members are prohibited from deleting or altering the records that are subject to the hold until the Chancellor, Manager or General Counsel advises that the hold is lifted. Situations in which holds are likely to occur include but are not limited to litigation involving MCCCD and law enforcement investigations.

Access to Electronic Records

Investigative Access. There are circumstances under which the General Counsel, the Manager or a College President needs to have access to an employee’s e-mail communications or other electronic records without advising the employee. Those situations generally occur when: MCCCD is served with a subpoena, a warrant, or judicial order that requires confidentiality; confidentiality is directed by a law enforcement agency; or the employee is subject of an MCCCD grievance, investigation or review that the Manager determines, after initial review, requires access.

If a College President believes that he or she needs access to an employee’s e-mail communications or other electronic records, the President shall discuss the matter with the Manager. Only the Manager may request, and only the General Counsel or an Assistant General Counsel acting in the General Counsel’s absence may authorize, access to an employee’s e-mail and electronic records for investigative purposes. Authorization shall be in writing and define the scope of the access required to conduct the review. As specified in the section of this administrative regulation entitled “Standard for Search Capabilities Regarding Electronic Records,” each College’s e-mail system shall authorize the Manager and the Vice Chancellor of Information Technology or his or her designee/supervisee to have direct access to conduct a search without the need to rely on the information technology staff of the College. The standards for search capabilities shall apply regardless of the centralized ability of the Manager and the Vice Chancellor to conduct a search as described in the section under this administrative regulation entitled “Centralized Authority.”

If the requirement for confidentiality is removed, the Manager may but is not obligated to advise the employee that his or her e-mails or other electronic records were accessed. An employee who believes that his or her e-mail or electronic records were illegally accessed shall notify the General Counsel in writing of the reasons. The General Counsel’s determination regarding the legality of access shall be conclusive.

Operational Access. There may be operational circumstances that require access to an MCCCD employee’s electronic records in the absence of the employee, such as when the employee is on vacation or ill. Like paper documents on an employee’s desk or files, electronic records belong to MCCCD and need to be available for business purposes. In those instances, the College President or the Chancellor shall complete the form available at Appendix AS-13 and submit it for approval to the Vice Chancellor for Information Technology or his or her designee for approval. The College President shall provide a copy of the approved form to the employee whose electronic records were accessed.

Access to Former Employees’ Records. All records should be maintained according to value and the respective retention schedule. An employee who resigns or retires from his or her position at MCCCD shall contact his/her direct supervisor about preserving his or her electronic records before his or her departure. Those records shall be transferred to a storage device and provided to the supervisor.

Standard for Search Capabilities Regarding Electronic Records

All electronic records systems serving Maricopa shall be capable of doing the following, which are minimum standards for access:

• Automated archival process for messages and documents sent and received with the capability of implementing different archiving standards by type of record as specified in the retention and disposition schedules approved by the Arizona State Library, Archives and Public Records
• Destruction according to that same retention schedule (life cycle of item per schedule)
• Capability to search for words or terms within headers and message or document text,
• Assurance that messages and other records cannot be changed or deleted (message integrity)
• Access to the Manager and the District Office’s Information Technology Department to search, retrieve and delete under the circumstances specified in this administrative regulation
• Audit to determine who logs in, searches, retrieves, deletes
• Capacity, longevity, security, recovery
• Ability of MCCCD to maintain ownership of the records
• Ability to place holds on records subject to a request
• Pull records within a reasonable period of time after the initiation of the search command
• Restore records in their original format and to the individual level, with restoration occurring ____ minutes of the initiation of the restore command
• Preservation of past records and well as new ones when switching to a different communications system

The Chancellor or the Chancellor’s designee shall have the authority to approve an electronic records system that does not have one or several of the capabilities specified above when the unique needs of a Maricopa entity require use of that system, and safeguards are in place to assure that use of the system will permit the recording and retrieval of records as required by law.

Requests for Copies

A Maricopa employee may request that electronic communications created by him or her or written directly to him or her be restored from backup in the case of a hardware or system failure where the electronic record has passed through the District Office’s server. All such requests must be reviewed and authorized by the General Counsel.

After review and authorization by the General Counsel, requests for copies of electronic communications will be forwarded to ITS security services. ITS security services will comply with the request and coordinate retrieval of the information within seven business days.

Purpose

The Maricopa County Community College District (MCCCD) endeavors to be an innovative, flexible higher education institution that encourages risk assessment and management as an integral process for carrying out our mission to promote and enhance student learning and success. MCCCD also embraces a comprehensive approach to risk management that promotes broad strategic thinking and analysis, while fundamentally integrating our institution’s vision, mission, and values. To this end, risk management will provide our institution with the superior capabilities to identify, assess, and manage the full spectrum of risks and opportunities and to enable management, faculty and staff at all levels to better understand and manage risk.

Background

In March 2000, the Maricopa County Community College District Governing Board, with support from the Chancellor’s Executive Council (CEC), approved an initiative to embed ongoing risk assessment and management into MCCCD’s daily operations and culture. The CEC has reaffirmed its support and commitment in July 2003, August 2004, and September 2005 and will reaffirm its support annually thereafter. This initiative is called the Maricopa Integrated Risk Assessment (MIRA) project and it extends beyond traditional risk management to embrace a wider view of risk management called Enterprise Risk Management (ERM). While traditional risk management focuses on insurable and hazard risks, enterprise risk management is a process and management tool to address all sources of risk that would threaten strategic objectives.

Approach to Risk Management

MIRA shall be collaboratively integrated into existing management processes and daily operations. To ensure that we achieve our strategy, MIRA provides our employees with the tools and capabilities to overcome barriers that arise in striving to exceed expectations. By realizing that risk management is everyone’s job, our management, faculty, and staff shall proactively identify risk while delivering high quality education to our students in a more efficient and cost effective manner. MIRA allows our employees to view issues from various angles to identify not only the risk mitigation activities, but also to seek out and act on potential opportunities—therefore challenging conventional wisdom to create better solutions.

Employee Responsibilities

It is the responsibility of every employee to identify, assess, and manage risks and opportunities individually, throughout our organization, and to collaboratively strive for continuous quality improvement and the efficient and effective use of our resources. All management, faculty and staff are expected to demonstrate appropriate standards of behavior in the development of strategy and pursuit of expected outcomes. All Board-Approved employees shall be required to participate in training that focuses on risk identification, assessment, and management, and this training shall be rigorous, practical, and application-based. Board-Approved employees includes those who have or could attain permanent status, one year only, one semester only, Skill Center and specially funded employees. Newly hired Board-Approved employees shall be required to participate in training during their probationary period or within one year of their hire date and every three years thereafter. This training shall be incorporated into other mandatory training and/or shall be stand-alone training. Existing Board-Approved employees shall be required to participate in training within two years after the adoption of this administrative regulation and every three years thereafter. The District shall consider ways of training temporary employees once initial training of Board-Approved employees is complete.

General Expected Outcomes

Expected outcomes include:

• Increased overall effectiveness and accountability
• Sound business processes; greater assurance of business continuity
• Clear demonstrated compliance with applicable laws and regulations
• Enhanced employee empowerment and pride
• Reinforcement of the strong MCCCD cultural identity
• Enhanced competitive advantage

The MIRA project shall establish a philosophy of fostering continued evaluation of effectiveness and efficiency of organizational leadership, systems, and strategies. Ultimately, accountability for resources—human, financial, intellectual, physical, and technical—will be impacted at every level of MCCCD.

Annual Review for Effectiveness

Each year the MIRA project committee shall measure progress and monitor results. This information will be presented in an annual report to the Governing Board and the CEC. This report will be submitted by August 31 of each fiscal year.

1. Voluntary payroll deductions may be made for reputable charitable organizations and programs approved by MCCCD including, but not limited to, employee association dues, gifts to The Maricopa Community Colleges Foundation, US Savings Bonds, tax-shelter annuities, Sun Sounds, KJZZ, and KBAQ, and others. Prior to deductions being made for a particular organization or program, the Vice Chancellor for Human Resources, on behalf of MCCCD, shall first approve written requests for deductions in accordance with this regulation and Governing Board Policy. No consideration for approval will be given if the charitable organization exists under the umbrella of a larger fund-raising group. (See Appendix AS-4—Voluntary Payroll Deduction Procedures)
2. Any organization or program for which voluntary payroll deductions may be approved shall meet the following requirements:
   
   1. Principals on behalf of the organization or program shall submit a written request per published procedures to the Vice Chancellor for Human Resources for approval to receive voluntary payroll deductions.
   2. No fewer than one hundred (100) MCCCD full-time Governing Board approved employees shall have expressed interest in directing payroll deductions to the organization or program.
   3. Principals on behalf of the organization or program seeking approval shall have secured the expression of interest of 100 MCCCD full-time Governing Board approved employees as required in this regulation.
   4. Principals on behalf of the organization or program seeking approval shall provide the Vice Chancellor for Human Resources sufficient information about the program in order for a determination to be made in accordance with this regulation.
   5. After review by committee and upon approval by the Vice Chancellor for Human Resources, the principals shall submit a request to the Payroll Department to establish a new deduction code at least 6 months before deductions are anticipated to begin. Deductions will be implemented commencing on January 1 and July 1. The request for a new deduction code should be submitted along with a sample form that will be used by participants when making requests for the deduction to begin. The form shall include at least the following information: employee name, location, employee ID, dollar amount to be deducted per payroll, requested date for deduction to start, language authorizing MCCCD to make the deduction, and the employee’s signature and date the form was signed.
3. In determining whether to approve voluntary payroll deductions for a particular organization or program, the Vice Chancellor for Human Resources and committee shall consider the following factors:
   
   1. the similarity between the important characteristics of the program and those of a program previously approved for receipt of voluntary payroll deductions;
   2. the proportion of contributions received by the program that are devoted to administrative costs and expenses, in relation to amounts received by the ultimate beneficiary;
   3. the degree to which amounts received from voluntary payroll deductions directly benefit residents of Maricopa County;
   4. the degree to which the program advances the interests of MCCCD employees;
   5. program consistency with MCCCD Vision, Mission and Values.
4. The Vice Chancellor for Human Resources and committee shall consider requests for approval of programs to receive voluntary payroll deductions.
5. Any voluntary payroll deduction issues that are not specifically addressed in this regulation require review by the Vice Chancellor for Human Resources and/or the appropriate designee.
6. As of the date of adoption of this Administrative Regulation, “active” voluntary payroll deduction programs shall be exempted; however, prior programs considered to be “inactive” shall meet the established thresholds and standards outlined in this Regulation to be eligible for reinstatement.

1. General 
   
   The existing Governing Board Policy on Hiring of Relatives prohibits employees from being involved in any employment or key decision that involves a relative. This would include work performance, job assignments, or pay related matters. In that such relationships can create a conflict with the interests of the Maricopa Community Colleges, and the increased potential for nepotism and favoritism, the same principles also apply in the case of consensual amorous, romantic and/or sexual relationships that occur between employees or between employees and students.

    

   In the work and academic environment, such a relationship that might be appropriate in other circumstances is inappropriate if one of the individuals in the relationship has a professional responsibility toward, or is in a position of authority with respect to, the other, such as in the context of supervision, instruction, coaching, counseling or advisement. An element of power is present in such a context and it is incumbent upon those with authority not to abuse that power. In addition, consensual relationships may yield to third parties the appearance that unfair bias or favoritism towards the student or supervisee is taking place.

   1. Definitions
      
      1. Consensual relationships are defined as romantic, amorous and/or sexual relationships between consenting employees or between employees and adult (18 years or older) college students currently enrolled at one of the community colleges.
      2. An employee is any individual who is employed by the Maricopa County Community College District (MCCCD). An employee includes an individual who is subject to an established employee job group policy manual, whether regular, full-time board approved, at-will, part-time, and/or temporary. An employee also includes a contract worker (special services employment, request for personnel services) working or serving as an agent or designee on behalf of the MCCCD.
      3. A student is considered to be any person currently enrolled in a credit or non-credit class at one of the colleges or centers within the Maricopa County Community College District.
      4. A vendor is someone who sells or can sell products or services to the Maricopa County Community College District.
      5. A recent consensual relationship is considered to be one that has taken place within the past 24 months.
   2. Prohibited Conduct
      
      1. An employee shall not maintain, engage in or be involved in a consensual relationship with another employee who is subject to that individual’s supervision or with a student that is currently enrolled in the individual’s class, or a student whom the individual otherwise instructs, coaches, counsels or advises, or with a vendor if the employee manages that contract or otherwise exerts influence over the contract.
      2. The Governing Board recognizes that the personal life of its employees is not a concern of the institution, and therefore, this regulation does not seek to prohibit romantic relationships that exist between parties where the context of power-authority between employees or between employees and students is not present; and provided that the relationship does not affect the employee’s effectiveness in fulfilling his or her professional obligation. For these instances, appropriate measures should still be taken in order to avoid conflicts of interest from occurring. For relationships that may exist prior to the time that either a student or employee is placed in a situation of instruction or supervision that is considered to be a conflict of interest, the employee(s) involved shall disclose and take immediate measures to avoid the conflict or appearance of conflict.
2. Procedures for Disclosure 
   
   Employees should first avoid allowing an inappropriate consensual, amorous or sexual relationship to develop with a supervisee or student.
   1. Where the employee is already in or has had a recent consensual relationship with a supervisee, the following procedures shall be followed:
      
      1. Immediate disclosure by the employee of the relationship to their supervisor and to the appropriate Vice President or Vice Chancellor in order to ensure that any conflicts of interest have been adequately addressed.
      2. The respective administrator responsible for the department or division shall place the subordinate under alternate supervision when a supervisor under his/her direction has or has had a recent consensual relationship with the employee.
      3. The supervisor shall recuse himself or herself from any discussions or involvement with decisions related to evaluations, promotion, hiring, determination of salary, or continuation of contract or employment.
      4. The respective Vice President or Vice Chancellor shall prepare and retain a report that specifies the appropriate alternate arrangements that have been made to eliminate the conflict of interest. The EEO/AA Office shall be provided a copy of the report along with the employees involved in the relationship.
   2. Where the employee is already in or has had a recent consensual relationship with a student prior to enrollment in his or her class, the following procedures shall be followed:
      
      1. The faculty member shall counsel and advise the student not to enroll in his or her course.
      2. The Consensual Relationships Policy will be made available to students via the student handbook and other appropriate communications vehicles.
      3. If it is not possible for a student to enroll in another course, section, or course and section at another college due to a requirement for completion of a degree or certificate and no other academic option is available, disclosure of the relationship will be made to the appropriate Department Chair, Dean and Vice President of Academic Affairs or Vice President for Student Affairs as appropriate for review. The Vice President will refer the matter to the Vice Chancellor for Academic and Student Affairs for consideration. The Chancellor or his/her designee may allow a student to enroll in the class only upon a showing by the student that the enrollment is necessary to avoid an extreme hardship, and upon a showing by the college President or designee that the academic integrity of the student’s enrollment in the class will nevertheless be maintained.
3. Persons who are married, or were married, are included within the definition of persons that have or who have had a consensual amorous relationship. Disclosure in this instance may be made via the Maricopa Disclosure process [The Annual Acknowledgement and Disclosures form may be found in the Employee Learn Center. Employee credentials are needed to enter secure site].
4. An employee who fails to follow the requirements established in this policy and who does not withdraw from participation in activities or decisions that may reward or penalize a supervisee or student with whom the employee has or has had a recent consensual amorous relationship, will be considered in violation of policy and will be addressed in accordance with established processes in job group policy manuals.

1. Background 
   
   The Maricopa County Community College District owns and controls its name and the names of its colleges as well as names that have become associated with them such as the “Maricopa Community Colleges,” and all logos, insignia, mascot designs and other marks that the District or its colleges uses (collectively called “Marks”). The District has registered many of these with the United States Patent and Trademark Office.

    

   The purpose of this licensing regulation is to protect the integrity of the District’s Marks and to enhance the positive image of the District and its colleges through approval of the use of the Mark by licensees who adhere to District standards.

   This regulation provides guidance on permissible use, as well as restrictions on the use, of the Marks. It also designates responsibility for granting permission through written license agreements. An outside party’s use of the Marks without a license as required under this regulation is prohibited and may constitute trademark infringement, trademark dilution and unfair competition in violation of federal and state laws.

2. Who Should Use This Regulation 
   
   This regulation applies to outside entities such as educational service providers or collaborators, suppliers or manufacturers of commercial and non-commercial products or services wishing to be associated with the Marks. It also applies to any person, regardless of whether or not they are an employee, student, or alumni of the District, who wishes to use the Marks for something other than a District-sponsored activity. Finally, it applies to Faculty, staff, students, academic departments, ad hoc campus groups, administrative divisions/departments, alumni organizations and student organizations.
3. Approval of and Monitoring the Use of the Marks
   
   The District Director, Purchasing & Auxiliary Services in conjunction with the Legal Services Department on legal issues and the District Director of Marketing on design and marketing issues, is responsible for approving the use of the Marks under this regulation.
4. General Guidelines for Use of the Marks
   
   The Marks are intended to be a positive image of the District. They may not be altered in any way from the graphic specifications approved by the District’s Marketing Department, relating to the use of the Maricopa Community Colleges Marks, or, for the Colleges, by each College’s Marketing Director. Additionally, the Marks may not be used in the name of a business, in a logo or design, in promoting services or products, or on a product in a way that states or implies an endorsement by the District.

   The Marks may not be used in any way that discriminates or implies discrimination against any persons or groups based on age, ancestry, belief, color, creed disability, national origin, race, religion, sex, sexual orientation or veteran status, or in any other way that would be a violation of the District’s anti-discrimination policies.

   The use of the Marks in conjunction with the following types of products, services or designs will not normally be approved:

   • Products that could be used to injure or kill
   • Alcohol and alcohol-related products Tobacco and tobacco-related products
   • Sexually suggestive products or designs
   • Legally controlled substances
   • Religious affiliated products, services or designs
   • Political products, services or design
   • Products or services that present an unacceptable risk of liability
   • Products or services that are inimical to the mission or image of the District or that aren’t, in the sole discretion of the District, in good taste.
5. Commercial Use 
   
   Use of a Mark in connection with any commercial or for-profit purpose, including on the web, requires a license agreement with the District and the payment of royalties. Royalties will be directed to the accounts of the College or other District entity whose Marks are being used. The Legal Services Department may approve contract provisions in which a third party requests that it be permitted to use a Mark to identify that the District or its Colleges are customers, but only if the provision states that the District Director, Purchasing & Auxiliary Services must approve the use in advance and that the use cannot suggest in any way that the District or its Colleges endorses the third party’s products or services.
6. Non-Commercial or Non-Profit Use
   
   Faculty, staff, students academic departments, ad hoc campus groups, administrative divisions/departments, alumni organizations and student organizations may use the Marks for District-sponsored or co-sponsored activities and events so long as the use adheres to the graphic standards set forth in Paragraph 4. Any other non-commercial or non-profit use of the Marks requires permission. Additionally, payment of a royalty may be required, depending on the non-profit use for which the license for the Marks has been requested.

Introduction

The goal of Maricopa County Community College District (MCCCD) use of social media is to foster an online community for various MCCCD constituents, reflecting the vision, mission and values of our organization. Although these sites are outside the direct control of the institution, MCCCD maintains an interest in how it is portrayed by them. Social media should be used to enhance communications, providing value to the institution’s target audiences.

This regulation does not apply to an individual’s private use of social media on private resources. Instead, this administrative regulation establishes standards for employees, students, and Governing Board members who create, administer or post to social media pages on behalf of MCCCD and the use of public resources. They should be seen as supplementing, and not in lieu of, existing Governing Board policies & regulations, official public stewardship responsibilities, technology resource standards, marketing & communications guidelines, and other applicable laws and administrative standards. It is important to remember and respect the privacy of others when using social media in the context of the educational setting. When posting photographs, videos, quotes or recorded statements of individuals on MCCCD social media pages, forms that authorize the Maricopa Community Colleges (including its colleges and related entities) may be required for their use; for instance, when interviewing or photographing an individual for a story that will be posted on-line. Forms are available at the following link: chancellor.maricopa.edu/marketing-communications

As with any other publicly funded resource that is used in an academic environment, the use of social media as a communications tool by agents who are acting and serving on behalf of the MCCCD is also subject to applicable laws and administrative regulations. Likewise, in accordance with Arizona Revised Statute 15-1408, a person acting on behalf of a community college district or a person who aids another person acting on behalf of a community college district shall not use community college district personnel, equipment, materials, buildings or other resources for the purpose of influencing the outcomes of elections. Except for what statutorily allowed for bond elections, using public resources to influence the outcomes of elections is strictly prohibited. This prohibition includes the use of technology resources.

Except as previously noted, this language does not prohibit community college districts from permitting student political organizations of political parties, to conduct lawful meetings in community college buildings or on community college grounds. Each student political organization that is allowed to conduct lawful meetings on community college property shall have equal access as any other student political organization that is allowed to conduct lawful meetings on community college property.

Nothing contained in this regulation shall be construed as denying the civil and political liberties of any person as guaranteed by the United States and Arizona Constitutions, nor does it seek to impede upon the tenants of academic freedom that are extended to faculty.

Definition

Social media can be defined as media based on the use of web and mobile technologies that allow for user-generated exchanges of information. Social media are powerful communication tools, enabling collaboration and communication as an interactive dialogue, enhancing the value of conversations across a global audience.

Social media includes but is not limited to social networking sites, collaborative projects such as wikis, blogs and micro-blogs, content communities, virtual game worlds, and virtual communities.

Institutional Social Media

Institutional Social Media includes various sites, projects, virtual communities, that are created specifically on behalf of the MCCCD, its locations and agents, and that exist to serve as official MCCCD communications. Creation and use of social media sites on behalf of MCCCD and its member institutions is for business use, such as for educational, research, service, operational, marketing and management purposes. Likewise, data, voice, images, videos and links posted or transmitted via MCCCD’s technology resources are limited to the same purposes.

Authorization to create and administer social media sites on behalf of MCCCD must be coordinated through the corresponding district or college marketing department. Marketing departments are the official keepers of the MCCCD brands, and must ensure that all MCCCD social media sites are branded correctly, visually and with the right voice. It is appropriate to post to MCCCD authorized social media sites if posts are directly related to MCCCD business.

Social media sites have varying levels of privacy settings and terms of agreement. Agents posting on behalf of MCCCD and its member institutions must be aware of the social media site’s privacy policy, terms of use and community guidelines. Be aware that no social media privacy option completely protects information being shared beyond desired boundaries. FERPA and HIPAA privacy laws apply to posting or transmitting of confidential information to social media sites.

Under Arizona’s public records law, MCCCD is required to transact business so that its records are accessible and retrievable. If a public records request is made, MCCCD has the responsibility to disclose the information, except in a few specific instances. All information stored or transmitted via social media must follow records management, retention and maintenance practices. A MCCCD district or college email address ending in .edu must be used for communications to and from social media sites.

Records are retained for the period of time required by law, and disposed of according to mandates established by Arizona State Library, the state agency tasked with setting standards for record retention, in accordance with archives and public records law.

Employee Guidance for Participating in Social Networking

Employees should remember that students and the community might judge them and MCCCD by their posts. Employees should be honest and transparent about their identity and role at MCCCD. Maintain accuracy by verifying facts before posting information via social media. Exercise restraint and show respect for the opinions of others. Do not use MCCCD-related social media to promote services, products or organizations that are unrelated to MCCCD or its business. MCCCD public officials, employees and Governing Board members should use good judgment in connecting with others via social media sites.

Employees will keep their personal social media sites separate from MCCCD social media. In personal posts, employees may identify themselves as an MCCCD faculty or staff member. MCCCD telephone numbers, email addresses, and images are not to be posted by employees on personal social media sites. Employees need to be clear that they are sharing their views as a member of the higher education community, not as a formal representative of MCCCD or its member institutions.

Student Guidance for Participating in Social Networking

Students are not restricted from using social media. However, they must understand that any content made public via MCCCD social media sites is expected to follow acceptable social behaviors and comply with Arizona revised statutes, federal laws, student handbooks, the student code of conduct regulation and other MCCCD policies and administrative regulations.

While the existing administrative regulation for Technology Resource Standards allows for a measure of incidental computer and technology usage for personal purposes, students must also abide by Arizona constitutional and statutory mandates regarding the use of public resources for personal use. The acceptable use of public technology resources is further defined in Administrative Regulation 4.4, “Technology Resource Standards” and personal usage is subject to the limitations outlined in this regulation.

A student who feels that he/she has been treated unfairly or unjustly by a faculty member (full-time or part-time) with regard to communications conducted via MCCCD social media sites must follow the formal Instructional Grievance Process.

Inappropriate Content

The malicious use of MCCCD social media, including derogatory language about any member of the MCCCD community; threats to any third party; incriminating photos or statements depicting hazing, sexual harassment, vandalism, stalking, underage drinking, illegal drug use, or any other inappropriate behavior, will be subject to disciplinary action.

Employees should be advised against perpetuating negative media from official MCCCD social media sites or damaging the MCCCD brands in any way. This type of negative social media engagement from official MCCCD sites can result in a loss of privileges to use social media in any official capacity.

The following list includes, but is not limited to, inappropriate content posting to social media sites:

1. Conducting MCCCD business using social media sites that are not authorized as an official means of communication per marketing standards and processes.
2. Posting confidential or propriety information about Maricopa students, alumni and employees that is in violation of MCCCD policies, HIPAA or FERPA.
3. Violating any provision of MCCCD’s Technology Resource Standards.
4. Violating any provision of the Student Conduct Code.
5. Posting comments to MCCCD authorized social media sites that are not directly related to MCCCD business or accomplishing work-related goals.
6. Posting any text, images or links to content that violate MCCCD’s Copyright Policy.
7. Violating MCCCD’s Harassment policy.
8. SPAM comments. All platforms that enable comments should be reviewed regularly for SPAM, removing SPAM comments as quickly as possible.
9. Violating the terms of use, conditions or community guidelines as defined by each social media platform.

MCCCD Identity

Use of any MCCCD and its member institutions’ logos, marks or likeness on personal social media sites is forbidden. Social media sites established for conducting MCCCD business must adhere to established graphic identity standards. Identity standards are posted at: chancellor.maricopa.edu/marketing-communications

Disclaimer

Every social media site must make an effort to display or link to the following disclaimer (or some version of it) in a conspicuous manner:

All information published online by MCCCD is subject to change without notice. MCCCD is not responsible for errors or damages of any kind resulting from access to its Internet resources or use of the information contained therein. Every effort has been made to ensure the accuracy of information presented as factual; however errors may exist. Users are directed to countercheck facts when considering their use in other applications. MCCCD is not responsible for the content or functionality of any technology resource not owned by the institution.

The statements, comments, or opinions expressed by users through use of Maricopa's technology resources are those of their respective authors, who are solely responsible for them, and do not necessarily represent the views of the Maricopa County Community College District.

Enforcement

Complaints or allegations of a violation of these standards will be processed through MCCCD’s articulated grievance procedures, Student Conduct Code or resolution of controversy.

Upon determination of a violation of these standards, MCCCD may unilaterally delete any violating content, and terminate the user's access. It is the user's responsibility to demonstrate and/or establish the relevance of content in the event that a content complaint is made official. Users retain the right to appeal actions through MCCCD’s grievance process or resolution of controversy.

See AS-11 MCCCD Social Media Best Practice Guidelines for more information.

Enforcement Guidelines

The Maricopa County Community College District has made the commitment toward a healthier environment for employees, students and guests. On July 1, 2012, all district colleges and district-owned facilities will become tobacco-free. Although the district has undertaken an expansive educational campaign, including a broad cessation component, we recognize that violations of the regulation will occur.

The MCCCD Department of Public Safety has been tasked with enforcing the new regulation. Public Safety recognizes its responsibility to enforce this regulation and similar policies with restraint and diplomacy. In enforcing the Smoke Free/Tobacco Free regulation, employees of Public Safety will consider first and foremost the educational component of compliance. The enforcement guidelines below are meant to assist Public Safety employees in their interactions with smokers that will result in a positive experience for violators.

Despite extensive efforts to make our populations aware of the new regulation, Public Safety realizes that some people will be unaware of the change. Initial contact with violators of the Smoke Free/Tobacco Free regulation will be used as an opportunity to educate smokers of the regulation’s existence and solicit voluntary compliance. The Public Safety employee making initial contact with the violator will offer information about the regulation and provide cessation resource information if the violator is interested in receiving it. In order to properly track violators and enforce the regulation, the following guidelines will be followed by Public Safety.

All violators will receive an initial warning about the prohibition of tobacco use on district property. For students, subsequent violations by the same offender will result in a referral of the student to the Dean of Student Affairs or designee. This referral will be made via a Public Safety Incident Report outlining the circumstance of the violation, including the date, time and location of the initial warning. All Smoke Free/Tobacco Free violations should be treated in the same manner as any other Student Code of Conduct violation. For employees, subsequent violations by the same offender will result in a referral of the employee to the Vice President of Administrative Services or designee. This referral will be made via a Public Safety Incident Report outlining the circumstance of the violation, including the date, time and location of the initial warning. All Smoke Free/Tobacco Free violations should be treated in the same manner as any other Human Resource policy or regulation violation. For visitors, subsequent violations by the same offender will result in the violator being escorted from district property and a no-trespass order issued for a period of 30 days. This ban will be documented via a Public Safety Incident Report outlining the circumstance of the violation, including the date, time and location of the initial warning. Visitors subjected to the no-trespass order may apply for reinstatement of their privilege to visit district property through the office of the Commander of Public Safety at that facility. Repeated violations by visitors will result is a no-trespass order being issued for extended time periods.

See also 4.12 Smoke-Free/Tobacco-Free Environment

Overview

Description: In advancement of the Chief Information Officer’s operational responsibilities and in accordance with federal, state, local and international laws relevant to information privacy and security, this administrative regulation establishes Maricopa County Community College District (“MCCCD”)’s commitment to protecting the integrity and privacy of Confidential Information[1] and promoting meaningful online experiences[2] through implementation of business practices and technological measures for:

• Protecting Confidential Information
• Collecting Confidential Information
• Obtaining Confidential Information
• Using Confidential Information
• Accessing Confidential Information
• Disclosing Confidential Information
• Opting Out
• Correcting Confidential Information 

Applicability: Information Security is everyone’s responsibility. All MCCCD Personnel and Persons of Interest (“POIs”), whether through use of online technology resources[3] or other formats, are covered by this administrative regulation. MCCCD students are expected to know and comply with all current published policies, rules and regulations as stated in the college catalog, class schedule, and/or student handbook.[4]

Protecting Confidential Information

MCCCD takes important steps to protect Confidential Information.  MCCCD treats Confidential Information as confidential and encourages its Personnel and POIs to take care in handling it.  MCCCD limits access to Confidential Information to those who need it to perform their jobs.  MCCCD’s external service providers must also protect Confidential Information, and use it only to meet MCCCD’s business needs.  MCCCD also takes steps to protect its computer systems from unauthorized access. 

MCCCD works diligently to comply with applicable information security, data privacy and related laws, rules and regulations.  Student records are protected by the Family Educational Rights and Privacy Act (FERPA), Arizona law and MCCCD administrative regulations.  Employee records are protected by MCCCD administrative regulations and by Arizona law. 

As further protection of Confidential Information and the privacy rights of individuals, MCCCD holds an Office for Human Research Protections (“OHRP”)-approved Federal-wide Assurance (“FWA”) and adheres to the U.S. Department of Health & Human Services (“HHS”) guidelines whenever MCCCD is engaged[5] in human subjects research (“HSR”).  The MCCCD Institutional Review Board (“IRB”)[6] must review and approve all proposed HSR before it has begun.   

Individually identifiable health information is protected from unauthorized release if there is a reasonable basis to believe the information can be used to identify the individual. MCCCD is required by the HIPAA Privacy Rule (the “Privacy Rule”) issued under HIPAA to maintain the privacy of protected health information.  MCCCD is committed to fully complying with the Children's Online Privacy Protection Act of 1998 to the extent that it is applicable.  The Federal Trade Commission provides more information about the Children's Online Privacy Protection Act.

Collecting Confidential Information

In connection with hiring and admissions practices, MCCCD collects identifiable information, such as an individual’s name, e-mail address, home or work address, and telephone number.  MCCCD also collects demographic information such as gender, age, zip code, and interests. 

Pursuant to the HIPAA Privacy Rule and, for example, in connection with administration of its group health plans, provision of public safety practices,  and operation of its medical and dental facilities, MCCCD adheres to standards of confidentiality regarding individually identifiable health information created or received by MCCCD that relates to the following:

1. Past, present, or future physical or mental health or condition;

2. Previously rendered health care services;

3. Planned health care services; and

4. Past, present or future payments for health care services.

MCCCD reserves the right to log and monitor all activity and all data on its systems and network(s).  This may involve capturing and retaining a complete keystroke and click log of an entire session.  In addition, MCCCD may search files on individual and networked technology resources[7] to investigate a potential privacy violation.

Information about computer hardware and software is collected by MCCCD.  Web analytical tools that do not create individual profiles are used by MCCCD to analyze traffic to MCCCD websites.  MCCCD uses these tools to routinely record the following information each time MCCCD’s websites are used:

1. Internet address of the computer being used;

2. Web pages requested;

3. Referring web page;

4. Browser used;

5. Date, time and duration of activity; and

6. Volume of data storage and transfers.

MCCCD uses this information about website usage to monitor and preserve MCCCD website functionality and integrity.  Analysis of this information also helps MCCCD improve access to web content based on browser types and operating system types, by enabling MCCCD to make web content available to as many online users as practical.  MCCCD does not link this collected information to the personal information that an individual may actively submit online when participating in or registering for programs and activities. 

Some MCCCD web pages use cookies to store information, and some web-based services require cookies for access.  Cookies are short pieces of information used by web browsers to remember an individual’s specific information on subsequent visits and to personalize the online experience.  For example, if an individual personalizes MCCCD pages, or registers with MCCCD sites or services, a cookie may help MCCCD to recall their personal information, such as name, home address, phone number and other details. Cookies can be disabled on most personal computers by modifying the browser setting to decline cookies.  If, however, cookies are declined, an individual may not be afforded a fully interactive online experience. 

MCCCD accepts credit card payments online for a variety of goods and services.  To prevent unauthorized access as the credit card information travels over the Internet, credit card information handled by MCCCD, such as the cardholder's name, address and credit card number, is encrypted before transfer to any financial institution for further processing.  Credit card transactions performed by students in self-service are encrypted when noted by the “lock” icon on the web page.   

Obtaining Confidential Information

In most cases, MCCCD obtains information about an individual from the individual.  MCCCD may also use outside sources to help ensure its records are correct and complete.  These sources may include background check companies, employers, other educational institutions, adult relatives, and others.  These sources may give MCCCD reports or share what they know with others.  MCCCD does not control the accuracy of information external sources provide to MCCCD.  If an individual wants to make any changes to information MCCCD receives from others about them, they must contact those sources.

Using Confidential Information

MCCCD collects information to help it decide whether an individual is eligible for enrollment into specific MCCCD courses, participation in specific MCCCD programs, and/or employment by MCCCD departments and offices.  MCCCD may also need personally identifiable information to help deter fraud, money laundering, or other crimes.  How MCCCD uses this information depends on what educational products and services an individual has or wants from MCCCD.  It also depends on what laws apply to those educational products and services.  For example, MCCCD may also utilize personally identifiable information and individually identifiable health information to:

• Verify financial aid eligibility and process related transactions
• Perform research on issues affecting community colleges and collaborate with other educational institutions and states to improve student success and institutional performance
• Confirm or correct an individual’s information
• Market new educational courses
• Help run and operate MCCCD
• Deliver requested educational services
• Establish eligibility for family medical leave, disability accommodation, and course and program placement
• Survey opinions of current services or potential new services
• Comply with applicable laws

Accessing Confidential Information

Students: Information about the rights of a student to access their education records in compliance with FERPA is available at https://district.maricopa.edu/regulations/admin-regs/section-2/2-5#3.

Service Providers: From time to time, individuals or companies under contract with MCCCD may have authorized access to Confidential Information in the course of the services they provide to MCCCD. 

Disclosing Confidential Information

MCCCD will not disclose Confidential Information without notice, unless it is required to do so by law or it believes, in good faith, that such action is necessary to: (a) conform to law or comply with legal process, (b) safeguard and defend the rights or property of MCCCD, or (c) act under exigent circumstances to protect the life and/or personal safety of others.  Confidential information protected by FERPA or by other laws or Board administrative regulations will not voluntarily be disclosed in response to a public records request. 

Student information: Pursuant to FERPA, MCCCD must, except under certain conditions, obtain written consent for or on behalf of a student prior to the disclosure of certain information from the student’s education records. MCCCD may, however, disclose “directory information” as listed in Administrative Regulation 2.5.3 Student Records.

Students who do not want directory information released may so indicate in writing either (a) during the admissions process or (b) by notifying the Office of Admissions and Records at every college at which they are enrolled. 

Certain information is loaded into MCCCD’s learning management systems, such as the Instructure/Canvas-based Course Management System and RioLearn Learning Management System. As a result, examples of information visible to other students enrolled in the class may include: students’ names, official MCCCD e-mail addresses and enrollment in the class.

Employee information:   Pursuant to the Arizona Public Records law, MCCCD Administrative Regulation 6.17 Requests for Public Information, and any other applicable rules and ordinances, the following are examples of information about present and former employees that may be disclosed without the employee’s prior written consent:

• Name
• Titles or positions (including academic degrees and honors received)
• Fact of past or present employment
• Dates of employment
• Salaries or rates of pay
• Name of employee's current or last known supervisor
• Disciplinary Records
• Self-Evaluations
• Performance Reviews

Records that contain information about Personnel are not subject to release if they are works-in-progress or part of the deliberative process. Access to records that contain information about Personnel or disclosure of such information may be provided in compelling circumstances affecting the immediate health or safety of the individual and others.

Other disclosures:  Under the Arizona Public Records Law, [8] MCCCD may be required to provide information contained in MCCCD records to a third party.  Commercial users may purchase public record information, such as non-confidential lists of students and employees.  MCCCD may share aggregated information with governmental and non-profit agencies, and third-party vendors but only for legitimate educational and workforce development purposes. 

Opting Out

As noted above, students who do not want directory information released may so indicate in writing either (a) during the admissions process or (b) by notifying the Office of Admissions and Records at every college at which they are enrolled. 

Correcting Confidential Information

As previously noted, if an individual wants to make any changes to information MCCCD receives from others about them, the individual must contact those sources.

Definition(s):   As used in this administrative regulation, the following terms have the respective meanings set forth below: 

 

ARS: Arizona Revised Statutes; the statutory laws that govern the state of Arizona as formally enacted in writing by the Arizona State Legislature, such as the Arizona law that requires businesses, including, but not limited to, colleges and universities, to provide consumer notification of data breaches involving personally identifiable information.  Pursuant to ARS § 44-7501, “personally identifiable information (PII) (a) Means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable: (1) The individual's social security number; (2) The individual's number on a driver license issued pursuant to ARS § 28-3166 or number on a nonoperating identification license issued pursuant to ARS § 28-3165; or (3) The individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the individual's financial account.”  PII does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media. 

FERPA: Family Educational Rights and Privacy Act; a federal law that protects the privacy of student education records. "Education records" are "those records, files documents, and other materials which 1) contain information directly related to a student; and 2) are maintained by an educational institution.” (20 U.S.C. § 1232g (a)(4)(A); 34 CFR § 99.3). FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education. 

GLBA aka Financial Services Modernization Act of 1999: Gramm–Leach–Bliley Act; an Act that requires “financial institutions,” including, but not limited to, colleges and universities, to protect the privacy of their customers, including information that customers provide to a financial institution that would not be available publicly (“personally identifiable financial information (PIFI)”).[9]  MCCCD, therefore, has a responsibility to secure the personal records of its students and employees.  To ensure this protection, GLBA mandates that all financial institutions establish appropriate administrative, technical and physical safeguards.  GLBA also requires financial institutions to provide notice to customers about their privacy policies and practices, but institutions of higher education are generally exempt from this requirement, because they already do so under FERPA.  Colleges and universities complying with FERPA are considered to be in compliance with GLBA.

 

HIPAA: Health Insurance Portability and Accountability Act of 1996; an Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

HIPAA Privacy Rule aka Privacy Rule: A statute that (1) establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically, (2) requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization, and (3) gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.  The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.  The Privacy Rule calls this information “protected health information (PHI).” (45 CFR § 160.103). Individually identifiable health information” is information, including demographic data, that relates to: 

• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or 
• the past, present, or future payment for the provision of health care to the individual, 

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Ibid.  Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, social security number). 

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. 

Payment Card Industry Data Security Standard (PCI DSS): Payment Card Industry Data Security Standard; a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, automated teller machine (ATM), and point-of-sale (POS/ePOS) cards.  “Payment card information” is any personally identifiable information associated with a cardholder, such as the cardholder’s account number, account expiration date, name, address, or social security number.  All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered payment card information. 

Personnel: All full-time, part-time and temporary employees and faculty who work for the MCCCD organization.  

POI: Person(s) of Interest; individuals such as the following who are not considered part of the MCCCD workforce but who are still of interest to the organization:

Person of interest category
Definition

Dual enrollment instructor

Individuals who teach college-level courses to high school students and are not compensated by MCCCD

Consultant

Individuals who are hired to do specialized work for MCCCD and are paid by outside sources

Agency temporary employee

Temporary agency employees who come to work for MCCCD and are paid by the temporary agency

Retired employee

Retired employees who continue a relationship with MCCCD are changed from Employee status to Person of Interest status

Call center or contract employee

Employees who provide support for some of our systems and are paid by the contracted company

Unpaid intern

An individual who is completing an internship at MCCCD for credit in their degree program

Volunteer
An individual who is working at MCCCD on a volunteer basis

Vendor (e.g., Follett bookstores, Chartwells dining services, Aramark facilities services)
Members of organizations that provide services to MCCCD employees and students

ESS Educational Services (e.g., hospitals providing adjuncts for nursing program and/or Fire Science/EMT department)

Members of organizations that have contractual relationships with MCCCD for specialized programs

 

Security Incident: The unauthorized access to and/or misappropriation of Confidential Information. 

Confidential Information: Information that is so deemed under applicable law.   Personally identifiable information, personally identifiable education records, individually identifiable health information, personally identifiable financial information and payment card information are examples of Confidential Information covered under the Arizona Revised Statutes (ARS), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm–Leach–Bliley Act (GLBA aka Financial Services Modernization Act of 1999) and Payment Card Industry Data Security Standard (PCI DSS), respectively.

Technology Resources: MCCCD Administrative Regulation 4.4 Technology Resource Standards provides the following examples of technology resources:  Websites, applications (such as, but not limited to, MCCCD’s Instructure/Canvas-based Course Management System and RioLearn Learning Management System), desktop and laptop systems, printers, central computing facilities, MCCCD-wide or college-wide networks, local-area networks, telephones, facsimile machines, scanners, access to the Internet, electronic mail and similar electronic devices and information. 

Reference(s):

 

MCCCD Administrative Regulations 2.1 General Regulation, 2.5.1 Disciplinary Standards, and 2.5.2 Student Conduct Code

MCCCD Administrative Regulation 2.5.3 Student Records

MCCCD Administrative Regulation 3.8 MCCCD Institutional Review Board (IRB)

MCCCD Administrative Regulation 4.4 Technology Resource Standards

MCCCD Administrative Regulation 6.11 Identity Theft Red Flag and Security Incident Reporting

MCCCD Administrative Regulation 6.17 Requests for Public Information

Records Retention and Disposition Schedules for Arizona Community Colleges and Districts are located in the Employee Portal  [Employee credentials are needed to enter secure site].  

Contact(s):                                                        

Pursuant to MCCCD Administrative Regulation 6.11 Identity Theft Red Flag and Security Incident Reporting, anyone who notices that a MCCCD technology resource(s) is currently being or may have been used in an inappropriate fashion should contact the Chief Privacy Officer via email at protect.privacy@maricopa.edu.   

Please email governance@domail.maricopa.edu with any questions and concerns about the MCCCD administrative regulations.  

Please email protect.privacy@maricopa.edu with any legal questions and/or to arrange for the evaluation of any vendors, subcontractors and/or third-party products in advance of any work or purchase. 

 

[1] Confidential Information is information that is so deemed under applicable law.  Personally identifiable information, personally identifiable education records, individually identifiable health information, personally identifiable financial information and payment card information are examples of Confidential Information covered under the Arizona Revised Statutes (ARS), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm–Leach–Bliley Act (GLBA aka Financial Services Modernization Act of 1999) and Payment Card Industry Data Security Standard (PCI DSS), respectively.

[2] This administrative regulation addresses the District’s commitment to ensure productive experiences within the family of MCCCD Web sites.  MCCCD is not responsible for the privacy statements or other content on Web sites outside of the MCCCD family of Web sites. 

MCCCD encourages individuals to review the privacy statements of Web sites they choose to link to from MCCCD to understand how those Web sites collect, use and share information.

[3] MCCCD Administrative Regulation 4.4 Technology Resource Standards provides the following examples of technology resources:  Websites, applications (such as, but not limited to, MCCCD’s Instructure/Canvas-based Course Management System and RioLearn Learning Management System), desktop and laptop systems, printers, central computing facilities, MCCCD-wide or college-wide networks, local-area networks, telephones, facsimile machines, scanners, access to the Internet, electronic mail and similar electronic devices and information. 

[4] See, for example, MCCCD Administrative Regulations 2.1 General Regulation, 2.5.1 Disciplinary Standards, and 2.5.2 Student Conduct Code. 

[5] http://www.hhs.gov/ohrp/policy/engage08.html

[6] See, MCCCD Administrative Regulation 3.8 MCCCD Institutional Review Board. 

[7] MCCCD Administrative Regulation 4.4 Technology Resource Standards provides the following examples of technology resources:  Websites, applications (such as, but not limited to, MCCCD’s Instructure/Canvas-based Course Management System and RioLearn Learning Management System), desktop and laptop systems, printers, central computing facilities, MCCCD-wide or college-wide networks, local-area networks, telephones, facsimile machines, scanners, access to the Internet, electronic mail and similar electronic devices and information. 

[8] Additional information about the Arizona Public Records Law may be found at https://chancellor.maricopa.edu/public-stewardship/records-information/… and in MCCCD Administrative Regulation 2.5.3 Student Records.

[9] Also, See, 17 CFR 160.3 [Title 17 Commodity and Securities Exchanges; Chapter I Commodity Futures Trading Commission; Part 160 Privacy of Consumer Financial Information], for a related definition of PIFI and whereby some GLBA requirements with respect to futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers. 

Overview

Description: In advancement of the Chief Information Officer’s operational responsibilities and in accordance with federal, state, local and international laws relevant to information privacy and security, this administrative regulation describes the role-based responsibilities and activities associated with implementation of the Maricopa County Community College District (“MCCCD”) program for protecting the confidentiality, integrity, security and availability of records, data applications, and/or systems containing Confidential Information[1]  (the “Written Information Security Program” or “WISP”).[2] 

Applicability: Information Security is everyone’s responsibility. All MCCCD Personnel and Persons of Interest (“POIs”) with access to MCCCD Confidential Information, whether through use of online technology resources[3] or otherwise, are covered by this administrative regulation.  All Personnel and POIs must complete training on the information security administrative regulations and information security awareness training annually, certify their attendance at each training session, and certify their familiarity with MCCCD’s requirements for protecting Confidential Information in compliance with the WISP. MCCCD students are expected to know and comply with all current published policies, rules and regulations as stated in the college catalog, class schedule, and/or student handbook.[4]

Failure to Comply: Failure to comply with this administrative regulation may result in disciplinary actions up to and including dismissal from employment and termination of service at MCCCD. Legal actions, including, but not limited to the application of civil and criminal penalties, may also be taken for violations of applicable regulations and/or laws.

MCCCD recognizes that laws and regulations involving security of Confidential Information are continuously evolving.  In this context, to the extent that applicable data privacy laws or regulations conflict with the procedures outlined in the Information Security Incident Response Plan, the applicable laws or regulations govern and override the Information Security Incident Response Plan.  Notify the Chief Privacy Officer immediately of applicable law or regulations that appear to conflict with the Information Security Incident Response Plan.

Information Security is everyone’s responsibility. Listed below are some of the crucial roles and responsibilities associated with implementation of the WISP: 

General WISP Responsibilities

Role
 

All
Report Security Incidents by exclusively contacting the Chief Privacy Officer  protect.privacy@maricopa.edu, without communicating with anyone else beforehand.

Chief Information Officer
Issue Governance Directives as needed to regulate use of IT resources and protection of

Confidential Information.

Chief Information Security Officer
1.) Implement the WISP.

 

2.) Regularly test the WISP’s safeguards.

3.) Facilitate compliance with regulatory requirements in coordination with MCCCD IT and Legal personnel.[4]

4.) Evaluate the ability of relevant MCCCD Personnel and POIs to implement and maintain appropriate security measures for the Confidential Information to which MCCCD has permitted access, and require such individuals to implement and maintain appropriate security measures.

5.) Review the WISP, in collaboration with the Information Security Incident Response Team (“IRT”), at least annually and whenever there is a material change in MCCCD’s business practices that may implicate the confidentiality, integrity, security and/or availability of MCCCD Confidential Information.[5]

Chief Privacy Officer
1.) Obtain details about the situation from the individual(s) who report actual or suspected Security Incidents.

 

2.) Coordinate with the IRT to take any additional actions that may be appropriate.

Incident Response Team
As noted in Administrative Regulation 4.24 Information Security Incident Response Plan.

Office of Information Technology Services
1.) Configure network devices to prevent possible electronic breaches.

 

2.) Configure intrusion detection and file integrity monitoring systems to continually track activity and identify possible electronic intrusions.

 

Role
Training, Awareness and Compliance  Responsibilities[6]

Chief Information Security Officer
1.) In conjunction with the Chief Privacy Officer, conduct annual Information Security Awareness training that includes all MCCCD Personnel and POIs and those employed by others to perform MCCCD work who regularly use and/or have access to Confidential Information; and

 

2.) In conjunction with the Chief Privacy Officer, conduct annual Information Security Awareness training that includes MCCCD personnel and those employed by others to perform MCCCD work who do not regularly use and/or have access to Confidential Information.

Chief Privacy Officer
1.) In conjunction with the Chief Information Security Officer, conduct annual Information Security Awareness training that includes all MCCCD Personnel and POIs and those employed by others to perform MCCCD work who regularly use and/or have access to Confidential Information;

 

2.) In conjunction with the Chief Information Security Officer, conduct annual Information Security Awareness training that includes MCCCD personnel and those employed by others to perform MCCCD work who do not regularly use and/or have access to Confidential Information; and

3.) Maintain accurate records pertaining to all in-person training activities.

Human Resources Division
In collaboration with the Office of Information Technology Services and the Chief Privacy Officer, provide training to all Personnel and POIs via an online training course on the information security administrative regulations and information security awareness every year, and additional training as warranted.

Office of General Counsel (Legal)
In coordination with Human Resources Division and Office of Information Technology Services, generate reports to meet litigation and regulatory requests.

Office of Information Technology Services
In collaboration with the Human Resources Division and Chief Privacy Officer, provide training to all Personnel and POIs via an online training course on the information security administrative regulations and information security awareness every year, and additional training as warranted.

Personnel and POIs
1.) Complete training on the information security administrative regulations and information security awareness annually, certify attendance at each training session, and certify familiarity with MCCCD’s requirements for protecting Information in compliance with the WISP.[7]

 

2.) Maintain the confidentiality, integrity, security and availability of MCCCD Confidential Information in compliance with the WISP.[8]

3.) Comply with MCCCD Administrative Regulation 4.4 Technology Resource Standards, including, but not limited to, the acceptable computer use provisions described therein.[9]

 

Role
Internal Risk Mitigation  Responsibilities10

Chief Information Security Officer

Review and reevaluate, in collaboration with the Chief Privacy Officer, information security measures annually or whenever there is a material change in MCCCD’s business practices that may reasonably implicate the security or integrity of records containing Confidential Information.

Chief Privacy Officer
Review and reevaluate, in collaboration with the Chief Information Security Officer, information security measures annually or whenever there is a material change in MCCCD’s business practices that may reasonably implicate the security or integrity of records containing Confidential Information.

Human Resources Division

1) Obtain acknowledgement, via the completion of the required online training course, that all Personnel and POIs have received a copy of the WISP and will abide by its provisions.

 

2) Require that Human Resource departments or responsible parties at all MCCCD sites work with the Office of Information Technology Services and Chief Privacy Officer to establish exit processes that require Personnel and POIs who cease employment/contract service with MCCCD (“Separated Individuals”) to return all records, data applications and/or systems, in any form, including, but not limited to, information stored on laptops or other Portable Devices or media, and in files, records, and work papers, and (2) surrender all keys, identification cards, and all other means of using and/or accessing MCCCD’s premises and/or information.

Management through enforcement of Administrative Regulations
1) Require that Personnel and POIs immediately report any suspicious or unauthorized use of Confidential Information to the Chief Privacy Officer who coordinates with the IRT to appropriately respond.

 

2) Require that Personnel and POIs who violate the WISP may be disciplined according to the severity of the violation, regardless of whether Confidential Information was accessed or used without authorization.

Office of General Counsel (Legal)
1) Require that all employment and consulting agreements contain provisions that (1) require all Personnel and POIs to receive training and acknowledge, sign and comply with the provisions of the WISP, and

 

2) prohibit any nonconforming use of Confidential Information during or after employment.

3) Authorize in writing any and all exceptions to internal risk mitigation responsibilities.

Office of Information Technology Services
At the direction of the appropriate manager and Chief Privacy Officer, revoke Separated Individuals’ physical, electronic, and remote electronic use of and/or access to Confidential Information.

Personnel and POIs
1) Cooperate with efforts underway to limit the amount of Confidential Information collected or stored to that amount reasonably necessary to accomplish MCCCD’s legitimate business purposes or as required by law.

 

2) Limit use of and/or access to records, data applications, and/or systems containing Confidential Information to those persons who have a legitimate business purpose for such use and/or access.

3) Permit use of and/or access to MCCCD’s Confidential Information by only authorized individual(s) for legitimate business reasons.

4) Do not store Confidential Information on personally owned Portable Devices.

5) Periodically change passwords and conform to MCCCD’s password standards.

6) Do not manipulate or disregard security measures that have been put in place to protect Confidential Information, including, but not limited to, access controls, cameras and secure storage for card and device inventory, as well as tracking and monitoring of individuals' use of and/or access to Confidential Information.

7) Secure Confidential Information in a manner that is consistent with the WISP’s rules for protecting information security of any files and other records containing Confidential Information.

8) Securely dispose of physical and electronic records containing Confidential Information at the earliest opportunity consistent with business needs and records retention requirements11 in the following manner:

a) Physical documents containing Confidential Information are redacted, burned, pulverized, cross-cut shredded, or otherwise securely erased so that Confidential Information cannot practicably be read or reconstructed; and

b) Electronic media and other non-physical media containing Confidential Information are destroyed or otherwise securely erased so that such information cannot practicably be read or reconstructed.

9)  Upon ceasing employment/contractual service with MCCCD, (1) return all records, data applications and/or systems, in any form, including, but not limited to, information stored on laptops or other Portable Devices or media, and in files, records, and work papers, and (2) surrender all keys, identification cards, and all other means of using and/or accessing MCCCD’s premises and/or information.

 

10 Any exception must be authorized in writing by General Counsel.

 

11 See, Records Retention and Disposition Schedules for Arizona Community Colleges and Districts located in the Employee Portal [ [Employee credentials are needed to enter secure site].

 

Role
External Risk Mitigation  Responsibilities[12]

Human Resources Division
1.) Obtain acknowledgement, via the completion of the required online training course, that all Personnel and POIs have received a copy of the WISP and will abide by its provisions.

 

2.) Require that Human Resource departments or responsible parties at all MCCCD sites work with the Office of Information Technology Services and the Chief Privacy Officer to establish exit processes which require Personnel and POIs who cease employment with MCCCD (“Separated Individuals”) (1) return all records, data applications and/or systems, in any form, including, but not limited to, information stored on laptops or other Portable Devices or media, and in files, records, and work papers, and (2) surrender all keys, identification cards, and all other means of using and/or accessing MCCCD’s premises and/or information.

Management through enforcement of Administrative Regulations

1.) Require that Personnel and POIs immediately report any suspicious or unauthorized use of Confidential Information to the Privacy Officer who coordinates with the Information Security Incident Response Team to appropriately respond.

2.) Require that Personnel and POIs who violate the WISP may be disciplined according to the severity of the violation, regardless of whether Confidential Information was accessed or used without authorization.

Office of General Counsel (Legal)
1.) Require that all employment and consulting agreements contain provisions that (1) require all POIs to acknowledge, sign and comply with the provisions of the WISP, and (2) prohibit any nonconforming use of Confidential Information during or after employment.

 

2.) Authorize in writing any and all exceptions to external risk mitigation responsibilities.

3.) Provide legal advice to the Chief Information Officer, Chief Information Security Officer, Chief Privacy Officer, Human Resources Division and Management as needed in connection with any and all aspects of WISP compliance.

Office of Information Technology Services
At the direction of the appropriate manager, revoke Separated Individuals’ physical, electronic, and remote electronic use of and/or access to Confidential Information.

Personnel and  POIs
1.) Prohibit removal of Confidential Information from the MCCCD business premises (whether owned, leased, rented or otherwise utilized by MCCCD) in electronic or written form absent (i) an approved, legitimate business need and (ii) use of reasonable security measures, as described in this WISP.

 

2.) Encrypt or deliver by an alternative, more secure method all records and files containing Confidential Information that are transmitted wirelessly or across public networks.

 

3.) Protect all passwords.  Keep passwords in a location and format that are secure. 

 

4.) Contact the Chief Privacy Office or protect.privacy@maricopa.edu to ensure evaluation of all vendors, subcontractors and third-party products in advance of any work or purchase.

 

5.)  Require that all vendors, subcontractors and third-party products be evaluated in advance of any work or purchase. 

 

6.) Upon ceasing employment with MCCCD, (1) return all records, data applications and/or systems, in any form, including, but not limited to, information stored on laptops or other Portable Devices or media, and in files, records, and work papers, and        (2) surrender all keys, identification cards, and all other means of using and/or accessing MCCCD’s premises and/or information.

Definitions: As used in this administrative regulation, the following terms have the respective meanings set forth below: 

ARS: Arizona Revised Statutes; the statutory laws that govern the state of Arizona as formally enacted in writing by the Arizona State Legislature, such as the Arizona law that requires businesses, including, but not limited to, colleges and universities, to provide consumer notification of data breaches involving personally identifiable information.  Pursuant to ARS § 44-7501, “personally identifiable information (PII) (a) Means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable: (1) The individual's social security number; (2) The individual's number on a driver license issued pursuant to ARS § 28-3166 or number on a nonoperating identification license issued pursuant to ARS § 28-3165; or (3) The individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the individual's financial account.”  PII does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

FERPA: Family Educational Rights and Privacy Act; a federal law that protects the privacy of student education records. "Education records" are "those records, files documents, and other materials which 1) contain information directly related to a student; and 2) are maintained by an educational institution.” (20 U.S.C. § 1232g(a)(4)(A); 34 CFR § 99.3). FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education. 

GLBA aka Financial Services Modernization Act of 1999: Gramm–Leach–Bliley Act; an Act that requires “financial institutions,” including, but not limited to, colleges and universities, to protect the privacy of their customers, including information that customers provide to a financial institution that would not be available publicly (“personally identifiable financial information (PIFI)”).13  MCCCD, therefore, has a responsibility to secure the personal records of its students and employees.  To ensure this protection, GLBA mandates that all financial institutions establish appropriate administrative, technical and physical safeguards.  GLBA also requires financial institutions to provide notice to customers about their privacy policies and practices, but institutions of higher education are generally exempt from this requirement, because they already do so under FERPA.  Colleges and universities complying with FERPA are considered to be in compliance with GLBA.

HIPAA: Health Insurance Portability and Accountability Act of 1996; an Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

HIPAA Privacy Rule aka Privacy Rule: A statute that (1) establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically, (2) requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization, and (3) gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.  The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.  The Privacy Rule calls this information “protected health information (PHI).” (45 CFR § 160.103). Individually identifiable health information” is information, including demographic data, that relates to:

• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Ibid.  Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, social security number). 

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. 

Information Security Incident Response Team (IRT): The internal ad hoc team of professionals that is convened to provide incident handling services to MCCCD during an ongoing information security event and to respond to an information security incident when the need arises. 

Payment Card Industry Data Security Standard (PCI DSS): Payment Card Industry Data Security Standard; a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, automated teller machine (ATM), and point-of-sale (POS/ePOS) cards.  “Payment card information” is any personally identifiable information associated with a cardholder, such as the cardholder’s account number, account expiration date, name, address, or social security number.  All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered payment card information. 

Personnel: All full-time, part-time and temporary employees and faculty who work for the MCCCD organization.  

 

POI: Person(s) of Interest; individuals such as the following who are not considered part of the MCCCD workforce but who are still of interest to the organization:

 

Person of interest category

Definition

Dual enrollment instructor

Individuals who teach college-level courses to high school students and are not compensated by MCCCD

Consultant

Individuals who are hired to do specialized work for MCCCD and are paid by outside sources

Agency temporary employee

Temporary agency employees who come to work for MCCCD and are paid by the temporary agency

Retired employee

Retired employees who continue a relationship with MCCCD are changed from Employee status to Person of Interest status

Call center or contract employee

Employees who provide support for some of our systems and are paid by the contracted company

Unpaid intern

An individual who is completing an internship at MCCCD for credit in their degree program

Volunteer

An individual who is working at MCCCD on a volunteer basis

Vendor (e.g., Follett bookstores, Chartwells dining services, Aramark facilities services)

Members of organizations that provide services to MCCCD employees and students

ESS Educational Services (e.g., hospitals providing adjuncts for nursing program and/or Fire Science/EMT department)

Members of organizations that have contractual relationships with MCCCD for specialized programs

 

Portable Devices: Examples of portable devices include, but are not limited to, CDs, DVDs, eReaders, external hard drives, Google Glasses, laptops, memory sticks, smart phones, tablets, thumb drives, and USB drives. 

Security Incident: The unauthorized access to and/or misappropriation of Confidential Information. 

Confidential Information: Information that is so deemed under applicable law.  Personally identifiable information, personally identifiable education records, individually identifiable health information, personally identifiable financial information and payment card information are examples of Confidential Information covered under the Arizona Revised Statutes (ARS), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm–Leach–Bliley Act (GLBA aka Financial Services Modernization Act of 1999) and Payment Card Industry Data Security Standard (PCI DSS), respectively.

Separated Individuals:  Personnel and POIs who cease employment with MCCCD.

Technology Resources: MCCCD Administrative Regulation 4.4 Technology Resource Standards provides the following examples of technology resources:  Websites, applications (such as, but not limited to, MCCCD’s Instructure/Canvas-based Course Management System and RioLearn Learning Management System), desktop and laptop systems, printers, central computing facilities, MCCCD-wide or college-wide networks, local-area networks, telephones, facsimile machines, scanners, access to the Internet, electronic mail and similar electronic devices and information. 

Reference(s):

MCCCD Administrative Regulations 2.1 General Regulation, 2.5.1 Disciplinary Standards, and 2.5.2 Student Conduct Code

MCCCD Administrative Regulation 4.4 Technology Resource Standards

MCCCD Administrative Regulation 4.24 Information Security Incident Response Plan

MCCCD Administrative Regulation 6.11 Identity Theft Red Flag and Security Incident Reporting

MCCCD Administrative Regulation 6.17 Requests for Public Information 

Records Retention and Disposition Schedules for Arizona Community Colleges and Districts are located at: Employee Portal [ [Employee credentials are needed to enter secure site].

Contact(s): 

Pursuant to MCCCD Administrative Regulation 6.11 Identity Theft Red Flag and Security Incident Reporting, anyone who notices that a MCCCD technology resource(s) is currently being or may have been used in an inappropriate fashion should contact the Chief Privacy Officer via email at protect.privacy@maricopa.edu.  

Pursuant to MCCCD Administrative Regulation 6.11 Identity Theft Red Flag and Security Incident Reporting: (1) anyone, including, but not limited to, any MCCCD Personnel and POIs, who notices and/or suspects that MCCCD Confidential Information may currently be or may have been exposed to someone without authorization should immediately contact the Chief Privacy Officer at protect.privacy@maricopa.edu,  and (2) the Chief Privacy Officer is designated as the exclusive recipient of reports of this nature.   The Chief Privacy Officer is responsible for obtaining details about the situation from the individual(s) and coordinating with the IRT to take any additional actions that the IRT deems necessary.  Responsibilities of the IRT are described in MCCCD Administrative Regulation 4.24 Information Security Incident Response Plan.   

MCCCD, in consultation with legal counsel, is responsible for completing the analysis necessary to determine whether a breach has indeed happened.  Deciding whether a breach of Confidential Information has happened is a complex technical and legal determination that involves detailed analysis.  Neither MCCCD Personnel, POIs, nor students should postpone notification of the Privacy Officer until a breach determination has been made.  Instead, MCCCD encourages anyone to report their hunch or suspicion, since MCCCD counts on everyone to share the responsibility for keeping information secure.

Please email governance@domail.maricopa.edu with any questions and concerns about the MCCCD administrative regulations.  

Please email protect.privacy@maricopa.edu with any legal questions and/or to arrange for the evaluation of any vendors, subcontractors and/or third-party products in advance of any work or purchase. 

Overview 

Description: To advance MCCCD’s operational responsibilities and to comply with federal, state, local and international laws relevant to information privacy and security, this administrative regulation outlines the responsibilities and procedures of Maricopa County Community College District’s (“MCCCD”) collective body, known as the Information Security and Privacy Incident Response Team (“IRT”).  The IRT is defined in Appendix AS-14 and is charged with responding to actual or suspected situations involving unauthorized access to and/or misappropriation of Confidential Information.[1][2]

Applicability: Information security and privacy is everyone’s responsibility. All MCCCD Personnel and Persons of Interest (“POIs”) are covered by this administrative regulation. MCCCD students are expected to know and comply with all current published policies, rules and regulations as stated in the college catalog, class schedule, and/or student handbook.[3]

Failure to Comply: Failure to comply with this administrative regulation may result in disciplinary actions up to and including dismissal from employment and termination of service at MCCCD.  Regulators may commence legal actions, including, but not limited to, the application of civil and criminal penalties for violations of applicable regulations and/or laws. MCCCD recognizes that laws and regulations involving security of Confidential Information are continuously evolving.  In this context, to the extent that applicable data privacy and security laws or regulations conflict with the procedures outlined in the Information Security and Privacy Incident Response Plan, the applicable laws or regulations govern and override the Information Security and Privacy Incident Response Plan.

Information Security Incident Response Team Responsibilities and Procedures

The Incident Response Team (“IRT”) is chaired by the Chief Information Security Officer, the Chief Privacy Officer, and the Director of Enterprise Risk Management (“Risk Manager”) (collectively, “Core IRT”), who are assigned primary responsibility for providing a thorough and orderly response to an actual or suspected Security Incident.  While Information security and privacy is everyone’s responsibility, the IRT’s specific mission is to provide an effective and skillful response to actual or suspected Security Incidents by taking appropriate steps to investigate, contain, and mitigate each incident while reporting findings to management in a timely, efficient manner.  The IRT aims to protect Confidential Information and minimize financial loss by ensuring evidence gathering, chain of custody tracking, and preservation of data, as appropriate.    

The IRT provides a coordinated response to actual or suspected Security Incidents.  The IRT includes, as needed, representatives from operating units within MCCCD along with their alternates.  Each represented operating unit has designated one IRT member.  The Core IRT is in charge of leading the incident response.  Where a Core IRT member is absent during a Security Incident, the Core IRT alternate has the same level of responsibility and expectations under this administrative regulation as does the member of the Core IRT for which he or she serves as an alternate. 

If, as a result of an actual or suspected Security Incident, the Chief Information Security Officer and the Chief Information Officer/Vice Chancellor for Information Technology determine that it is necessary to take immediate action involving MCCCD’s information technology systems, the Chief Information Security Officer and the Chief Information Officer will determine the appropriate action to take and take that action, consulting with legal counsel if needed, and informing the Chancellor promptly of the determination made and the need for the actions to be taken or already taken.  Any subsequent changes to the action taken require the approval of the Chief Information Security Officer and the Chief Information Officer. The Chief Privacy Officer shall be responsible for providing a notification of the incident to the Director of the Arizona Department of Homeland Security and to any other state or federal officials as may be required by applicable law.

Appendix AS-14 Standing Information Security and Privacy Incident Response Team Members is a supplement to Administrative Regulation 4.22 through 4.24, which are known as the Privacy Statement, The Written Information Security Program and Privacy Incident Response Plan, respectively. Appendix AS-14 contains the job titles that constitute the members of the IRT. 

The Core IRT will determine, based on the type of Security Incident involved, which members of the IRT will be called to provide assistance.  On a quarterly basis, the IRT will review and, if needed, recommend an update to the job titles listed in the Appendix to ensure that they include the appropriate personnel with District-wide oversight over Confidential Information, employment matters, student matters, and MCCCD’s security and privacy.  The Core IRT will report the results of its review to the Chancellor for review, revision and approval.  The Core IRT will also promptly update the Appendix when the names of the persons in those job titles changes.

With the agreement of the Core IRT, other MCCCD employees or critical contractors may be asked to assist with, for instance, the investigation of an actual or alleged Security Incident (“Auxiliary Personnel”).  The IRT will limit the scope of work performed by Auxiliary Personnel at the request of the IRT, along with the time period that the Auxiliary Personnel is involved, to that necessary to investigate facts or to implement mitigation/remediation procedures.  Additionally, the Core IRT along with other IRT members will use their best efforts to avoid methods of communication among themselves that may increase the potential for sensitive or confidential information being shared inappropriately outside of the IRT. 

The IRT includes representatives of several operating units within MCCCD.  The IRT provides a coordinated response to actual or suspected Security Incidents.  Each represented operating unit has designated one IRT member.  The Chief Information Security Officer and Chief Privacy Officer are in charge of the incident response, along with alternates who are designated by the Chief Information Security Officer and Chief Privacy Officer, respectively, to assume authority in all capacities including IRT responsibilities, if the Chief Information Security Officer and Chief Privacy Officer are absent or otherwise unavailable.  Listed below are the roles and responsibilities of each operational unit represented on the IRT:

 

General Responsibilities of the Core IRT (Chief Information Security Officer, Chief Privacy Officer and Director of Enterprise Risk Management)

• Take charge of the incident response.
• Inform the Chancellor, General Counsel, and the Chief Information Officer if an actual or suspected Security Incident has been reported and provide them with an overview of the situation.
• Lead the investigation and the remediation and mitigation efforts.
• Determine with the General Counsel whether the Core IRT and other members of the IRT and selected MCCCD contractors should operate as agents of the General Counsel.
• Triage each actual or suspected Security Incident.
  • Contact the individual who reported the actual or suspected Security Incident.
  • Determine the nature and scope of the actual or suspected Security Incident.
• Take steps to ensure that communications among IRT members and with the Chancellor and any other MCCCD executives are confidential and, where appropriate, subject to the attorney-client privilege.
• Determine and engage other members of the IRT in the investigation of and response to an actual or suspected Security Incident as needs dictate.
• For the Risk Manager:
• Determine whether or when it is appropriate to notify MCCCD’s network security and privacy coverage insurance carrier.
• Be solely responsible for communicating and coordinating with MCCCD’s network security and privacy coverage insurance carrier.
• Determine whether there are possible criminal aspects to the actual or suspected Security Incident and, if so, contact MCCCD Public Safety.
• Coordinate responsibilities among themselves and other IRT members.
• Develop a communication plan appropriate for the circumstances including formulating as needed public or internal messages about an actual or suspected Security Incident with the approval of the Chancellor.
• Make operational, security, and other related business decisions relating to the actual or suspected Security Incident after receiving input from members of the IRT, if appropriate.
• For the Chief Privacy Officer in conjunction with the General Counsel, provide legal advice in connection with any actual or suspected Security Incident. 

Incident Response Steps

The MCCCD IRT will generally follow the steps identified below in responding to incidents.  Notably, after the initial assessment commences, some components will proceed simultaneously.

Additionally, these steps in practice may change if MCCCD network security and privacy insurance carrier is involved in the matter.  For instance, MCCCD insurance carrier may direct that MCCCD hire outside legal counsel to assist with the legal issues surrounding the actual or suspected Security Incident in which case the Legal Services Department and the Risk Manager will jointly supervise the work of that counsel.

The steps may also change in instances where the Legal Services Department hires outside counsel without consulting with MCCCD’s insurance carrier because the matter is not covered by MCCCD’s insurance.  The steps below are intended to be guidelines, and not set standards, for how MCCCD’s response to an actual or suspected Security Incident is conducted.

1.         Report and Assess Situation

2.         Investigate and Conduct Fact Finding

3.         Strategize to Formulate Response

4.         Contain and Limit Exposure.

5.         Remediate and Resolve Vulnerabilities

6.         Document Investigation and Communicate

7.         Conduct an Annual Review and Simulation    

[1] A Security Incident is the unauthorized access to and/or misappropriation of Confidential Information, or threats to the security and privacy of MCCCD’s information technology systems, such as malware or ransomware.  Confidential Information is information that is so deemed under applicable law.  Personally identifiable information, personally identifiable education records, individually identifiable health information, personally identifiable financial information and payment card information are examples of Confidential Information covered under the Arizona Revised Statutes (ARS), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm–Leach–Bliley Act (GLBA aka Financial Services Modernization Act of 1999) and Payment Card Industry Data Security Standard (PCI DSS), respectively.

[2] This Administrative Regulation supersedes and expressly replaces Administrative Regulation 2.5.6 and Appendix S-11 such that Administrative Regulation 2.5.6 and Appendix S-11 are hereby repealed and no longer effective.

[3] See, for example, MCCCD Administrative Regulations 2.1 General Regulation, 2.5.1 Disciplinary Standards, and 2.5.2 Student Conduct Code.