2022-2023 Policy Library 
    
    Oct 03, 2022  
2022-2023 Policy Library

Data Use and Retention Policy Related to the College’s COVID-19 Health Protocols


Approved by: Covid Compliance Committee
History: Issued August 11, 2020. 

Amended: August 7, 2022
Applicability: This Policy applies to the following individuals and groups of people
Faculty, staff, and students of Claremont McKenna College
Consultants, contractors, and others when acting on behalf of the College, or otherwise required to comply with the College’s COVID-19 health protocols; and
Individuals who perform services for the College as volunteers
This policy does not extend to third parties that are merely providing services to the College.
Related Policies: COVID-19 Policies   
References: None
Responsible Official: Vice President of Business and Chief Operating Officer



I. Policy Statement

Even with the unprecedented challenge of COVID-19, CMC remains committed to its fundamental mission of preparing students for thoughtful and productive lives and to be responsible leaders in business, government, and other professions.  As part of our effort to make CMC a safe and thriving educational, residential, and working environment, we are implementing a number of COVID-19 prevention and mitigation measures that rely upon the appropriate collection, use, and maintenance of data.  CMC recognizes the sensitivities surrounding the use of our community members’ information, especially medical information, and CMC is committed to doing so in a manner that is compliant with applicable laws and consistent with appropriate data collection and use principles.

This Policy describes the general data collection, maintenance, use, and disposal practices that CMC will follow with respect to data collected as part of its COVID-19 prevention and mitigation efforts (COVID-19 Data).  There may be more specific policies and requirements for certain types of activities and data that are not articulated in this policy. 

II. Contacts

Report any questions about this policy to the Office of the General Counsel at (909)607-8966.

III. Applicable Laws and Regulations

In conducting COVID-19 prevention and mitigation measures, CMC will follow applicable data privacy laws, including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the California Confidentiality of Medical Information Act (CMIA), the Americans with Disabilities Act (ADA), regulations issued by the Occupational Safety and Health Administration, and the Family Educational Rights and Privacy Act (FERPA). 

CMC will also observe data minimization principals, including:

  • Limiting the collection and use of COVID-19 Data to only that what is needed to support the COVID-19 prevention and mitigation measures;
  • Limiting access to COVID-19 Data to only those individuals and partners that have a need to know in support of COVID-19 prevention and mitigation measures; and
  • Retaining COIVD-19 Data only for so long as it is needed to support the COVID-19 prevention and mitigation measures, or as otherwise required by law or policy.

IV. Data Collection and Use

CMC is using a number of data-related measures to prevent and mitigate the spread of COVID-19. Access to the COVID-19 Data will be restricted to authorized CMC staff and support personnel, including third party information technology personnel and others providing support to COIVD-19 prevention and mitigation efforts.  In addition, CMC may share COVID-19 Data with other individuals and organization, such as public health officials, as permitted or required by law.  In all circumstances, COVID-19 Data collected by CMC will only be shared with individuals who have a need to know the information.  A roster of all CMC personnel with access to the COVID-19-related data will be maintained by CMC.  COVID-19 Data will be protected with reasonable administrative and technical security measures.

Below are brief descriptions of some of the COVID-19 prevention and mitigation efforts that have significant data components.

a. Daily Symptom Questionnaire

Data collected as part of the Daily Symptom Questionnaire will only be used for COVID-19-related health measures, such as determining whether students, faculty, staff or vendors can come to the campus, determining potential exposure of other persons, and developing and adopting appropriate mitigation measures.  CMC will collect basic identity and contact information, symptom information, and information about possible exposure to others with COVID-19.  CMC will only share this information with CMC staff and third parties supporting CMC’s prevention and mitigation efforts, or as otherwise required or authorized by law.  CMC will delete questionnaire data in its possession one month after it is collected by CMC, unless further retention is needed to support COIVD-19 prevention and mitigation efforts, or a required to meet a legal obligation.

b. COVID-19 Testing

Upon discovery of symptoms, exposure to an infected person, or other appropriate circumstances, CMC students, faculty, and staff may be referred to a health care provider for COVID-19 testing.  In some instances, the third party medical provider may need to share protected health information with CMC.  CMC will only receive from the third party medical provider the minimum amount of information necessary to take appropriate prevention and mitigation measures.  Any protected health information will be treated with appropriate confidentiality.  Protected health information received by CMC will only be further disclosed as permitted by the relevant waiver or as required or permitted by law.  CMC will retain medical information for only so long as necessary to support COIVD-19 prevention and mitigation efforts, or as required to meet a legal obligation.

c. Contact Tracing

CMC will use the services of a manual contact tracer.  Through interviews of a person who has tested positive for COVID-19, manual contact tracers will document other community members who may have been exposed to COVID-19.  This information will be shared with authorized CMC staff and support personnel, including third party information technology personnel and others providing support to COVID-19 prevention and mitigation efforts.   CMC will delete proximity data and information from manual contact tracing in its possession one month after it is collected by CMC, or as required to meet a legal obligation.

V. Revisions

CMC will periodically review this Policy, at the very least every six months, to determine whether collection and retention of COVID-19 Data continues to be necessary.  Any revisions or changes will be reflected in an updated version of this Policy, which will be distributed as appropriate.