Policy

The College possesses significant collections of artwork. When not in storage, the College endeavors to display this artwork in the Berrie Center Kresge and Pascal Galleries, Rodman Gallery, and Potter Library Galleries. The intent of this policy is to provide for the disposal or deaccessioning of artwork by the College under certain circumstances.

Reason for Policy

To set forth a policy that governs the circumstances, conditions, and procedures in which artwork is deaccessioned from the College.

To Whom Does the Policy Apply

All College galleries and stewards of the art work therein including but not limited to Berrie Center Kresge and Pascal Galleries, Rodman Gallery, and Potter Library Galleries.

Related Documents

• Procedure 418: Deaccessioning of Artwork

Contacts

Art Gallery Director

I. Purpose

In forming and maintaining a permanent collection of the highest quality, Ramapo College of New Jersey considers it legitimate and sometimes desirable to refine the collection through the occasional sale or other disposition of previously-acquired objects. The fundamental purpose of removing objects from the permanent collection (also known as deaccessioning) is to strengthen the collection. It may also provide more adequate space and care for the College’s permanent collection. Deaccessioning should never be done to raise money for any stated purpose; rather, it should be done to remove those materials that, for various reasons, are no longer valuable to carrying out the mission of the Ramapo College of New Jersey Galleries.

II. Definitions

The following words and phrases, as used in these procedures, shall have the following meanings:

• “Accessioning” shall mean the formal process of accepting objects into the Galleries’ permanent collection.
• “Board of Trustees” shall mean the Ramapo College of New Jersey Board of Trustees.
• “College” shall mean Ramapo College of New Jersey.
• “Deaccessioning” shall mean the formal process of removing an accessioned object from the permanent collection of the Galleries.
• “Direct care” for purposes of this section means the direct costs associated with the storage or preservation of objects of art.
• “Disposition” shall mean the process of physically removing a deaccessioned object from the custody of the Galleries by transferring title and custody or, in the case of false or fraudulent works or works that are irreparably damaged, by destruction.
• “Director” shall mean the Director of the Ramapo College of New Jersey Art Galleries.
• “Foundation” shall mean the Ramapo College Foundation.
• “Galleries” shall mean collectively, the Ramapo College of New Jersey Art Galleries consisting of the Berrie Center Kresge and Pascal Galleries, Rodman Gallery, Potter Library Galleries, and any future such spaces designated by the Provost as galleries.
• “Object” shall mean an item of tangible personal property that has significant aesthetic, historical, cultural and market value, and provides significant opportunities for teaching.
• “Permanent collection” shall mean a collection of art objects that is owned and intended to be kept for the long term.

III. General Principles

A. In forming and maintaining a permanent collection of the highest quality, the College’s Galleries consider deaccession a legitimate and important action.

B. The fundamental purpose of deaccessioning is to strengthen the College Galleries’ permanent collection. Deaccessioning can refine and improve the overall quality of the permanent collection and allow the Galleries to shape the collection carefully to best serve its mission.

C. Deaccessioning of material from the permanent collection of the Galleries is a step that should not be taken lightly, but instead judiciously, with the same caution and prudence as is exercised in accessioning. No action pertaining to deaccessioning should be undertaken which would impair the integrity and goodstanding of the Galleries within its community, the community at large, and within the profession.

D. Realizing the potential issues in any deaccessioning, all concerned persons must attempt to foresee potential uses which the Galleries might have for the material in question. Due diligence with regard to legal ownership, permanent documentation and institutional process should be completed for all objects considered for deaccession.

E. Proceeds of deaccession will be used for future acquisitions and conservation or other direct care of works in the permanent collection. Money realized from the sale of objects will not be used for general College operational, non-museum expenses. The Bukstein Collection is an exception where funds may be used for scholarships. Acquisitions purchased with deaccession funds will usually be credited to the donor(s) of the deaccessioned material.

F. No member of the College’s Board of Trustees, Galleries, Campus Art Committee or staff or those whose association with the College might give them advantage in acquiring the work, shall be permitted to acquire directly or indirectly a work deaccessioned by the Galleries, or otherwise benefit from its sale, trade, or other disposition.

G. Deaccessioning must comply with all applicable local, state and federal laws and regulations in force at the time, as well as relevant international conventions accepted by the United States.

H. Deaccessioning should take the public trust into consideration.

IV. Criteria for Deaccession

Objects may be removed from the Galleries’ permanent collection for any of the following reasons:

A. The object is of poor quality, either intrinsically or relatively, in comparison with other objects of the same type in the permanent collection.

B. The object is redundant or is a duplicate that has no value as part of a series.

C. The Galleries’ possession of the object is found to be inconsistent with applicable law, i.e., the work may have been stolen, illegally exported in violation of applicable state and federal laws, or subject to repatriation or other legal claims.

D. The authenticity, attribution or genuineness of the object is determined to be false or fraudulent and the object lacks sufficient aesthetic merit, teaching merit,or art historical importance to warrant retention.

E. The object has been damaged and is unable to be restored to its value and usefulness to the permanent collection.

F. The physical condition of the object is so poor that restoration is impossible or will render the object essentially false.

G. The Galleries can no longer adequately care for the object because of continuing special requirements for stewardship such as storage, exhibition, or conservation.

H. The object was acquired as part of an accession but is not within the scope of the permanent collection.

I. The object is hazardous to people, the physical environment of the Galleries, and/or to other objects in the permanent collection.

J. The object is no longer consistent with the mission or collecting policies of the Galleries.

V. Guidelines

A. Legal and Consensual Considerations

1. Deaccessioning must be in alignment with applicable legal requirements and College policies.
2. Deaccessioning must comply with all applicable local, state and federal laws in force at the time.
3. Deaccessioning must observe any terms and obligations which pertained to the acquisition of the work by the Galleries, unless as part of the deaccessioning procedure it is determined to seek judicial exoneration or relief for a cy pres order from any consensual restriction.
4. Reasonable efforts will be made to ascertain that there is clear and legal title and that the work is free from donor restrictions. Galleries staff findings and recommendations do not represent a legal audit. In some cases it may be necessary to consult legal counsel, possibly including art law specialists, in order to ensure compliance with legal and consensual requirements.

B. Campus Art Committee

The Campus Art Committee functions as an Art Galleries advisory and discussion group which, among its duties, monitors the deaccessioning process.

C. Recognition to donors

In the case of removal for gifts or bequests, recognition to the donor may be transferred to resulting acquisitions where appropriate.

D. Forgeries and reproductions

Known forgeries or reproductions shall be marked as such and so described in documentation to the transferee.

E. Three-Year Disposition

To the extent there is no conflict with any gift agreement, applicable law or regulation, the Galleries will refrain from selling, exchanging, or otherwise disposing of any donated property for three years after acquisition. In the event that a gift having a value in excess of $5,000.00 is disposed of in less than three years, the Foundation will file a Donee Information Return form (I.R.S. #8282).

F. Records

The Director is responsible for assuring that complete and accurate records, including photographs, are compiled and maintained in connection with deaccession.

VI. Deaccessioning Process

A. Recommendation by the Director/Referral to the Director

1. The process of deaccessioning and disposal may be initiated by the Director or referred by a member of the College community to the Director, who then nominates objects for deaccession after basic research and documentation are completed.
2. The Director will, after appropriate review of the facts and circumstances, present the request to the Campus Art Committee, notify the Dean with supervisory responsibility of the Director, and notify the Executive Director of the Foundation.
3. The Director shall exercise care to assure that the recommendations are based on authoritative expertise.
4. In cases where there is not adequate staff expertise, the Director should seek and present in writing the opinion of at least one outside expert.
5. In instances where disposition for cash is proposed for the deaccessioning, the Director shall recommend an upset price; the Director may modify the recommendation at their discretion; in each instance having due regard for the appraisal obtained pursuant to the process described below. The final upset price shall be fixed by whichever entity has the authority to approve the disposition of the deaccessioned object.

B. Approvals

1. Upon recommendation by the Director and after evaluation of all the information, the Campus Art Committee votes on the recommendation.
2. Upon approval by the Campus Art Committee, that recommendation is forwarded to the College administration for final approval.

C. Notification

A reasonable effort may be made to advise the donor or their designees for the proposed deaccession, but is not required. Such action shall not be construed as a request for permission to deaccession. Donor concerns related to the original acquisition should be carefully considered.

D. Disposition of Objects

1. Disposition of objects may vary according to the existing market for: each type of object; essential purpose of the deaccession; or, reason for the deaccession.
2. The Director decides on the type of disposition and possible notification ofthe donor/heirs in consultation with the Foundation’s Executive Director.
3. If the value of the object is insignificant to the extent that auction is not practical, consideration will be given to selling the object in the public marketplace.
4. Appraisals, if required, shall be a matter of written record: a.) No value or under $5,000.00- no appraisal is required; b.) Above $5,000.00 – one outside appraisal is required; c.) Objects valued at $25,000.00 or more – two outside appraisals are required.

E. Method of Disposition.

The disposition of deaccessioned objects shall be in accordance with N.J.S.A.18A:64-78 (Sale of surplus personal property) and applicable College policies/procedures.

Policy Statement

Ramapo College is committed to maintaining a secure, cost-effective, and strategically aligned technology environment. All software, hardware, and supporting devices shall be acquired, used, reassigned, and disposed of in accordance with standardized institutional procedures to ensure compatibility, security, and proper fiscal management.

Reason for Policy

Establishes standardized procedures for the acquisition, use, reassignment, and disposal/elimination of software, hardware, and supporting devices at the College. It ensures that all technology resources are compatible, secure, cost-effective, and appropriately funded.

To Whom Does the Policy Apply

All faculty, staff, and administrative units requesting or using College-owned software, hardware, or supporting devices.

Contact:

• Information Technology Services (ITS)
• Instructional Design Center
• Office of Budget & Fiscal Planning
• Purchasing Department

Supplemental Resources

• Policy 604: Acceptable Use of Information and Technological Resources

I. Software Procurement and Management

All software acquisitions must be approved and managed by the Chief Information Officer (CIO) or their proxy using the centralized ITS Help Desk system. Unauthorized software purchases or unauthorized use by faculty or staff are strictly prohibited. Users will not be permitted to install unauthorized software on RCNJ devices.

A. Process

1. Submission

• Submit a Help Desk ticket using the appropriate request type. Requests must specify if the software is for academic or administrative use.

2. Approval

Submitting a request does not guarantee purchase or license. Software must be vetted by ITS for:

• Compatibility with College systems
• Security and integration considerations, including data handling
• Redundancy with existing licensed products
• Proof of budget availability by the requesting unit, which may be verified by the Budget Office

3. Funding

• Once approved, the requesting unit must request a funds transfer to ITS.
• The request must indicate whether the funding transfer is:
  • Permanent (multi-year use anticipated), or
  • One-time (limited to the current year)
• Funding must include all licensing and maintenance costs.

4. Special Funding Considerations

• The cost of academic software funded by course/student fees will remain in the unit’s budget in order to properly align revenue and expense.

5. Contracting

• Prior to engagement with vendors, units must consult with Purchasing for current contract guidelines, such as pursuing three-year vendor contracts instead of one-year or exploring current state contract vehicles (e.g. NASPO).
• ITS must be involved in vendor negotiations and contract review.
• Copies of fully executed contracts must be sent to the Controller for review against GASB96.

6. Integrations

• Units must disclose all system integrations related to the software.
• Units must include ITS in the discussions with vendor to ensure system integration with Banner (if integration with Banner is required).
• Responsibility for undisclosed systems lies with the requesting unit. If a new system is incompatible with Ramapo’s existing systems and therefore cannot be used as intended—for example, by integrating with other campus software—ITS will not provide support or develop custom solutions to enable compatibility.

7. Decommissioning

• Notify ITS upon retiring software.
• Potential return of unused funds from ITS to the requesting unit is subject to the Office of Budget & Fiscal Planning’s procedures.

B. Additional Considerations

1. Software Installation for Lab Computers

• All software installed on college devices must be properly licensed. Note that while some software may be offered at no cost to students for installation on personal devices, this does not necessarily mean that the same software is free for institutional use. Installation on college-owned computers, including lab environments, may require a separate license or carry associated costs. All proposed software installations must undergo a licensing review to determine eligibility, cost implications, and compliance with vendor agreements. Faculty and staff must submit software installation requests to the ITS Help Desk for evaluation prior to deployment. Approval will be based on the approval requirements (as outlined in this policy), licensing terms, institutional need, and budget considerations

2. Software Licensing and Installation

• All software purchased by the College is licensed to the institution and must be used in accordance with the terms of the applicable licensing agreements. Installation of college-licensed software on personal devices is prohibited unless explicitly permitted by the software’s licensing terms. Software licensed on a per-user basis (e.g., Microsoft Office, which allows installation on up to five devices per authorized user, depending on the subscription plan) may be installed on personal devices, provided such use complies with the licensing agreement. Software licensed per device or with other restrictions must not be installed on personal equipment unless prior written approval is obtained from ITS and only if the license explicitly allows such use. Users are responsible for ensuring compliance with all software license terms including the End User License Agreement (EULA).

3. Software Requests for Instructional Delivery and Academic Purposes

• In coordination with the requesting faculty member, ITS and the Instructional Design Center (IDC) are responsible for reviewing instructional technologies. Requests for new technologies must be submitted to ITS via the procedure above for review prior to purchase. The College will ensure that the necessary, College-supported technology and equipment is identified and in place, appropriate training for faculty members is available, and faculty members have access to adequate technical support personnel for approved instructional technologies as shown on the IDC website.

II. Hardware Procurement and Management

All hardware purchases must be approved by ITS and requested through the Help Desk. Hardware is defined as any device that can be assigned an IP address. Hardware is College property regardless of the funding source and must be tracked and managed accordingly.

A. Process

1. Submission

• Submit a Help Desk ticket using the appropriate request type and indicating whether the request is for academic or administrative purposes.

2. Approval & Funding

• Submitting a request does not guarantee purchase.
• ITS will replace computers approximately every five years.
• Computers will be replaced with the current college standard. However, if an upgraded device is requested and approved by the core vice president, and the difference in cost is transferred to ITS, upgraded equipment can be purchased.
• Devices not eligible for upgrade can be requested and approved, however, the full amount needs to be transferred to ITS and the computer being replaced also goes to ITS.
• For secondary computers or Grant funded computers, ITS will purchase a computer with the supplied specifications, if approved by the core VP and budget. The full cost of the computer is transferred from the unit to ITS.
• All purchases remain under college ownership (and therefore the State), regardless of whether the funding came from the college or a grant and are subject to ITS governance.

3. Eligibility & Assignment

• A computer qualifies for replacement if:
  • its operating system is deprecated (i.e., no longer supported with security updates) (mandatory),
  • it is more than five years old (optional unless the operating system is deprecated),
  • it has unrepairable hardware (determination made by ITS),
  • it is a desktop or part of a set of multiple computers (assigned to a single user) to be exchanged for a single laptop (determination made in collaboration with ITS).
• Employees are entitled to one primary device (Windows-based Lenovo laptops only) with a docking station, stand-alone monitor, keyboard, and mouse. (Note, a user may elect not to receive a docking station.) Any previously issued laptops and desktops will need to be returned to ITS
• Requests for desktops will need to come from the VP of Operational & Administrative Integration based on another Core VP’s recommendation to meet a particular need.
• Hardware is assigned to individuals, not departments.

4. Reassignment & Returns

• Reassignments must be coordinated through ITS. When a college employee leaves the college, they must surrender their assigned computer(s) to ITS regardless of how or why they were purchased.
• Hardware should not be passed internally without ITS approval, reconfiguration, and security updates.
• Upon employee separation, all devices must be returned to ITS. If any employee, upon departure, leaves any of their devices with their supervisor, POER, or another employee, those devices must be returned to ITS.

5. Platform Eligibility

• Mac OS devices are only approved under special circumstances (e.g., instructional requirements).
• If a request is made for a computer that is different from the standard issued model, ITS will evaluate the request for security standards and supportability and will fund up to the cost of our standard issue laptop. The unit or department will have to fund the remaining portion of the cost. Approval will also need to be provided by the unit’s core Vice President (VP).

6. Computer Labs

• Lab hardware requests follow the same Help Desk request process.

7. Replacement Guidelines

• Replacements due to damage/misuse will be fulfilled with used equipment.
• Renewals may not result in the same class of computer as the original.

B. Additional Considerations

1. Distribution of Faculty Hardware

• The College provides equipment such as laptops to full-time faculty to support portability and flexibility in their work and allow for successful instruction. Requests for additional equipment by faculty members, including adjuncts, will be evaluated on a case-by-case basis. All inquiries regarding hardware or college-supported software, including licensing, must be submitted to the ITS Help Desk. Software requests are subject to an approval process involving ITS and the Office of the Provost. Approval is not guaranteed and is based on institutional needs, resource availability, and compatibility with existing systems.

2. Disposition of College-Owned Hardware

• All computing equipment purchased by the College, including computers purchased by grants, remains the property of the institution and may not be sold, transferred, or otherwise disposed of to individuals, including current or former employees or students. Requests to purchase College-owned computers—whether at the time of device retirement (end of life) or upon separation from the College—will not be granted. All such equipment must be returned to ITS for appropriate decommissioning, repurposing, or disposal in accordance with NJ State regulations related to the disposition of state-owned property, institutional asset management policies, and data security policies.

III. Supporting Devices

Supporting devices such as network infrastructure (e.g., switches, routers, firewalls) must be procured and implemented by ITS.

A. Process

1. Submission

• Use the Help Desk system to submit requests for changes to networking.

2. Approval

• All devices must be vetted and approved by ITS for compatibility, necessity, and alignment with infrastructure standards.

3. Funding & Ownership

• Approved networking changes may be funded by supporting units’ budgets; however, all such devices are implemented and managed by ITS. All devices remain College property. These funding rules apply regardless of whether the funding comes from the College or a grant.
• Devices must be installed, configured, and tracked by ITS.

B. Additional Considerations

Grant-Funded Devices Policy

• All devices purchased using grant funds are considered the property of Ramapo College (unless otherwise noted by the grant) and are subject to all applicable institutional IT policies and security requirements. This includes, but is not limited to, the mandatory use of multi-factor authentication (e.g., Duo) and the installation and maintenance of college-approved antivirus software. Grant-funded devices must be managed and secured in the same manner as all other College-owned technology assets.

IV. Implementation, Integration, and Administrative Responsibility

A. Implementation and Integration Support

ITS will support the implementation and integration of any approved software, hardware, or supporting device. This includes coordinating vendor activities, configuring integrations with college systems, and ensuring initial deployment is secure and functional.

B. Functional and Security Administration

• Each software system must have an assigned functional administrator, typically a staff or faculty member within the requesting unit. This individual is responsible for:
  • Managing the system’s operational usage.
  • Serving as the liaison between the vendor and ITS.
  • Coordinating and delivering training to the campus community.
  • Handling day-to-day maintenance and updates (excluding ITS-managed code or integrations).
  • Notifying ITS of any security or important changes to the software.
  • Liaising with internal audit for audit purposes.
• ITS will assign a security administrator (typically a programmer or systems analyst) who will:
  • Manage system security, including user authentication and access permissions.
  • Collaborate with the functional administrator on technical, implementation, and integration requirements.

C. User Access and Security Management

• ITS will manage user permissions within the system based on the roles and needs identified by the functional administrator.
• The functional administrator is responsible for:
  • Notifying the security administrator of all user role changes, additions, or deletions.
  • Ensuring timely updates to access control to maintain system integrity.
  • Maintaining records of user access decisions and justifications.

D. Enforcement

Failure to comply with this policy may result in denial of support, removal of unauthorized technology, and/or disciplinary action in accordance with college policies.

*Following initial publication of this policy in December 2025, it was reviewed by the NJ Department of the Treasury, specifically Records Management Services (RMS). RMS advanced modest revisions in accordance with Title 47, NJ Public Records Laws, and a change of the Policy’s name from “Secure Handling & Disposal of Documents” to “Enterprise-wide Public Records Retention & Disposal.”

Policy Statement

In accordance with Title 47, New Jersey Public Records Law, Ramapo College recognizes that all of the records, regardless of their medium, which are created, maintained, received or distributed college-wide are deemed to be Public Records. Therefore ensuring the legal and secure scanning, storage, retention and disposal of hardcopy, digital, electronic and scanned Public Records—including but limited to those containing Personal Identifiable Information (PII).

Reason for Policy

Ramapo College recognizes its legal responsibility to ensure the secure scanning, storage, retention and disposal of all documents regardless of their medium, including those containing Personal Identifiable Information (PII).

This policy establishes the standards and procedures necessary to safeguard sensitive information, maintain compliance with applicable data protection regulations, and uphold internal records retention and information security requirements.

This policy does not supersede Policy 642 Records Retention or the State of New Jersey Public Records Law’s records retention and disposition requirements.

To Whom Does the Policy Apply

This policy applies to all College departments and all the records they scan, store, retain or manage —particularly those containing sensitive or confidential information—using enterprise systems, including but not limited to Banner and its Document Management module.

Contact

Information Technology Services

Supplemental Resources:

• Procedure 412: Enterprise-wide Public Records Retention and Disposal
• Policy 642: Records Retention
• Policy 410: Data Protection (PII)

I. Banner Document Management (BDM) Record Guidelines

These guidelines apply to records scanned into Banner Document Management (BDM), the College’s official document management system.

a. System of Record

• Once a document is successfully scanned into BDM, it becomes the institution’s official system of record for that document. This aligns with the purpose of BDM as an enterprise records management system designed for secure, compliant document storage.

b. Document Validation

• Prior to uploading, staff must ensure that the scanned document is authentic and complete.
• All required signatures are obtained and are legible.
• Documents must include all required fields and identifiers (e.g., student ID, employee name, date).
• If a document is incomplete or questionable, consult with the appropriate department before uploading.

c. Redaction and PII Handling

• Personally Identifiable Information (PII) that is not required for the business purpose or system function should be removed prior to scanning, uploading, or attaching, with the exception of retaining only the last four digits of a Social Security Number or R Number, if necessary.
• Departments must use care when handling documents that contain PII to prevent unauthorized disclosure.
• Scanners and users should follow all data security protocols when managing sensitive information.

d. Scanning and Uploading Standards

• Documents must be scanned via your unit’s designated BDM scanner only.
• Preferred file format is PDF; mobile device scans may use JPEG when appropriate and approved.
• Ensure scanned or uploaded images are complete, legible, clear, and properly aligned.
• Validate that the number of pages scanned matches the physical document.

e. Storage Restrictions

• Documents scanned, attached, or uploaded to BDM must not be stored separately on local drives or personal folders.

f. Retention and Disposal

• Because documents stored in BDM become the official public record, any hardcopy documents scanned, attached, or uploaded to BDM may be disposed after submission and receipt of authorization of a Request and Authorization for Records Disposal through the Artemis online Records Management System – the Department of the Treasury, Division of Revenue and Enterprise Services, Records Management Services. Documents uploaded to BDM and stored within the Banner system are centrally backed up and retained in accordance with the Records Retention time periods as per the State of New Jersey, Records Management Services’ record retention and disposition requirements.

g. Security and System Standards

• System access must be tied to individual user accounts; shared accounts are prohibited unless explicitly approved by the system owner with appropriate logging and accountability in place.
• When an employee departs from a department, the unit manager is responsible for terminating (or notifying ITS to terminate) their access to all scanning and document management systems or devices.

II. Scanning Guidelines for Non-BDM Related Documents

These guidelines apply to non-BDM related activities, such as saving files on shared network drives, cloud drives, saving files from email, etc.:

• If the original document is electronic, it can be saved onto the network drive, which is backed up once a day.
• If the original document is on paper, the paper copy must be retained in accordance with the Records Retention time periods as denoted in Records Management Services’ records retention schedules.
• Scanned copies cannot be modified and while not the official record, they are Public Records and subject to the time periods as denoted in Records Management Services’ records retention schedules.
• For security reasons, files should not be saved on desktop or local computer folders (folders that are not on the network drive). As an example, if a computer crashes, any locally stored data will be lost, as desktop storage is not backed up.

Security and System Standards

• Devices such as network-connected scanners, printers, fax machines, and copiers may store digital images of scanned documents. These devices should be configured to automatically delete stored data or must be manually cleared on a regular basis, or if the data should remain, the device must encrypt the data.
• Departments are encouraged to implement or request automatic memory wipe settings on multifunction devices (i.e. printers) where feasible, if not already done so by default.

III. All Documents: Legal and Regulatory Alignment

All files—regardless of where they are stored, presented, or accessed—must comply with all applicable federal, state, and institutional regulations governing the handling of sensitive and protected information. This includes, but is not limited to:

• FERPA (Family Educational Rights and Privacy Act)
• HIPAA (Health Insurance Portability and Accountability Act)
• GLBA (Gramm-Leach-Bliley Act)
• Title 47, New Jersey Public Records Law
• Public Records Requests and Litigation Holds

Departments are responsible for ensuring that all documents scanned, uploaded, or attached into College systems are managed in compliance with these legal requirements. For this reason, each office should develop the processes, procedures, and policies to support Banner Document Management. For guidance on how specific laws or regulations apply to a particular office’s records, or for assistance interpreting retention or access issues, please contact the Records Custodian or the Office of the General Counsel.

IV. All documents: Disposition

All records maintained by the College —whether in BDM, scanned, hardcopy, or other formats are deemed to be Public Records and must be retained and disposed in compliance with Title 47, New Jersey Public Records Law’s record retention and disposition requirements. See Policy 642: Records Retention.

Policy Statement
Ramapo College is committed to protecting the privacy and confidentiality of personal information, including sensitive Personally Identifiable Information (PII), in compliance with applicable laws and regulations such as the Family Educational Rights and Privacy Act (FERPA), New Jersey statute 56:8-161 and Identity Theft Prevention Act, and the Federal Bureau of Investigation (FBI) classifications of PII.

Reason for Policy
Sets forth policy to ensure proper stewardship and safeguarding of personally identifiable information in accordance with the law.

To Whom does the Policy Apply
All Ramapo employees

Supplemental Resources

• Procedure 410: Data Protection (PII)
• FERPA Policy (Ramapo College)
• Policy 642: Records Retention
• USDOE FERPA Regulations
• New Jersey Identity Theft Prevention Act
• Policy 411: Cybersecurity
• Policy 604: Responsible Use of Electronic Communication
• Statement on Use of Artificial Intelligence in the Workplace
• Cybersecurity Policy and Protocol Manual (PENDING)
• Acceptable Use of College Systems & Data Policy (PENDING)

PROCEDURE 410: DATA PROTECTION (PII)

I. Personal Information Definitions
a. High-Risk Personal Information
The following types of information are considered high-risk and must be protected with the highest level of security measures:

• Social Security number (SSN)
• Driver’s license number or State/Federal identification card number
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
• User name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account
• Biometric data (e.g., fingerprints, iris scans)
• Medical and health information, as outlined by HIPAA
• Passport numbers
• Criminal history records

Access to high-risk data is strictly limited to authorized positions on a need-to-know basis.

The college logs and annually reviews systems with access to high-risk data, implements encryption on servers that store sensitive information, and reviews user access controls within those systems and servers to protect this data from unauthorized access, disclosure, or misuse.

b. Moderate-Risk Personal Information
The following types of information are considered moderate-risk and are protected with security controls:

• Date of birth
• Place of birth
• Mother’s maiden name
• Home address
• Email address (when not combined with access information)
• Telephone number
• Employment information
• Educational information
• R Number (employee/student ID)*

Access to moderate-risk data is limited to authorized positions. Additionally, certain combinations of moderate-risk PII may elevate the overall classification to high-risk. Classification determinations regarding these combinations are the responsibility of ITS leadership.

* An R Number is a unique identifier assigned to each student and employee within the institution, and while it is sensitive, it does not directly reveal personal information. On its own, it is considered moderate risk. The risk level of an R number can increase when combined with other sensitive information.

c. Low-Risk Personal Information
The following types of information are considered low-risk data, but should still be handled with care:

• Religious beliefs
• Political affiliations
• Sexual orientation

While these types of information may be less sensitive, measures are taken to protect them from unauthorized access or disclosure.

II. PII Evaluation, Classification, and Authorization
Evaluation. Ramapo College regularly evaluates PII to determine its confidentiality impact level. Factors considered include:

• Identifiability: How easily the PII can be used to identify specific individuals.
• Quantity of PII: Number of individuals affected in case of a breach.
• Data field sensitivity: Sensitivity of individual PII elements.
• Context of use: How PII is collected, stored, used, processed, and disclosed.
• Legal obligations: Compliance requirements for protecting PII.
• Authorized Access: Positions with access to high- and moderate-risk PII
• Location: Sources and locations from which PII is accessed and stored.

Classification. When multiple pieces of moderate-risk PII are combined in a way that could lead to identification or cause significant harm if breached, the overall classification may be elevated to high-risk. Classification determinations regarding these combinations are the responsibility of ITS leadership.

Authorization. Positions authorized to access high- and moderate-risk PII are determined by unit heads in collaboration with system functional administrators. ITS implements security measures to safeguard against unauthorized access or disclosure. By default, student positions are not permitted access to moderate or high-risk PII on any campus system. Any exceptions must be formally requested through ITS and approved by the Vice President with oversight of People Operations and Employee Resources.

III. Data Handling and Breach Notification
All college records are considered property of Ramapo College and must be handled in accordance with state law, institutional requirements, and Ramapo College Records Retention Policy. In the event of a security breach involving personally identifiable information, the College will follow the applicable notification procedures outlined in the New Jersey Identity Theft Prevention Act.

IV. Compliance
Units within the College that handle or process high- and moderate-risk PII are responsible for ensuring the security, privacy, and proper management of that PII. At minimum, employees should always password protect documents containing personally Identifiable Information (PII) before sending them via email.

Ramapo College complies with the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records. The College’s FERPA policy is overseen by the Office of the Registrar in accordance with regulations set forth by the U.S. Department of Education.

The Responsible Unit shall annually review this policy to ensure compliance with FERPA, New Jersey Identity Theft Prevention Act, and other applicable laws and regulations.

Any breach disclosure will be discussed in conjunction with both Legal Counsel and the College’s cyber insurer.

Violations of this policy may result in disciplinary action, up to and including termination of employment or expulsion from the College.

Exceptions to this policy may apply to students and employees in the European Union (EU) and in the European Economic Area (EEA) under the General Data Protection Regulation (GDPR).

Policy Statement

Ramapo College of New Jersey (hereafter “RCNJ” ) is committed to the responsible, ethical, and transparent use of Artificial Intelligence (AI) technologies in the workplace. While AI tools may be used to enhance efficiency, decision-making, and innovation; their use must align with RCNJ’s core values of integrity, accountability, fairness, and respect for privacy.

RCNJ employees are required to use AI in ways that: comply with all applicable laws, regulations, and organizational policies; avoid harm, bias, or discrimination; protect confidential and personal information; support—not replace—human judgment in sensitive or high-impact decisions. Further, AI use must be documented, monitored, and periodically reviewed to ensure continued alignment with these standards.

This policy articulates and complies with the security control requirements stated in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and its supporting NIST Special Publication (SP) 800-171, and applicable laws, regulations, and best security practices.

Reason for Policy

To provide clear guidelines for employees regarding the responsible and ethical use of Artificial Intelligence (AI) technologies, including but not limited to generative AI (also known as GenAI) programs such as ChatGPT, within the College.

To Whom does the Policy Apply

This policy applies to all employees, contractors, and third-party vendors who utilize AI tools and technologies in the course of their work with Ramapo College of New Jersey. Additionally, the policy encompasses all systems and information owned, managed, or processed by RCNJ and its authorized employees for non-instructional, business, or support purposes. It also extends to any external or non-RCNJ systems that interconnect with or exchange data with RCNJ-managed systems.

Supplemental Resources

• Policy 410: Data Protection (PII)
• Policy 411: Cybersecurity
• AI Tools Available to RCNJ
• Artificial Intelligence in Teaching & Learning

I. Definitions

Employee. For the purposes of this Procedure, the term “employee” refers to all individuals who work for Ramapo College in exchange for financial or other compensation, and the term “employee” includes all part-time and full-time staff, faculty, adjuncts, managers, and student workers.

Artificial Intelligence. As defined by IBM, “Artificial intelligence (AI) is technology that enables computers and machines to simulate human learning, comprehension, problem solving, decision making, creativity, and autonomy.”

II. Scope

a. Controls. This policy and procedure are intended to address the requirements of National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), its supporting NIST Special Publication (SP) 800-171, and the security controls contained therein. Specifically, this policy addresses compliance with the following NIST CSF categories and subcategories relevant to the responsible use and governance of artificial intelligence systems:

Identify (ID):

• • ID.AM-1: Maintain an inventory of all AI tools and systems used within the institution, documenting ownership, purpose, and associated data.
  • ID.RA-1: Conduct risk assessments to evaluate the potential impact of AI systems on privacy, fairness, and security.
  • ID.BE-4: Ensure alignment of AI system usage with institutional objectives and regulatory requirements.

Protect (PR):

• • PR.AT-1: Conduct security and ethical awareness training for personnel managing AI systems.

Respond (RS):

• • RS.RP-1: Develop and implement incident response plans specifically for AI systems, including handling ethical or student conduct violations.

b. Why These Controls Are Relevant.  Identify (ID) helps educate on AI use cases and their potential risks, ensuring a clear understanding of system dependencies and compliance. Protect (PR) ensures the safeguarding of sensitive data and establishes security baselines for AI tools. Respond (RS) outlines how to mitigate and communicate risks associated with AI use, whether ethical or operational.

c. Educational or Instructional Use. This policy and procedure do NOT apply to, preempt, or supersede any academic policies that apply to faculty or students regarding the educational or instructional use of AI.

d. Exceptions to Policy. All exceptions to this policy must be approved by ITS Leadership and documented accordingly. Exceptions may be granted under the following circumstances:

• • Activities governed by academic or research policies;
  • Instances where compliance conflicts with principles of academic freedom; or
  • Emergency or temporary uses of AI systems.

See Section IV.o. for additional information regarding exceptions.

III. Rules

The following rules must be followed when using AI on College systems or networks:

a. IMPORTANT: Do not upload or input any confidential, proprietary, or sensitive College or student information into any GenAI tool! 

• • Examples include passwords and other credentials, Protected Health Information (PHI), data outlined as moderate or high risk in the RCNJ Policy/Procedure 410: Data Protection (PII), personnel material, information from documents marked Confidential, Sensitive, or Proprietary, or any other nonpublic College information that might be of use to malicious entities or harmful to the College if disclosed. Failure to comply with this policy may breach your or the College’s obligations to keep certain information confidential and secure, risks widespread disclosure, and may cause the College’s rights to that information to be challenged.

b. Verify that any response from a GenAI tool that you intend to rely on or use is accurate, appropriate, not biased, not a violation of any other individual or entity’s intellectual property or privacy, and consistent with RCNJ policies and applicable laws.

c. Do not use GenAI tools to make or help you make personnel decisions about applicants or employees, including recruitment, hiring, retention, promotions, transfers, performance monitoring, discipline, demotion, or terminations.

d. Do not upload or input any personal information (names, addresses, likenesses, etc.) about any person into any GenAI tool.

e. Do not represent work generated by a GenAI tool as being your own original work.

f. Do not integrate any GenAI tool with internal College software without first receiving specific written permission from your supervisor and the ITS Department.

g. If you are unsure if a tool is GenAI, seek the counsel of ITS prior to using it.

IV. Guidelines

The responsible use of AI can significantly enhance organizational capabilities and improve efficiency. By adhering to this policy and procedure, employees contribute to a positive and innovative workplace culture while ensuring that our use of AI aligns with the College’s core values and ethical standards. Guidelines for use include:

a. Appropriate Use of AI. GenAI tools can be valuable for enhancing productivity, streamlining processes, and supporting decision-making; however, they are not a substitute for human judgment and creativity. The output from these tools is often prone to inaccuracies, outdated information, or false responses, making careful human verification essential. Employees must critically evaluate AI-generated suggestions or plans using their knowledge of the College’s values, policies, procedures, and strategies, while also collaborating with colleagues to gain different perspectives and reduce the risk of errors. AI tools should be used to supplement, not replace, traditional methods of problem-solving and decision-making, with appropriate validation such as cross-referencing information, performing tests when feasible, or consulting experts. Additionally, employees must treat any information shared with AI tools as if it could go viral on the Internet and be attributed to them or the College, regardless of tool settings or assurances from its creators. By using AI responsibly and maintaining human oversight, we can optimize its benefits while minimizing risks.

b. Data Privacy and Security. Employees must adhere to all data privacy and security protocols when using AI technologies. This includes ensuring that any data input into AI systems complies with our data protection policies and relevant legal regulations. Sensitive or confidential information, including student data, pre-decisional work, negotiations, personal details, or any data classified as moderate- to high-risk as outlined in RCNJ Policy/Procedure 410: Data Protection (PII), must never be shared with AI tools, as these tools learn and generate content based on the input data. Users should ensure that any data input complies with College policies and legal regulations, preserving data security, intellectual property, and confidentiality. If unsure whether specific information is appropriate to use with the AI tool, employees should consult their supervisor, the ITS department, the College’s internal auditor, or the legal department. Non-compliance with data protection policies and legal regulations may result in disciplinary action.

c. Risk Assessments for AI Usage. In the course of using AI tools, employees should always be aware of the inherent risks these technologies pose. These may include potential inaccuracies or misinterpretations in AI-generated content due to lack of context, legal ambiguities concerning content ownership, and possible breaches of data privacy. As such, a critical attitude towards AI outputs is required at all times. To ensure that risks associated with AI usage are effectively managed, it is the responsibility of management to incorporate AI-specific risk assessments into the College’s broader risk management procedures. This includes continually evaluating and updating protocols to identify, assess, and mitigate potential risks, with considerations for changes in AI technology, its application, and the external risk environment. This also necessitates periodic training and awareness sessions for employees to ensure they stay informed about these risks and the steps needed to mitigate them.

d. Use of Third-Party AI Platforms. Employees should exercise caution when using third-party AI platforms due to the potential for security vulnerabilities and data breaches. Before using any third-party AI tool, employees are required to verify the security of the platform. This can be done by checking for appropriate security certifications, reviewing the vendor’s data handling and privacy policies, and consulting with the College’s ITS cybersecurity team if necessary. Moreover, DRAFTdata shared with third-party platforms must comply with the guidelines outlined in the section on Data Privacy and Security. In situations where employees are unsure about the use of a third-party platform, they should seek guidance from their supervisors or the ITS security team. Employees should not integrate any AI tool with software provided by or maintained by the College without first receiving specific written permission from their supervisor and the ITS Department.

e. Use in Communications. AI tools, when used appropriately, can aid in facilitating efficient internal communication within Ramapo College. This includes drafting emails, automating responses, or creating internal announcements. However, while using AI for these purposes, it is crucial that employees adhere strictly to the College’s policies on ethics, harassment, discrimination, and professional conduct. AI-generated communication should be respectful, professional, and considerate, mirroring the high standards of interpersonal communication expected at Ramapo College. Any misuse of AI tools for communication, including any language or behavior that violates College policies, will be treated as a serious violation and may lead to disciplinary action.

f. Transparency and Accountability. Employees should maintain transparency in their use of AI tools. When AI-generated outputs are utilized in decision-making processes, employees should not represent work generated by an AI tool as being their own original work. Rather, employees should include a footnote in their work indicating which AI tool was used and when it was used. Also, employees must be prepared to explain the rationale behind these decisions and the role AI played in them. Accountability for decisions made with the assistance of AI remains with the employee.

g. Training and Support. The organization will provide training and resources to help employees understand how to effectively and responsibly use AI tools. Use case is an important factor in determining which tools are appropriate, and employees are expected to evaluate whether a given tool fits their intended purpose. In addition to internal resources, employees are encouraged to complete relevant courses – such as those available free online – on AI ethics, data privacy, and secure usage. Employees should seek assistance from their supervisors or the ITS department if they have questions or require support regarding AI technologies.

h. Ethical Considerations. Employees must consider the ethical implications of using AI in their work. This includes assessing AI outputs to detect and avoid bias, considering whether AI outputs would have a negative impact on institutional reputation or integrity, ensuring fairness in decision-making, and being mindful of the potential impact on employees, students, stakeholders (i.e., board members, alumni, etc.), and vendors with whom the College has DRAFTcontractual relationships. Any concerns regarding ethical use should be reported to management.

i. AI Tool Vetting and Inventory. ITS maintains a website which has a list of AI tools that have been vetted for use by employees and students. AI tools used by employees and students on the college’s network or on college-provided computing machines must undergo a formal vetting process to ensure they meet established security requirements. If an employee or student has a mission-related reason to use an AI tool that is not listed on the ITS website, then the employee or student should submit a request to ITS which will assess whether the tool aligns with the college’s security requirements. Approval to use an AI tool not listed on the ITS website must be granted by the Chief Information Officer (CIO), and when appropriate, in consultation with the head of the requesting department (See NIST control ID.AM-1.) (Note: if the AI tool requires purchase, then please refer to the Software Request policy for details about the process to follow in order to procure the tool.)

j. Essential Pre-Use Considerations for New AI Tools. Responsibility for vetting AI tools does not reside solely with ITS. As AI technologies continue to evolve and expand, the campus community shares a role in ensuring responsible use. Employees are encouraged to research any AI tool (not on an approved list or encouraged for use by ITS) prior to use with attention to its purpose, data handling practices, and potential risks. The checklist below highlights key considerations to help evaluate whether an AI platform—if not already vetted by the College—meets acceptable ethical standards and safeguards, and guides users on how to responsibly approach its use:

1. 1. Handling of Inputted Data. Regardless of any encryption or security measures claimed by the tool, I understand that I should avoid submitting sensitive or personally identifiable information. I also understand that I should not share confidential or valuable intellectual property with the tool.
   2. Purpose and Context. I should use the platform appropriately in alignment with relevant organizational or legal requirements. I understand that not all AI tools are suited for every task, therefore, I should evaluate whether the tool aligns with the specific purpose, intended outcome, and organizational context of the task.
   3. Consideration of Others. I understand that if others (e.g., students, colleagues, etc.) are expected to use the platform, then clear communication, informed consent, and alternatives should be made available.
   4. Data Ownership and Use. The platform should clearly explain who owns the submitted content and how it may be stored, reused, or used for AI training.
   5. Privacy and Security. The platform should provide a transparent privacy policy and describe how it protects data (e.g., via its encryption, access control, and retention policies). The platform also provides users with the option to clear personalized memory from conversations with the tool.
   6. Ethical Use and Risk Awareness. The platform makes it easy to understand ethical considerations and risks, and the platform commits to responsible, safe, and fair AI use.

k. Compliance with Regulations. Employees must comply with all applicable laws and regulations governing the use of AI technologies. This includes intellectual property rights, data protection laws, and industry-specific regulations.

l. Non-Personal Use. AI tools provided by Ramapo College are for business use only and should not be used for personal use. This policy is in place to ensure the maintenance of a professional and productive environment, the preservation of institutional resources, and to prevent potential legal and security risks. Personal use of these tools could potentially involve sharing of inappropriate or sensitive content, misuse of time and resources, and potential breach of data privacy regulations.

m. Monitoring. Ramapo College reserves the right to monitor all employee interactions with AI tools for the purpose of ensuring compliance with this policy and procedure.

n. Non-compliance. Non-compliance with this policy and procedure may result in disciplinary action.

o. Exceptions. Any exceptions to this policy and procedure must be documented by RCNJ ITS with the reason for the exception, and mitigations to reduce risk associated with not fully implementing this policy and procedure. Exceptions may include, but are not limited to, legacy systems or applications that do not permit configuration to the extent required by this policy and procedure, and systems that are not under the direct control of RCNJ, for example.

p. Review and Updates. This policy and procedure will be reviewed annually and updated as necessary to reflect changes in technology, legal requirements, and organizational needs. Employees will be notified of any significant changes to the policy.

Note: The typli AI Text Generator (see https://typli.ai/ai-text-generator) was used on 1/27/2025 to generate an initial draft of this policy statement.

Policy

The Padovano Commons is a general use, informal gathering space for members of the College community.  There are prescribed hours for use by faculty and staff, and for use by students.

Reason for Policy

To set forth policy and procedure for the use and stewardship of the Padovano Commons.

To Whom Does the Policy Apply

All Ramapo College students and employees

Related Resources

Policy 427: Facilities Rental

Contacts

Events & Conferences (E&C)

Procedure 460: Padovano Commons Use

Faculty and staff may use the Commons or gather to meet informally in the Commons without official reservations year around prior to 4pm. The Commons will not typically be reserved in its entirety for daytime events prior to 4pm. Special approval from the Provost will be required for and notice of any such reservations will be posted. Reservations for formal activities must be requested through Events and Conferences (E&C). All users should take great care to remove their own trash, rearrange furnishings to their original location prior to departure, and avoid damaging the floors, walls, furnishings, and other fixtures.

Students may use the Commons after 5pm on selected days of the week during the fall and spring terms. The Commons may be reserved for formal activities after 5pm by submitting a request through E&C. Student groups may submit reservation requests to the Center for Student Involvement (CSI), which will in turn submit requests to E&C.

The College President may authorize the Commons to be used as a location for limited food and beverage service provided by an authorized vendor during daytime hours for faculty and staff, or during evening hours and weekends in support of providing a place for faculty, staff, and students to socialize, relax, collaborate, and engage in informal dialogue.

I. Academic Year: Hours of Operation

Monday-Wednesday:

• 8:00 am – 4:00 pm: Open for faculty and staff use. Formal reservations submitted through E&C and, as needed, to the Provost for approval.
• 4:00 pm – 5:00 pm: Closed for daily maintenance.
• 5:00 pm – 12:00 am: Open for student use. Formal reservations submitted through CSI to E&C.

Thursday-Friday:

• 8:00 am – 4:00 pm: Open for faculty and staff use. Formal reservations submitted through E&C and, as needed, to the Provost for approval.
• 4:00 pm – 5:00 pm: Closed for daily maintenance.
• Evening hours to be determined based on reservation requests, and resources and vendor availability.

Saturday-Sunday:

• 8:00 am – 5:00 pm: Closed (unless reservations requested through E&C).
• Evening hours to be determined based on reservation requests, and resources and vendor availability.

Exam Periods:

• Extended hours will be available for quiet space; advance notice will be provided in Daily Digest.
• During exam periods, the Commons will not be reservable.

II. Reserved Use

Faculty or staff may request to reserve use of the Glass Room (dining area) for up to 8 people at a conference table M-F from 8:00 am – 4:00 pm. Requests can be made through E&C.

Students may request to reserve use of the Commons M-F from 5:00 pm – 12:00 am through CSI, which will coordinate requests with E&C.

Pre-scheduled, reserved use of the Commons during the day (i.e., prior to 4:00 pm) will be prioritized for gatherings that are primarily designed to bring faculty together, and, in the spirit of the building’s namesake, will also serve to foster opportunities for greater interdisciplinarity and fellowship across faculty and staff constituent groups.

Even when reserved for a gathering during the day (i.e., prior to 4:00 pm), the space will remain open to faculty and staff. That is, faculty and staff who are not participating in the activity for which the reservation was made may use portions of the Commons not occupied by the reserving group so long as they do not interfere with or disturb the activities of the reserving group.

III.      Prioritization

Generally, on a weekly basis, E&C will provide the Provost with a listing of any requests received for daytime use of the space. On instances when that listing reflects multiple parties seeking the use of the space at the same time or a latent request for an upcoming already reserved date, the Provost will determine the ultimate user, and communicate that decision to E&C.

It is only in instances when a conflict emerges for the use of the space that the Provost will be expected to approve the user or override an existing reservation.

IV. Notice

The reservation requestor is responsible for advising the campus, through Daily Digest or signage at the Commons, when a program is being held. The purpose of this notification is to both promote the program and to extend a courtesy to those community members who may wish to find an alternative on-campus space to gather.

V. Space Configuration/Usage

The Commons itself has limited flexibility. While IT and AV setups can be supported, as well as modest catering tables, the general seating in the Commons remains largely stationary.

Should users wish to rearrange some of the chairs or furnishings toward a particular part of the space, they may do so on their own while (1) taking great care to not damage the furniture, floors, walls, or other fixtures, and (2) returning all chairs and furnishings to their original locations.

Furnishings cannot be removed from the Commons building as there is no adjacent storage. Individuals may bring in food and drinks or utilize the vending machines. Users are expected to clear tables after personal use and carefully return any moved furniture to its original location.

VI. Additional Resources

Updated guidelines for use and additional details about the space, including capacities, are available at the Padovano Commons Website.

Please address any housekeeping needs or questions to E&C or to Facilities Management using the Service Request system.

Emergencies should immediately be reported to Public Safety (x6666 or 201-684-6666) or call 911.