The institution protects the security, confidentiality, and integrity of student records and maintains special security measures to protect and back up data. (Student records)
Judgment of Compliance
Narrative
Sam Houston State University complies with the Texas Administrative Code, Chapter 202, Subchapter B, Rule 202.20 and the Family Educational Rights and Privacy Act (FERPA) to ensure the security, confidentiality, and integrity of student records [1] [2]. The University’s Academic Policy 810806 is established to assure FERPA compliance and designates types, location, and custodians of various student records [3]. Academic Policy 820830 provides guidelines for the printing of hard copy student academic records [4].
Additionally, the University has established the Information Security Policy and Plan [5]. This plan identifies the Security Plan Coordinator, whose function is to assist University departments in identifying internal and external risks. The Security Plan Coordinator is also charged with evaluating current safeguards, and designing and implementing new safeguards as necessary. This policy addresses the use of electronic information, hard copy information, and verbal information, as well as the development of application software used to provide access to the University information system.
Upon employment, computer accounts are created for faculty and staff. Activation of these accounts requires the user to agree to abide by the Computing Acceptable Use Policy (FO-IR-01) [6]. Passwords for such accounts are required to pass certain checks to ensure the strength of the password. Computer Services staff members participate in the new employee orientation sessions held by the Department of Human Resources and provide guidance on the use of the University’s computer systems. Additionally, each new employee receives a document concerning the Family Educational Rights and Privacy Act (FERPA) which outlines their responsibilities regarding the use of information to which they may have access based on their employment [7]. Access to administrative menu systems is controlled by individual username/password authentication. Levels of access within the administrative menus are determined by job duty and individual need and are maintained by the parties responsible for the given data. Menu access is removed as employees separate from the University.
Access to the online course management system used at Sam Houston State University is granted via the same username/password combination as the administrative menus. The Finance and Operations Information Resources Policy FO-IR-04 addresses the security of this data, and states, “Faculty must maintain the integrity, security, and confidentiality of student information, including, but not limited to, grades, test scores, usernames, or ID numbers” [8].
Electronic data are stored on physically and electronically secured servers. Daily backup procedures are in place. Backup tapes are stored in a vault in a building separate from the servers. Academic records that pre-date electronic storage are retained in a vault within the Registrar’s Office.
Students are informed each semester of their right to privacy via the Schedule of Classes [9]. This information defines the data that are considered to be directory information and, as such, are available for release to the general public. Students may restrict the release of information through requests submitted prior to the census date of the semester. These requests may be made either by written notification to the Registrar’s Office or through an online program provided for this purpose [10].
The Student Health Center restricts access to patient information as outlined in its Patient Confidentiality Policy, and the Counseling Center retains records in locked cabinets to ensure security and confidentiality [11].
Supporting Documentation