12.5 STUDENT RECORDS
The institution protects the security, confidentiality, and integrity of its student records and maintains security measures to protect and back up data.
JUDGEMENT
Compliance
Non-Compliance
Partial Compliance
NARRATIVE
North Carolina A&T State University protects the security, confidentiality and integrity of its student records and maintains security measures to protect and back up its student data. Active student records are maintained in a digital format, using the Banner system. The Office of the Registrar has primary responsibility for maintaining and securing student records. It is supported by the Division of Information Technology. Both units are part of the Division of Academic Affairs. The Division of Information Technology has overall institutional responsibility for maintaining the integrity and confidentiality of the university’s information records and other information assets, including data on undergraduate, graduate and distance education students. The institution’s processes for data security are aligned with the regulations of the Family Educational Rights and Privacy Act (FERPA) and with the UNC System requirements. The university’s Information Security Policy is provided. It addresses the university’s commitment and efforts to maintain the security of information and underscores the obligation of all members of the university community to maintain the safety and confidentiality of its information assets. HIPAA and FERPA guidelines govern the institution’s release of student medical records.
The Office of Student Financial Aid understands the importance of protecting financial aid information. The following measures are taken:
1. Continuous review and monitoring of processes and document security are discussed with the staff each semester.
2. Financial aid documents are imaged in the Banner Data Management System (BDMS), and various financial aid information is located on the Banner system.
3. Once the data are imaged and audited, the documents are shredded.
4. Staff members must sign a Code of Conduct and Statement of Ethical Principles, which indicate that the information in the Financial Aid Office must be treated with confidentiality.
Employees in the Financial Aid office are constantly reminded to:
· Ensure that student and parent private information provided to the Financial Aid Office by financial aid applicants is protected in accordance with all state and federal statutes and regulations, including FERPA and the Higher Education Act, Section 483(a)(3)(E) (20 U.S.C. 1090).
· Protect the information on the FAFSA from inappropriate use by ensuring that this information is only used for the application, award and administration of aid awarded under Title IV of the Higher Education Act, state aid, or aid awarded by eligible institutions.
The Financial Aid Office also follows the NASFAA Code of Conduct and Statement of Ethical Principles.
Security roles are also implemented in the Banner system to ensure that unauthorized staff or potential attackers are not able to obtain financial aid information. Regular evaluation of security controls is ongoing, and access to the system is immediately removed once a staff member leaves the university.
Employee access to student data is limited by their job responsibilities. Access is secured by an application and approval process that includes senior officers of the university, such as deans and vice chancellors. All access requires password authentication.
All full-time faculty and academic advisors have limited access to student records in Banner, allowing them to do such things as check a student’s schedule or assist the student in enrolling in courses.
The institution’s Information Technology Services Policies (ITS) are posted online. The ITS policies address acceptable use, security, and confidentiality.
Back-up of university data is taken very seriously. The university uses a combination of technologies to perform back-up procedures.
· The Office of Information Technology Services backs up campus enterprise systems, including central servers and storage area networks.
· The university's enterprise resource planning (ERP) system, Banner, is hosted and backed up by the University of North Carolina System Office.
· The university uses Office 365 for email and group collaboration. These applications use a combination of replication and retention in place of back-up to ensure that items are not lost by failure and can be recovered if accidentally deleted.
· The enterprise learning management system, Blackboard Learn, is hosted and backed up by Blackboard.
SUPPORTING DOCUMENTS
1. UNC Policy 1400.2-Information Security
2. The University’s Information Security Policy
4. Financial Aid Code of Conduct
5. NASFAA Statement of Ethical Principles
7. Information Technology Systems Policies (pdf listing)
9. Security
10. Confidentiality—Secure Data Requirements