2007 Reaffirmation Teams
3.9.2 - 2007 Reaffirmation Teams
The institution protects the security, confidentiality, and integrity of all student records and maintains special security measures to protect and back up data.
The University of Texas at Dallas (UT Dallas) recognizes the importance of student record security (particularly in an environment where digital records increasingly form the bulk of student records) and therefore diligently protects the security, confidentiality, and integrity of student records by employing strict security measures to protect and back up data. As a result, UT Dallas extends federal law and maintains records in accordance with regulations from The University of Texas System (UT System). The policies and procedures for data security are available at the Information Security Office policies page, which also contains information about encryption, server management, and network connections as well as responses to frequently asked questions. The relevant state laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and Gramm-Leach-Bliley, among others, are available online on the Information Security Office’s state and federal law policies page.
UT Dallas adheres to federal laws that protect the privacy of student records. The Office of the Registrar is responsible for registering students and maintaining academic records. Detailed information pertaining to the content and handling of Office of the Registrar records is contained in the UT Dallas Handbook of Operating Procedures (HOP), Title V, Chapter 47 - Student Educational Records. All student records are maintained under regulations established by FERPA. Personally identifiable information retained in student educational records may be accessed or released only with the written consent of the student or under the provisions allowed by FERPA on a need-to-know basis. In addition to the procedures detailed in the HOP, individuals are notified of these rights through the hard copy and online versions of the undergraduate catalog and the graduate catalog, and through FERPA information provided through the Bursar’s office. An information packet, “FERPA and YOU
Student records are protected through the policies and procedures of Information Resources as stated in the Information Resources Use and Security Policy, page A5-110.0, in the UT Dallas Administrative Policies and Procedures Manual, a document also seen online as the Information Resources Security Operations Manual. The UT Dallas Information Security Office works with the various departments of Information Resources (IR), the support components in schools and departments, and internal audit and business continuity planning groups to ensure the integrity, authenticity, confidentiality and availability of computer-based data resources. It is the policy of UT Dallas to protect the confidential nature of social security numbers, and the university has taken measures to discontinue the use of the social security number (SSN) as an individual’s primary identification number by September 1, 2007, unless laws require the university to use the SSN. The Director of Human Resources Management initiated the implementation of the business policy memorandum; the Chief Information Security Officer now has ultimate responsibility for the continuation of this policy’s implementation and enforcement.
All mission-critical UT Dallas data (electronic files), including student records, are saved on network servers to ensure backup of the data. The Student Information System (SIS), which contains all student information, is backed up nightly; additional full backups of UT Dallas’ complete computer system occur weekly. Users of information systems are prohibited from accessing data or programs for which they are not authorized. UT Dallas personnel follow these guidelines and must sign statements agreeing to IR’s Acceptable Use Policy and must successfully complete online compliance training each year on the confidentiality and handling of records. All employees who have access to computers or any student records undergo a criminal background check as outlined in D2-115.0 of the Administrative and Procedures Manual in order to ensure “campus safety and the security of personal and University property.” These background checks take place upon initial hiring and upon any transfers, promotions, or reclassifications.
Any employee who will have access to any of the student, financial, business, or human resources systems (SIS, FRS/FINS, BIS, or HRS) or to special accounts or special network drives must fill out a computer account request form (CAR). The CAR form is also required anytime someone asks for additional access to or loses access to a system. Anytime anyone is terminated, the supervisor must notify the Information Resources Security Office. In addition, computer access is sponsored and must be recertified annually. This recertification requires the approval of the supervisor.
All records (electronic or paper) are maintained in accordance with the UT Dallas Records Management and Retention Policy. UT Dallas continues to implement an updated version of the Record Retention policy, and as of summer 2007, a new project manager is responsible for the implementation.
Personally identifiable information is transmitted via encrypted e-mail. In June 2007, UT Dallas implemented a new, updated policy for the encryption of confidential data “at rest.” Computer systems that are sent to surplus have the hard drives removed and the hard drives are then physically shredded.
Individual student records are also maintained in secure environments by other student affairs offices, including The Dean of Students (Judicial Affairs), Student Health Center, Student Counseling Center, International Student Services, Career Center, Disability Services, Registrar, Office of Enrollment Services, and Financial Aid. FERPA guides the entire campus on matters related to the confidentiality of student education records. In addition to the other means of notification, students in attendance at UT Dallas are notified annually of their rights pursuant to FERPA via an official e-mail communication issued from the Office of the Vice President for Student Affairs.
Confidential discipline records are maintained in the Dean of Students Office. The Dean’s staff receives FERPA training annually. Paper records are kept in locked file cabinets inside a locked room. Only authorized personnel are issued keys to that room. Electronic logs are kept in a secure folder on a secure drive that has permissions set such that only authorized personnel may access the data.
Student Health Center
In addition to protecting paper records in locked file cabinets, the Student Health Center protects records under the guidelines as outlined by HIPAA.
Student Counseling Center
Student records are maintained in the Student Counseling Center in accordance with procedures as outlined in the center’s policy and procedure manual.
International Student Services
The International Student Services Office closely follows guidelines pursuant to the privacy, security, and confidentiality of international student records. Requests for information by the Department of Homeland Security are referred to the vice president for business affairs for review and approval.
Career Center
The majority of student records are maintained through a Career Center online database, UT Dallas CareerWorks. Students self-register for the UT Dallas CareerWorks account. The vendor, CSO Research, maintains a secure website that has been approved by UT Dallas Information Resources. Social security information is not included in this database.
Active student internship files are maintained in a locked file cabinet in the Internship Coordinators’ locked offices. Inactive student internship files are maintained in locked filing cabinets in the Career Center storage room. These forms are for internal purposes and are destroyed based on UT Dallas Records Management and Retention policy.
Disability Services
Current documentation of a student’s disability is retained in Disability Services files. This information is maintained in a locked filing cabinet, which is stored in a locked storage room in the Disability Services suite. The storage room remains locked at all times and is accessed by authorized staff only when examinations or other file materials are retrieved. Keys are issued on a limited basis to suite staff and are not issued to the cleaning crew or facilities management.
Enrollment Services, Financial Aid and Registrar
In addition to following the provisions of the Family Educational Rights and Privacy Act (FERPA), the Office of Enrollment Services, the Office of Financial Aid and the Registrar have established policies and procedures to ensure the appropriate handling of student financial aid and academic records. Prior to the implementation of the On-Base electronic document management system in 2007, all financial aid information and student records were maintained in file storage rooms within the enrollment services office, the financial aid office and the registrar’s office, which were locked during the evenings when office staff were not working. Even today, individual offices are locked in the evenings, and documents collected at the front lobby of each area are stored in a locked document scanning office prior to closing. The On-Base system allows for the electronic imaging of all documents upon receipt, thereby eliminating the requirement to store paper documents in permanent storage. The electronic images are catalogued on a secure server that is backed up daily and are routed electronically through a secure, password-protected workflow process.
Academic Personnel
Student records distributed to the faculty and other academic support personnel are provided most often through the Office of the Registrar. Class rolls and class photo rosters are distributed through secure channels only to authorized personnel as identified by the Office of the Registrar. Faculty members and support personnel are advised via e-mail about the proper handling of academic records and are provided training opportunities through the Office of the Registrar.
Enforcement and Assessment
The institutional compliance program includes three monitoring areas related to the privacy and protection of student information. The quarterly report from November 2006 indicates the need for (as well as the plans for) monitoring of FERPA, SSN, and HIPAA provisions. These areas are all considered high risk and are therefore monitored closely.