2007 Reaffirmation Teams :: 3.9.2 - 2007 Reaffirmation Teams

The institution protects the security, confidentiality, and integrity of all student records and maintains special security measures to protect and back up data.

Compliance Judgment

Compliance

Narrative

The University of Texas at Dallas (UT Dallas) recognizes the importance of student record security (particularly in an environment where digital records increasingly form the bulk of student records) and therefore diligently protects the security, confidentiality, and integrity of student records by employing strict security measures to protect and back up data. As a result, UT Dallas extends federal law and maintains records in accordance with regulations from The University of Texas System (UT System). The policies and procedures for data security are available at the Information Security Office policies page [1], which also contains information about encryption, server management, and network connections as well as responses to frequently asked questions. The relevant state laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and Gramm-Leach-Bliley, among others, are available online on the Information Security Office’s state and federal law policies page [2].

UT Dallas adheres to federal laws that protect the privacy of student records. The Office of the Registrar is responsible for registering students and maintaining academic records. Detailed information pertaining to the content and handling of Office of the Registrar records is contained in the UT Dallas Handbook of Operating Procedures (HOP), Title V, Chapter 47 - Student Educational Records [3]. All student records are maintained under regulations established by FERPA [4]. Personally identifiable information retained in student educational records may be accessed or released only with the written consent of the student or under the provisions allowed by FERPA on a need-to-know basis. In addition to the procedures detailed in the HOP, individuals are notified of these rights through the hard copy and online versions of the undergraduate catalog [5] and the graduate catalog [6], and through FERPA information provided through the Bursar’s office [7]. An information packet, “FERPA and YOU [8],” is made available by the Registrar online and includes the required permission forms needed for access and/or release of information.

Student records are protected through the policies and procedures of Information Resources as stated in the Information Resources Use and Security Policy, page A5-110.0, in the UT Dallas Administrative Policies and Procedures Manual, a document also seen online as the Information Resources Security Operations Manual [9]. The UT Dallas Information Security Office works with the various departments of Information Resources (IR), the support components in schools and departments, and internal audit and business continuity planning groups to ensure the integrity, authenticity, confidentiality and availability of computer-based data resources. It is the policy of UT Dallas to protect the confidential nature of social security numbers, and the university has taken measures to discontinue the use of the social security number (SSN) as an individual’s primary identification number by September 1, 2007, unless laws require the university to use the SSN [10]. The Director of Human Resources Management initiated the implementation of the business policy memorandum; the Chief Information Security Officer now has ultimate responsibility for the continuation of this policy’s implementation and enforcement.

All mission-critical UT Dallas data (electronic files), including student records, are saved on network servers to ensure backup of the data. The Student Information System (SIS), which contains all student information, is backed up nightly; additional full backups of UT Dallas’ complete computer system occur weekly. Users of information systems are prohibited from accessing data or programs for which they are not authorized. UT Dallas personnel follow these guidelines and must sign statements agreeing to IR’s Acceptable Use Policy [11] and must successfully complete online compliance training each year on the confidentiality and handling of records. All employees who have access to computers or any student records undergo a criminal background check as outlined in D2-115.0 of the Administrative and Procedures Manual in order to ensure “campus safety and the security of personal and University property [12].” These background checks take place upon initial hiring and upon any transfers, promotions, or reclassifications.

Any employee who will have access to any of the student, financial, business, or human resources systems (SIS, FRS/FINS, BIS, or HRS) or to special accounts or special network drives must fill out a computer account request form (CAR) [13]. The CAR form is also required whenever someone asks for additional access to, or loses access to, a system. Whenever an employee is terminated, the supervisor must notify the Information Resources Security Office. In addition, computer access is sponsored and must be recertified annually. This recertification requires the approval of the supervisor.

All records (electronic or paper) are maintained in accordance with the UT Dallas Records Management and Retention Policy [14] [15] [16] [17]. UT Dallas continues to implement an updated version of the Record Retention policy, and as of summer 2007, a new project manager is responsible for the implementation.

Personally identifiable information is transmitted via encrypted e-mail. In June 2007, UT Dallas implemented a new, updated policy for the encryption of confidential data “at rest” [18]. Computer systems that are sent to surplus have the hard drives removed and the hard drives are then physically shredded.

Individual student records are also maintained in secure environments by other student affairs offices, including The Dean of Students (Judicial Affairs), Student Health Center, Student Counseling Center, International Student Services, Career Center, Disability Services, Registrar, Office of Enrollment Services, and Financial Aid. FERPA guides the entire campus on matters related to the confidentiality of student education records. In addition to the other means of notification, students in attendance at UT Dallas are notified annually of their rights pursuant to FERPA via an official e-mail communication issued from the Office of the Vice President for Student Affairs [19].

Dean of Students

Confidential discipline records are maintained in the Dean of Students Office. The Dean’s staff receives FERPA training annually. Paper records are kept in locked file cabinets inside a locked room. Only authorized personnel are issued keys to that room. Electronic logs are kept in a secure folder on a secure drive that has permissions set such that only authorized personnel may access the data.

Student Health Center

In addition to protecting paper records in locked file cabinets, the Student Health Center protects records under the guidelines as outlined by HIPAA [20].

Student Counseling Center

Student records are maintained in the Student Counseling Center in accordance with procedures as outlined in the center’s policy and procedure manual [21].

International Student Services

The International Student Services Office closely follows guidelines pursuant to the privacy, security, and confidentiality of international student records. Requests for information by the Department of Homeland Security are referred to the vice president for business affairs for review and approval.

Career Center

The majority of student records are maintained through a Career Center online database, UT Dallas CareerWorks [22] [23]. Students self-register for the UT Dallas CareerWorks account. The vendor, CSO Research, maintains a secure website that has been approved by UT Dallas Information Resources. Social security information is not included in this database.

Active student internship files are maintained in a locked file cabinet in the Internship Coordinators’ locked offices. Inactive student internship files are maintained in locked filing cabinets in the Career Center storage room. These forms are for internal purposes and are destroyed based on UT Dallas Records Management and Retention policy [14] [15] [16] [17].

Disability Services

Current documentation of a student’s disability is retained in Disability Services files. This information is maintained in a locked filing cabinet, which is stored in a locked storage room in the Disability Services suite. The storage room remains locked at all times and is accessed by authorized staff only when examinations or other file materials are retrieved. Keys are issued on a limited basis to suite staff and are not issued to the cleaning crew or facilities management.

Enrollment Services, Financial Aid and Registrar

In addition to following the provisions of the Family Educational Rights and Privacy Act (FERPA), the Office of Enrollment Services, the Office of Financial Aid and the Registrar have established policies and procedures to ensure the appropriate handling of student financial aid and academic records. Prior to the implementation of the On-Base electronic document management system in 2007, all financial aid information and student records were maintained in file storage rooms within the enrollment services office, the financial aid office and the registrar’s office, which were locked during the evenings when office staff were not working. Even today, individual offices are locked in the evenings, with documents collected at the front lobby of each area stored in a locked document scanning office prior to closing. The On-Base system allows for the electronic imaging of all documents upon receipt, thereby eliminating the requirement to store paper documents in permanent storage. The electronic images are catalogued on a secure server that is backed up daily and are routed electronically through a secure, password-protected workflow process.

Academic Personnel

Student records distributed to the faculty and other academic support personnel are provided most often through the Office of the Registrar. Class rolls and class photo rosters are distributed through secure channels only to authorized personnel as identified by the Office of the Registrar. Faculty members and support personnel are advised via e-mail about the proper handling of academic records and are provided training opportunities through the Office of the Registrar [24].

Enforcement and Assessment

The institutional compliance program includes three monitoring areas related to the privacy and protection of student information. The quarterly report from November 2006 indicates the need for (as well as the plans for) monitoring of FERPA, SSN, and HIPAA provisions [25]. These areas are all considered high risk and are therefore monitored closely.

Supporting Documents

Footnote / Document
[1] Information Security Policies Website
PDF Document, 1 Page, 16.86 KB (statement1359)
[2] Information Security Relevant State Laws Website
PDF Document, 1 Page, 10.46 KB (statement1360)
[3] UT Dallas Handbook of Operating Procedures Title V, Chapter 47: Student Educational Records
PDF Document, 6 Pages, 32.60 KB (policy1138)
[4] Family Educational Rights and Privacy Act (FERPA) Family Policy Compliance Office (FPCO) Homepage - dated 20070427
PDF Document, 2 Pages, 40.91 KB (policy1152)
[5] UT Dallas 2006-2008 Undergraduate Catalog 2007 Supplement - Appendix I. Rules, Regulations, and Statutory Requirements
PDF Document, 3 Pages, 105.86 KB (catalog1045)
[6] Grad Catalog Appendix I Rules, Regulations, and Statutory Requirements
PDF Document, 4 Pages, 20.66 KB (catalog1033)
[7] UT Dallas Finance Family Educational Rights and Privacy (FERPA) description - y2007
PDF Document, 2 Pages, 27.23 KB (policy1129)
[8] "FERPA and You: A Guide to Information Disclosure" published by the UT Dallas Office of the Registrar
PDF Document, 8 Pages, 196.71 KB (manual1030)
[9] Information Resources Security Operations Manual from UT Dallas Information Security
PDF Document, 21 Pages, 127.01 KB (manual1031)
[10] Business Policy Memorandum 66 Protecting the Confidentiality of Social Security Numbers
PDF Document, 7 Pages, 38.11 KB (policy1116)
[11] Information Resources Acceptable Use Policy for UT Dallas networked computers and systems
PDF Document, 2 Pages, 71.65 KB (policy1108)
[12] Appointments Criminal Background Checks D2-115.0
PDF Document, 4 Pages, 60.99 KB (policy1166)
[13] Computer Account Request CAR Form
PDF Document, 1 Page, 31.06 KB (form1063)
[14] UT Dallas Records Management & Retention Administrative Policy and Procedure for the destruction of State records - dated 20020618
PDF Document, 1 Page, 52.06 KB (policy1109)
[15] UT Dallas Records Management & Retention Administrative Policy and Procedure for the policy on records management and retention - dated 20000207
PDF Document, 1 Page, 24.95 KB (policy1110)
[16] UT Dallas Records Management & Retention Administrative Policy and Procedure for records retention schedule - dated 20000207
PDF Document, 1 Page, 56.99 KB (policy1112)
[17] UT Dallas Records Management & Retention Administrative Policy and Procedure for Social Security Number Confidentiality (note: policy undergoing revision) - dated 20070518
PDF Document, 5 Pages, 57.66 KB (policy1113)
[18] UT Dallas Updated Policy for the Encryption of Data Website
PDF Document, 1 Page, 10.25 KB (statement1361)
[19] E-mail to UT Dallas student body re: "Annual Notice of Your Rights Under FERPA" - dated 20070212
PDF Document, 3 Pages, 23.52 KB (email1021)
[20] UT Dallas Medical Record and Medical Media Policy HIPAA Privacy Notice
PDF Document, 4 Pages, 17.98 KB (policy1078)
[21] Procedure for storing, filing, and disseminating Student Counseling Center Records
PDF Document, 5 Pages, 28.34 KB (procedure1035)
[22] UT Dallas CareerWorks Home Page
PDF Document, 1 Page, 17.77 KB (statement1113)
[23] Portion of manual re: Fiscal Management for the UT Dallas Career Center
PDF Document, 8 Pages, 128.59 KB (manual1032)
[24] FERPA and Graduation Training Email
PDF Document, 1 Page, 14.04 KB (email1024)
[25] UT Dallas Institutional Compliance Program Quarterly Report for the quarter ended November 30, 2006 - dated y2006
PDF Document, 9 Pages, 90.88 KB (report1332)