Data Access Privacy and Security Policy

Updated: January 2022

I. POLICY DESCRIPTION
Transylvania University collects and maintains data containing confidential personal information of students, parents, faculty, staff, alumni, donors, prospective students and families, and trustee records in accordance with federal and state laws and regulations. Data is utilized for university operations, federal and state reporting and research. Transylvania University does not permit access to, or the disclosure of, confidential personal information, student education records, or personally identifiable information contained therein except for purposes authorized under law, regulation or agreement.

II. PURPOSE
This policy establishes the procedures and protocols for collecting, maintaining, protecting, disclosing, and disposing of confidential data records, including data containing personally identifiable information collected by the University.

III. SCOPE OF POLICY
This policy and procedures apply to all employees, contractors, and students of Transylvania University and are applicable to other entities requesting access to confidential, sensitive, or restricted information.

Restricted information is protected by:

  1. Family Educational Rights and Privacy Act (FERPA) 34 CFR, Part 99 located at http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
  2. Gramm-Leach-Bliley Act (GLBA) https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
  3. General Data Protection Regulation (GDPR) https://gdpr.eu/
  4. HIPAA https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
  5. Other applicable laws and regulations.
  6. Any agreement between University and outside agencies or entities.

IV. DEFINITIONS

  1. Confidentiality refers to a person’s obligation not to disclose or transmit information to unauthorized parties; it also covers how collected personally identifiable information is protected and when an individual’s consent is required before disclosure.
  2. Data Collection includes any collection of records, which may include data collected in an enterprise-level system (e.g., Student Information System) or through alternate collection means.
  3. De-identification is a process that renders data safe to utilize and share by removing or obscuring all identifying fields such as name or identification numbers, thus making it very difficult to identify an individual based on a combination of variables.
  4. Disclosure or Disclose means to permit access to or the release, transfer, or other communication of personally identifiable information contained in records by any means, including oral, written, or electronic means (internally or externally).
  5. Records describe any information or data recorded in any medium—including but not limited to handwriting, print, or system—that contains personally identifiable information and is maintained by an institution or by a person acting for the institution.
  6. Linkage consists of the ability to combine records through the use of common identifiers for the purpose of research or re-identification.
  7. Memorandum of Understanding (MOU) refers to the data disclosure and confidentiality agreement between University and the entity requesting data.
  8. Personally Identifiable Information (PII) includes any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records, and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
  9. Privacy defines the right of individuals to have their personal information adequately protected to avoid the potential for harm, embarrassment, inconvenience, and/or unfairness.
  10. Re-disclosure describes the sharing or use of data collection beyond the original approved intent.
  11. Security means technical procedures that are implemented to ensure that records are not lost, stolen, vandalized, illegally accessed, or improperly disclosed.
  12. Enterprise Identification (EID) Number is a unique number assigned by the University enterprise data systems that does not contain any series of numbers matching a Social Security number.
  13. Suppression denotes withholding information from publication. Some information is withheld from publication to protect small counts that could lead to a disclosure. Other information is withheld from publication in a table to prevent the calculation of the data based on small counts from the published information; this is known as complementary suppression.
  14. Vendor-Partner includes any university contract holders with access to confidential records.

V. INFORMATION COLLECTED AND MAINTAINED
Transylvania University collects, through enterprise data systems and other collection methods, data from students and their families, alumni, donors, prospective students and families, trustees, and employees, including but not limited to:

  1. Personally Identifiable Information that identifies each person. This data may include name, identification number, address, race/ethnicity, gender, date of birth, place of birth, etc.
  2. Participatory data, including employment, attendance, degree completion, donor relations, board or committee assignments, etc.
  3. Financial data, including financial aid eligibility and awards, employee pay rates and benefits, donor contributions, vendor payments, etc.

Records may be maintained in one or more secure data systems.

VI. MEASURES TO MAINTAIN SECURITY OF CONFIDENTIAL DATA
Transylvania University shall utilize the following procedures and measures to ensure the security of confidential records.

A unique Enterprise Identification number (EID) is assigned to each individual. The ID is system-generated and contains no embedded meaning. Use of the EID is encouraged whenever record linkage is needed.

Security protocols limit who has access to the data and for what purposes.

Statistical cut-off procedures are utilized to prevent student identification in aggregate-level reports. For Transylvania University, suppression is recommended for any record count less than 5.

Transylvania University shall maintain a current listing of university personnel who have access to personally identifiable information through authentication and internal links.

Confidential data shall be communicated or transferred electronically to external entities only through a secure site or location accessible solely by the authorized entity (Google Drive, network shared drive, or secure FTP site).

Confidential data should be password protected prior to any exchange through e-mail or alternative transfer method. The password should not be included in the email; it must be provided through a separate communication.

If possible, make every attempt to follow this protocol while sending or receiving confidential information.

De-identification rules, which involve the removal of personally identifying information in order to protect personal privacy, should be followed. With the exception of disclosure of records for required audits, evaluations, and studies, data is provided in a de-identified or aggregate form. An Enterprise Identification (EID) Number such as the Colleague ID can be provided to allow matching of data records or re-identification, but it must be excluded from any publicly produced reports.

Other safeguards — All university employees, contractors and other entities with direct access to confidential information are responsible for protecting the data via the following procedures:

Prevent disclosure of data by protecting visibility of reports and computer monitors when displaying and working with confidential information.

Workstations must be locked or shut down when left unattended for any amount of time.

Data and electronic files containing confidential information must be stored in a secure location.

Confidential information will not be sent via text or fax.

When no longer needed, paper reports must be shredded and electronic files must be destroyed.

Reports, external storage drives, and/or any other media containing confidential information must be stamped or otherwise marked as confidential prior to being released outside the university. The envelope containing the information also must indicate that the contents are confidential.

VII. SECURITY INCIDENT NOTIFICATION
Users suspecting an unauthorized disclosure of personally identifiable or confidential information shall immediately notify university technical staff and cooperate with technical staff as part of any necessary investigation.

VIII. DATA ACCESS
This section describes the conditions under which Transylvania University will release confidential information.

Transylvania University Employees – Any employee, including students, who has a need to access confidential information must sign a Non-Disclosure Agreement at the time of employment.

University employees who have a need to access confidential information are permitted access through system access protocols established and maintained by University’s IT system administrators. Supervisors must indicate that the employee needs access to this information in the performance of his or her assigned duties and responsibilities. Supervisors will ensure that the appropriate safeguards are instituted to protect the confidential information and that the employee has received appropriate training.

Employees may not access confidential information for personal purposes (for example, research for a dissertation). Employees must maintain the confidentiality of all protected data. Data will be destroyed in accordance with the university’s record retention policy.

Public – The University may disclose, without consent, information in aggregate form that is not easily traceable to an individual. Public access is limited to aggregate-level reports. The suppression rules set forth in this policy are adhered to for all public reporting.

Research – The University may disclose confidential, personally identifiable information to authorized individuals and/or organizations for research and analysis purposes, to improve instruction, or to develop, validate, or administer predictive tests. Such disclosures also may be made to authorized representatives conducting required audits or program evaluations. The requesting entity or individual must sign and have an approved Memorandum of Understanding. Disclosures must be authorized by law, regulation, agreement, or contract. Authorization must be evaluated periodically (at the agreement due date) to ensure access to the data is still required. Data may be used only for the purposes defined in the agreement.

IX. TRAINING NEEDS
All university employees shall be made aware of the Data Access and Security Policy changes and will receive subsequent information through newsletter articles, e-mail messages, and/or training classes.

X. RECORD OF ACCESS
In compliance with protected data guidelines, the university shall maintain a record indicating the name of any individual or organization external to the university that requests and is allowed access to records containing PII. The record of access shall indicate the interest of that person or organization in obtaining the information, as well as the date the requested data were disclosed.

XI. DESTRUCTION OF DATA
Any entity receiving personally identifiable information must destroy such information when it is no longer needed for the purpose specified in the request for disclosure. The manner of destruction shall protect the confidentiality of the information and must be done at the conclusion of the intended purpose.

XII. PENALTIES FOR VIOLATION OF DATA USE
Enforcement penalties for violation of data privacy or security, unauthorized disclosure, or re-disclosure may include loss or denial of access to confidential information, revocation of network access privileges, and any other penalties prescribed by federal or state law.