Data Access Privacy and Security Policy

Updated: January 2024

Description

Transylvania University collects and maintains data containing confidential, personal information of students, parents, faculty, staff, alumni, donors, prospective students and families, and trustee records for its legitimate business purposes and to comply with federal and state laws and regulations. This data is utilized for university operations, federal and state reporting, and scholastic research. Transylvania University does not permit access to, or the disclosure of, confidential personal information, student education records, or Personally Identifiable Information contained therein except for purposes authorized under law, regulation, or agreement.

Purpose

This policy establishes the procedures and protocols for collecting, maintaining, protecting, disclosing, and disposing of confidential data records, including data containing Personally Identifiable Information collected by Transylvania University.

Scope

This policy applies to all Transylvania University employees, students, and representatives, including any contractor or third-party provider of services to Transylvania University, with access to confidential, sensitive, or restricted information that Transylvania University has collected or otherwise has in its possession. This policy applies to all confidential, sensitive, or restricted information collected, maintained, transmitted, stored, retained, or otherwise used by Transylvania University, regardless of the medium on which that information is stored.

Restricted information is protected by: 

• Family Educational Rights and Privacy Act (FERPA)
  http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html. 
• Gramm-Leach-Bliley Act (GLBA) 
  https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
• General Data Protection Regulation (GDPR)
  https://gdpr.eu/
• Health Insurance Portability and Accountability Act (HIPAA)
  https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
• Federal Information Security Management Act (FISMA)
• Other applicable laws, regulations
• Any agreement between Transylvania University and outside agencies or entities.

Definitions

Confidentiality

Confidentiality refers to a person’s obligation to not disclose or transmit information to unauthorized parties; how Personally Identifiable Information collected is protected and when an individual’s consent is required for disclosure.

Data

Data refers to any items of information that are received, created, collected, maintained, accessed, provided by a third party, used, transmitted, or disclosed, whether in electronic, paper, or other format.

Data Collection

Data Collection includes any collection of records, which may include data collected in an enterprise-level system (e.g., Student Information System) or through alternate collection means.

De-identification

De-identification is a process that renders data safe to utilize and share by removing or obscuring all identifying fields such as name or identification numbers, thus making it very difficult to identify an individual based on a combination of variables.

Disclosure

Disclosure means to permit access to or the release, transfer, or other communication of Personally Identifiable Information contained in records by any means, including oral, written, or electronic means (internally or externally). 

Enterprise Identification Number

Enterprise Identification Number is a unique number assigned by Transylvania University enterprise data systems that does not contain any series of numbers matching a Social Security Number.

Linkage

Linkage consists of the ability to combine records through use of common identifies for the purpose of research or re-identification.

Memorandum of Understanding

Memorandum of Understanding (MOU) refers to the data disclosure and confidentiality agreement between Transylvania University and the entity requesting data. 

Personally Identifiable Information

Personally Identifiable Information (PII) includes any information that can be reasonably used to distinguish or trace an individual’s identity, such as name, email address, phone number, race, Social Security Number, date and place of birth, mother’s maiden name, biometric records, and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Privacy

Privacy defines the right of individuals to have their personal information adequately protected to avoid the potential for harm, embarrassment, inconvenience, and/or unfairness.

Re-disclosure

Re-disclosure describes the sharing or use of data collection beyond the original intent.

Records

Records describe any information or data recorded in any medium—including but not limited to handwriting, print, or system—which contains Personally Identifiable Information which is maintained by an institution or a person acting for the institution.

Security

Security means technical procedures that are implemented to ensure that records are not lost, stolen, vandalized, illegally accessed, or improperly disclosed.

Security Incident

Security Incident refers to an adverse event in an information system. A Security Breach may include a violation of an explicit or implied security policy, unauthorized access, unwanted denial of resources, unauthorized use, or changes without knowledge, instruction, or consent.

Suppression

Suppression denotes withholding information from publication. Some information is withheld from publication to protect small counts that could lead to disclosure. Other information is withheld from publication in a table to prevent the calculation of the data based on small counts from the published information; that is known as complementary suppression.

User

User refers to an individual who creates, accesses, processes, enters, reads, deletes, or otherwise “uses” data.

Vendor-Partner

Vendor-Partner includes any university contract holders with access to confidential records.

Information Collected and Maintained

Transylvania University collects, through enterprise data systems and other collection methods, data from students and their families, alumni, donors, prospective students and families, trustees, and employees, including but not limited to:

• Personally Identifiable Information that identifies each person. This data may include, but is not limited to, name, email address, address, race/ethnicity, gender, date of birth, Social Security Number, and place of birth.
• Participatory data, including, but not limited to, employment, attendance, degree completion, donor relations, and board or committee assignments.
• Financial data, including, but not limited to, financial aid eligibility and awards, employee pay rates and benefits, donor contributions, and vendor payments.

This information is maintained in one or more secure data systems.

Maintaining Security of Confidential Data

Transylvania University shall utilize the following procedures and measures to ensure the security of confidential data:

• A unique Enterprise Identification Number is assigned to each individual. The Enterprise Identification Number is system-generated and contains no embedded meaning. This Enterprise Identification Number is encouraged when record linkage is needed.
• Security protocols which limit which persons, organizations, or entities have access to confidential data and for what purposes. Statistical cut-off procedures are utilized to prevent student identification in anonymized, aggregate-level reports. For Transylvania University, it is recommended for record count less than 5.
• Transylvania University shall maintain a current listing of university personnel who have access to Personally Identifiable Information through authentication and internal links.
• Confidential data shall be communicated or transferred electronically to external entities only through secure mediums, the location of which shall only be accessible by the authorized entities.
• Confidential data shall be password-protected prior to any exchange through e-mail or alternative transfer method. The password to said confidential data shall not be included in the same communication as the confidential data; rather, it must be provided through separate communication.
• If possible, users make every attempt to follow this protocol while sending or receiving confidential information.
• De-identification rules should be followed which involve the removal of Personally Identifiable Information in order to protect personal privacy. With the exception of disclosure of records for required audits, evaluations and studies, data is provided in a de-identified or aggregate form. The Enterprise Identification Number, such as Colleague ID, can be provided to allow for matching of data records or re-identification but must be excluded from any publicly produced reports.
• Other safeguards – All Transylvania University employees, students, contractors, and other entities with direct access to confidential information are responsible for protecting the same via the following procedures:
  • Prevent disclosure of data by protecting visibility of reports and computer monitors when displaying and working with confidential information.
  • Workstations must be locked or shut down when left unattended for any amount of time.
  • Data and electronic files containing confidential information must be stored in a secure location.
  • Confidential information shall not be sent via text or facsimile.
  • When no longer needed, paper reports containing confidential information shall be shredded and electronic files shall be destroyed.
  • Reports, external storage drives, and/or any other media containing confidential information must be stamped or otherwise marked as confidential prior to being released outside Transylvania University. The envelope containing the information also must indicate that the contents are confidential.

Security Incident Notification

Users that suspect an unauthorized disclosure or breach of confidential information shall immediately notify the Transylvania University technical staff listed below and cooperate with technical staff as part of any necessary investigation. 

Jared Duncan, Systems and Security Administrator
jduncan@transy.edu
(859) 281-3554

Data Access

This section describes the conditions under which Transylvania University will release confidential information.

• Transylvania University Employees – Any employee, including students, who have a need to access confidential information must sign Non-Disclosure agreements at the time of employment.
• Transylvania University employees who have a need to access confidential information are permitted access through system access protocols established and maintained by Transylvania University’s Information Technology system administrators. Supervisors must indicate that the employee needs access to the confidential information in the performance of his or her assigned duties and responsibilities. Supervisors will ensure that the appropriate safeguards are instituted to protect the confidential information and that the employee has received appropriate training.
• Employees may not access confidential information for personal purposes (for example, research for a dissertation). Employees must maintain the confidentiality of all protected data. Data shall be destroyed in accordance with Transylvania University’s record retention policy (Section H.V.).
• Public – Transylvania University may disclose, without consent, information in anonymized, aggregate form that is not easily linkable to an individual. Public access is limited to anonymized, aggregate level reports. Suppression rules set forth in this policy are adhered to for all public reporting.
• Research – Transylvania University may disclose confidential, Personally Identifiable Information to authorized individuals and/or organizations for research and analysis purposes to improve instruction: develop, validate, or administer predictive tests. Such disclosures also may be made to authorized representatives conducting required audits or program evaluations. The requesting entity or individual must sign and have an approved Memorandum of Understanding. Disclosures shall be authorized by law, regulations, or contract. Authorization must be evaluated periodically (agreement due date) to ensure access to the data is still required. Use of data is only for purposes as defined in the agreement.

Training Needs

All Transylvania University employees shall be made aware of the Data Access and Security Policy changes and will receive subsequent information through newsletter articles, e-mail messages, and/or training classes.

Record of Access

In compliance with protected data guidelines, Transylvania University shall maintain a record indicating the name of any individual or organization external to the university that requests and is allowed access to records containing Personally Identifiable Information. The record of access shall indicate the interest such person or organization has in obtaining the information as well as the date the requested data were disclosed.

Destruction of Data

Any entity receiving data contemplated by this policy must destroy such data when it is no longer needed for the purpose specified in the request for disclosure. The manner of destruction shall protect the confidentiality of the information and must be done at the conclusion of the intended purpose.

Penalties for Violation of Policy

Enforcement penalties for violation of data privacy security, unauthorized disclosure, or re-disclosure may include loss or denial of access to confidential information, revocation of network access privileges, and any other penalties as prescribed by federal or state law.