Southeastern Louisiana University's commitment to protecting the security, confidentiality, and integrity of its student academic records is evident in the policies and procedures the University has implemented to maintain the security, confidentiality, and integrity of those records. Southeastern abides by federal and state regulations and standards regarding the protection of student academic records. Laws and policies followed include those established through the Family Educational Rights and Privacy Act (FERPA) and the American Association of Collegiate Registrars and Admissions Officers, of which Southeastern Louisiana University is a member. For the purposes of this standard, security of student academic records is the degree to which a record is safe from unauthorized access or use, as well as the prevention of unauthorized access or use. Confidentiality of student academic records means that those who have access to student records use them in a professional manner, appropriate to their job responsibility. Integrity of student academic records means that the ability to record data is given to those who have the appropriate authority to do so and safeguards are in place to monitor changes to data.
Security of Student Paper Records
Paper records of currently enrolled students are kept in a secure room in departmental offices. These rooms are keyed so that they are accessible by the department head and the departmental secretary. Paper records of all students are kept in a secure room by the University Registrar. These records are backed up on microfilm and kept in a secure off-campus location. Southeastern's Policies and Procedures Relating to the Family Educational Rights Privacy Act governs the release of student information and academic records by the University.
Technology Policies and Standards for Security of Electronic Records
Southeastern has detailed policies that are directly related to security of electronic records and data, including student academic records. Initially developed in 1999 with the inauguration of a new system, these policies have been implemented and further developed since then:
- Southeastern's Data and Computer Security and Access Policy, designed to ensure that personal and confidential information of employees and students is protected, and that only certain authorized persons will have access to this data;
- Southeastern's Intrusion Prevention/Response Guidelines and Procedures, which describes how to identify, assess, and respond to an external attack on Southeastern's computer system. The policy also describes ways to protect the University's computer system from attacks, as well as procedures to ensure the protection and security of information when computers are surplused or transferred;
- Southeastern's Technology Business Continuity Plan, a contingency plan in the case of a major disruption to the main computing system. In part the document states the following:
A major objective of the plan is to define procedures for a business continuity plan for recovery from disruption of computer and/or network services. This disruption may come from total destruction of the central site or from minor disruptive incidents. Special attention and emphasis is given to an orderly recovery and resumption of those operations that concern the critical business of running the university, including providing support to academic departments relying on computing. Consideration is given to recovery within a reasonable time and within cost constraints.
The document is considered sensitive and is not available to the public; however, the document may be obtained for review with permission from the Assistant Vice President of Technology. The procedures outlined in the Technology Business Continuity Plan are fully tested annually.
Confidentiality of Student Records
Southeastern's employee handbooks, which are available to all faculty and staff online, provide policies that reinforce the University's commitment to confidentiality of student records. Part IV, Section E. Confidentiality of Information states that faculty and staff are to keep all information with respect to the operations, activities, and business affairs of the University and its students in the strictest confidence. Part VI, Section K. Policies and Procedures Relating to the Family Educational Rights and Privacy Act states that students are entitled to the rights as set forth in the 1974 Family Educational Rights and Privacy Act (FERPA); Section 513, P.L. 93-380, Educational Amendment of 1974, amending the General Education Provisions Act, Section 438, and amended by Section 2 of P.L. 93-568.
Confidentiality policies are printed in the University's General Catalogue and are reviewed and updated as needed. On page 68 of the 2003-2004 General Catalogue, reference and guidance are offered regarding the Family Educational Rights and Privacy Act as it relates to notification of students enrolled at Southeastern Louisiana University. The University may release personally identifiable information from the education records of a student to appropriate parties only in connection with an emergency, if this information is necessary with regard to the health or safety of the student or other individuals.
Student record protection is also defined according to Policies and Procedures Relating to the Family Educational Rights Privacy Act, a website maintained by the Office of Records and Registration. A student desiring access to his/her educational records initiates this process with a written request, whether it be for records related to admissions, academic, financial aid, counseling, disciplinary, security, school/departmental, employment, or health matters. Parents are permitted access to these records only with prior written consent of the student or in instances where the student is a dependent.
In addition, as of the 2003-2004 academic year each employee is required to sign the following Confidentiality Agreement:
Employees of Southeastern Louisiana University frequently have access to and/or work with a variety of records and information which may be confidential in nature. Such information must not be shared with, made available to or accessible by any persons other than professional associates with a need to know in the normal course and scope of work. Confidential information otherwise must not be discussed or shared without appropriate authorization.
Copies of these statements are kept by the supervisor of the employee and in the Human Resources Office. All new employees are required to sign this Confidentiality Agreement as a part of the hiring process. In addition to this generic agreement that is signed by all employees, many individual departments on campus have their own more detailed agreements that must be signed by employees of that division. Examples are the Office of Records and Registration and the Office of Technology.
The Office of Records and Registration maintains all student academic records. Anytime there is a change in records policy, the Office's procedures require that students be notified by letter and/or e-mail. The Office of Records and Registration secures all paper records in a vault and electronic information is password-protected.
Each Southeastern student is assigned a unique identification number that requires a password to access individual records. Staff and student workers have their own IDs and passwords so that alterations to records can be tracked and monitored to ensure the integrity of the information contained in each student record. Monitoring is accomplished through a monthly audit of any student grades that have been changed.
In addition to providing guidelines for choosing and maintaining secure passwords (page 7), Responsible Computing at Southeastern Louisiana University: General Policies for All Computer Users states in part that:
Computer and/or network access accounts are assigned to users for their exclusive use. It is violation of policy to exchange, reveal, steal or misappropriate passwords without the express consent of the authorized user. Protecting account passwords is critical. Also, active computer sessions, such as People Soft, Time-Center, registration and web mail, should never be left unattended.
The responsibility of faculty, staff, and students to be familiar with and adhere to Southeastern's Responsible Computing policy is communicated on page 44 of the 2003-2004 General Catalogue, in Southeastern's employee handbooks (Part VI, Section F), and in the Student Handbook. The policy is easily accessed from Southeastern's home page.
Integrity of Student Records
A limited number of personnel at Southeastern Louisiana University have “write access” to student records. The extent of these privileges is determined by the employee's position. (See Security Administration and Application for Faculty/Staff Account in the Data and Computer Security and Access Policy for a description of the approval process.) Furthermore, all activities by any person accessing records through Southeastern's administrative systems are logged electronically and are backed up regularly.
Backup of Electronic Data
All of Southeastern's electronic data is backed up every night. This data is kept at two separate local locations, one on the southern part of the campus and another nearly a mile away on the northern part of the campus. Furthermore, all electronic files, including all student financial aid information, are backed up every week and stored in a remote location 150 miles away from the University. The ACS Image Solutions storage facility in Flora, Mississippi provides this service for the University.
Ongoing Efforts to Ensure Record Security
In fall 2003, at the request of the Provost, the University established a Privacy and Security Committee whose membership consists of representatives from a cross-section of campus departments. The committee has been charged with reviewing all areas of privacy and confidentiality campus-wide, and with helping to ensure Southeastern's compliance with the requirements of FERPA, HIPAA, and the Gramm-Leach-Bliley (GLB) Act.
In addition, the University has hired an archival specialist to help the University develop a uniform records retention and destruction policy. During fall 2004, the consultant will confer with academic and business units on campus to develop a classification system for records, a policy for records retention and destruction, and a schedule for records destruction.