Sam Houston State University (SHSU) protects the security, confidentiality, and integrity of student records and maintains security measures to protect and back up data. SHSU complies with the Texas Administrative Code, Chapter 202, Subchapter B, Rule 202.20 [1] and the Family Education Rights and Privacy Act (FERPA) [2] to ensure the security, confidentiality, and integrity of student records. The University’s Academic Policy 810806, Student Educational Records [3], is established to assure FERPA compliance and designates types, locations, and custodians of various student records. Academic Policy 830823, Reproducing of Hard Copy of Student Academic Records [4], provides guidelines for the printing of hard copy student academic records.
The University has established an Information Security Program [5] that provides direction for managing and protecting the confidentiality, integrity, and availability of SHSU information technology resources. The program contains administrative, technical, and physical safeguards to protect student and University privileged information. The program defines the roles and responsibilities related to information security, including that of a full-time Information Security Officer (ISO) to oversee the program’s various components.
The SHSU Information Security User Guide [6] is used as an easy reference for policies associated with the SHSU Information Security Program and Information Security Policies that pertain to employee use of information technology resources. The guide [6] summarizes acceptable practices to educate individuals on the basic responsibilities needed to begin utilizing information resources in a manner that minimizes risks to students and the campus community. Upon employment, computer accounts are created for faculty and staff to activate. Activation of these accounts requires the user to agree to abide by the information resources Acceptable Use Policy (IT-03) [7], and users must sign a non-disclosure agreement. Further, in accordance with the Technology Security Training Policy (IT-13) [8], all employees must participate in information security awareness training [9] within 30 days of account activation and then annually thereafter.
Passwords for accounts are regulated by a User Accounts Password Policy (IT-02) [10] that mandates checks to ensure the strength of passwords. Campus users must also change their password on a scheduled basis. Information Technology (IT@Sam) staff members participate in the development of the new employee orientation program conducted by the Department of Human Resources and provide guidance on the use of the University’s computer systems. Additionally, new employees receive a document concerning FERPA, which outlines their responsibilities regarding the use of information to which they may have access based on their employment. Access to administrative information systems is controlled by individual username/password authentication. Levels of access within administrative information systems are determined by job duty and individual need and are maintained by the parties responsible for the given data. System access is removed as employees separate from the University.
Access to the online course management system used at SHSU is granted via the same username/password combination as for other administrative information systems. The Information Technology Data Backup and Recovery Policy (IT-11) [11] outlines steps for the protection of information technology data assets. Electronic data is stored on physically and electronically secured servers. Daily backup procedures are in place. Backup tapes are stored in a vault in a building separate from the servers. Academic records that predate electronic storage are retained in a vault within the Registrar’s Office. Any student data passed from Banner SIS, the institution’s student information system, to Blackboard, the institution’s learning management system, is protected. Blackboard is behind a firewall; utilizes the single-sign-on framework provided by IT@Sam for access by students, faculty, and staff; uses role-based permissions to restrict access to data; and is a cloud-hosted solution for backups and redundancy. The Information Technology Data Classification Policy (IT-06) [12] provides a framework for applying the appropriate levels of protection to institutional data based upon proprietary, ethical, operational, and privacy considerations. The policy identifies confidential data that all campus users must protect including, but not limited to, student grades, test scores, usernames, and ID numbers.
Students are informed each semester of their right to privacy via the Schedule of Classes. This information defines the data that are considered to be directory information and as such available for release to the general public. Students may restrict the release of information through requests submitted prior to the census date of the term. These requests may be made either by written notification to the Registrar’s Office or through an online program provided for this purpose.
In addition to the student privacy guidelines established by formal policy, the Registrar at SHSU, who serves as the FERPA campus official, publishes additional information and procedures relating to FERPA on the institution’s website. Privacy rights webpages are published for the various audiences that may be impacted by or involved with the protection of student privacy and are intended to emphasize key FERPA-related information in an easily digestible manner. Privacy rights webpages exist for the following topics: Family Education Rights and Privacy Act (F.E.R.P.A.) [13], Responsibilities as a Faculty and Staff Member [14], Responsibilities as a Student Employee [15], and Parental Access to Children’s Education Records [16].
Regarding the privacy rights webpage [13] that details FERPA, the institution clearly articulates its requirement to “maintain the confidentiality of student educational records.” The webpage also reiterates the list of student data that has been established as directory information under FERPA and is included in Academic Policy Statement 810806 [3] and the Student Handbook [17].
In addition to basic FERPA information, the site provides guidance to University personnel in the use of data contained in Banner SIS. Explanations are provided to employees to assist them in recognizing when a student’s directory information has been restricted for release. Further, the webpage [13] details actions that are specifically prohibited and defined as violations of FERPA:
Additional student privacy guidelines for institutional personnel are detailed within the Responsibilities as a Faculty and Staff Member privacy rights webpage [14]. The webpage reminds faculty and staff that the confidentiality, use, and release of student records are governed by FERPA. In addition, the guidelines inform the faculty and staff of the following:
. . . all student information must be treated as confidential. Even public or “directory” information is subject to restriction on an individual basis. Unless your job involves the release of information and you have been trained in that function, any requests for disclosure of information, especially from outside the University, should be referred to the Registrar’s Office.
The Responsibilities as a Faculty and Staff Member privacy rights webpage also reminds faculty and staff of their responsibility for the proper use of their employee computer accounts, passwords, and personal identification numbers in relation to data security [14]. Data security protocols will be addressed in greater depth in the following sections of this narrative.
Much like the privacy rights webpage for faculty and staff, the Responsibilities as a Student Employee webpage exists for student employees [15]. The webpage details the following student privacy expectations:
In addition to faculty, staff, and student employee expectations, a privacy rights webpage addresses parental access to student educational records. The Parental Access to Children’s Education Records webpage informs parents and employees that parents have no inherent right to inspect a student’s education records [16].
Finally, both the Student Health Center and the Student Counseling Center take steps to protect the security, confidentiality, and integrity of student records, which are retained per SHSU and state regulations. The Student Health Center follows specific policies related to access to patient information [18] [19], as well as the retention and disposal of patient records [20]. Adult records are kept for 7 years from the date of the last treatment, and minor patient records are retained for 7 years after the date of the last treatment or until the patient reaches age 21, whichever date is later. The Student Counseling Center also takes steps to maintain student confidentiality. Staff members are not allowed to discuss confidential client information with anyone outside of the Counseling Center unless a release of information form has been signed by the client. The form must be signed and dated by the client, as well as by a witness other than the counselor named in the release [21].