Approved: 05/08/2017
Last Reviewed: 05/08/2017
Last Modified: 05/08/2017
Statement
Santa Fe College (SF) collects, produces, disseminates, and stores a significant amount of diverse information in a variety of formats during the normal course of business operations. A portion of this information includes confidential documents, materials, or data which may be protected by federal, state, or local laws and regulations, and/or college rules. This restricted data includes, but is not necessarily limited to: Personally Identifiable Information (PII); Private Educational Records (PER) protected under FERPA; credit card data regulated by the Payment Card Industry (PCI); Electronic Protected Health Information (ePHI) protected by HIPAA and/or Florida medical privacy laws; personal information covered by the Gramm-Leach-Bliley Act (GLBA); and information specifically identified by contract as restricted (see sections 2 and 3 of the SF IT Policies Appendix A for more information).
During the course of employment, employees, student employees, volunteers, agents acting on behalf of SF, or other individuals may have access to information that is considered confidential. This document establishes the principles, processes, and safeguards by which electronically stored confidential information entrusted to the care of SF will be maintained and managed in a manner that ensures its confidentiality, and outlines expectations regarding the ongoing protection of this information.
Purpose
Every individual at SF entrusted with the care of confidential information needs to possess a level of understanding of the responsibilities involved in identifying, governing, protecting, and securing confidential information that they may have access to during the fulfilment of their daily job responsibilities and functions.
Scope
This policy applies to all individuals who have access through SF IT Resources, as defined in section 4, below, to SF information that contains personal, academic, business, or other information that is considered confidential or of a proprietary nature.
Definitions
Information Technology (IT) Resources - Equipment or services used to input, store, process, transmit, and output information, including, but not limited to, desktops, laptops, mobile devices, portable storage devices, servers, telephones, fax machines, copiers, printers, wired and wireless networks, Internet, email, cloud storage, and social media sites.
Destruction Record - An inventory method for describing and documenting the physical or electronic information in any format authorized for destruction, as well as the date, authorizing individual, and method of destruction. The destruction record itself does not contain confidential information. The destruction record information can be kept in either physical or electronic format.
Confidential Data - For the purposes of this policy, confidential data or confidential information is information stored and/or housed by electronic methods for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be required. Unauthorized access to or disclosure of confidential information could constitute an unwarranted invasion of privacy and cause financial loss and damage to the College’s reputation and the loss of community confidence.
Electronic Protected Health Information (ePHI) - Any information that links an individual with their physical or mental health condition such as:
- Name of individual or relative
- Any address smaller than state
- Dates such as birth, admission or discharge
- Telephone numbers
- Electronic mail address
- Social security numbers
- Account numbers
- Health plan beneficiary number
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code
FERPA - Family Educational Rights and Privacy Act - The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects and safeguards the privacy of student educational records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Individuals cannot bring a case against the institution, but the Department of Education can enforce FERPA by depriving an institution of federal funding (including financial aid to students). You can read more about FERPA at www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
FIPA - Florida Information Protection Act - Requires covered entities, which include certain government entities, conducting business in Florida that acquire, maintain, store or use personal information, to inform Florida residents of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information. FIPA provides the following definitions of what constitutes protected personal information:
- The first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are neither encrypted nor redacted:
- Social Security Number
- A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
- Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts.
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
- A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
Federal Information Security Management Act (FISMA) of 2002 - Requires program officials and the head of each agency to take specific measures to mitigate cybersecurity risks. The Department of Homeland Security monitors and reports agency progress to ensure the effective implementation of this guidance.
Federal Information Processing Standard 199 (FIPS 199) - Part of the mandatory security standards as required by FISMA that require Federal agencies to assess their information systems in each of the categories of confidentiality, integrity and availability, rating each system as low, moderate or high impact in each category.
GLBA - Gramm-Leach-Bliley Act - The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, is a comprehensive, federal law that governs a financial institution’s retention, use and disclosure of customer records and information. GLBA sets forth a financial institution’s privacy obligations to its customers and its duties concerning the safeguarding of customers’ personal information. The GLBA is composed of several parts, including the Privacy Rule (16 CFR § 313) and the Safeguards Rule (16 CFR § 314). The GLBA applies to the College because it processes student loans and provides other financial services. As such, the College falls within the definition of “financial institution” under the GLBA and must comply with the law’s requirements. “Financial Institution” means any institution which engages in financial activities. Examples of financial activities that are covered by GLBA include the following: student or other loans, including receiving application information, and the making and servicing of such loans, collection of delinquent loans, check cashing services, financial or investment advisory services, credit counseling services, travel agency services provided in connection with financial services, tax planning or tax preparation, obtaining information from a consumer report, career counseling services for those seeking employment in finance, accounting or auditing. Additional guidance regarding GLBA is available at: www.ftc.gov/privacy/privacyinitiatives/glbact.html.
HIPAA - Health Insurance Portability and Accountability Act - The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of medical records for health care providers, health maintenance organizations and health records clearinghouses. A major goal of HIPAA is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and protect the public’s health and well-being. HIPAA establishes, for the first time, a foundation of federal protections for the privacy of protected health information. However, it does not replace federal, state, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices. You can read more about HIPAA at www.hhs.gov/ocr/hipaa/.
PCI DSS - The Payment Card Industry Data Security Standard is a proprietary set of security controls that businesses are required to implement to protect credit card data.
Payment Card Information (PCI) - Credit card account number alone with any of the following:
- Cardholder name
- Service code
- Expiration date
Personally Identifiable Information (PII) - Unencrypted electronic information that includes an individual’s first name or initial and last name, in combination with any one or more of the following:
- Social security number
- Driver license number
- Financial account number, credit card number, or debit card number in combination with any security code, access code, or password
Private Educational Record (PER) - Includes the following information:
- Name of the student’s parent or other family member
- Address of student’s family
- Personal identifier, such as the student’s Social Security Number (SSN)
- A list of personal characteristics that would make the student’s identity easily traceable
- Disciplinary status
- Financial – aid, tuition, payments, account balances
- Grades, exam scores, or GPA (grade point average)
- Class roster
- Applications and admissions information
- Schedules
- Evaluations, forms, memos, or correspondence to and about the student
- Birth date
- Gender
- Citizenship
- Marital status
- Religion
Restricted Data - A particularly sensitive category of confidential data. Restricted data is defined as:
Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transmission.
Restricted data includes, but is not necessarily limited to:
- Personally Identifiable Information (PII)
- Private Educational Records protected under FERPA
- Credit card data regulated by the Payment Card Industry (PCI)
- Electronic Protected Health Information (ePHI) protected by Federal HIPAA legislation or Florida medical privacy laws
- Information specifically identified by contract as restricted
- Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high
Sensitive Information - Information that “because of legal, ethical, or other external-imposed constraints, may not be accessed without specific authorization or to which only limited access may be granted”. In the context of the definition of a serious incident, sensitive information is defined as non-public information, as defined by law or practice, whose disclosure may have serious adverse effect on individuals and/or the College. Sensitive information includes personally identifiable information such as that protected by FERPA, credit card numbers and any other information designated as sensitive by the College.
Student Directory Information - Includes a student's name, local address, telephone number, date of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.
Limited-access Area - An area where access shall only be granted to employees who are approved by the appropriate members of management of that location, or to anyone already approved to access more than one restricted area (ITS employees). This does not include people admitted to an area as a visitor.
Restricted Area - An area where access shall only be granted to ITS employees who are approved by the appropriate members of management. This does not include people admitted to an area as a visitor.
Additional definitions of the terms used in this policy can be found in the SF IT Policies Appendix A.
Policy
5.1 Requirements and Responsibilities
All members of the SF community who deal with confidential data are expected to become familiar with all sections of this policy and take the steps necessary to stay current with all regulations and guidelines regarding the handling of confidential data outlined within the sections listed below.
5.1.1
All members of the SF community who have been granted access to confidential, sensitive, or proprietary information in any electronic format have an obligation to protect, maintain, and handle that information in a secure manner throughout all stages of the data lifecycle including:
- Creation
- Use
- Storage
- Release
- Receiving and Transmitting
- Retention
- Destruction
5.1.2
All individuals will be granted privileges consistent with their job duties to access confidential information and understand that they may not release that information to any individual or entity without appropriate authorization.
5.1.3
Prior to releasing confidential information, any individual who is uncertain about the legitimate use or release of confidential information to others should always refer questions about the appropriateness of the release to his or her supervisor.
5.1.4
All members of the SF community who deal with confidential data must understand all rules and regulations which apply to the data under their control that relate to the transference of confidential information outside of SF. This includes taking all steps required to obtain prior authorization and acquiring all necessary signatures on the appropriate release forms to allow SF to disclose confidential information.
5.1.5
All individuals are responsible for confidential information under their control and will be held accountable for any intentional or unintentional disclosure of confidential information to unauthorized individuals or entities. See Sections 5.9 and 6.0 of this policy for disciplinary actions as a result of policy violation.
5.1.6
To protect confidential information from any possible misuse, all individuals responsible for confidential information must comply with the latest rules and regulations regarding the appropriate handling of confidential information and materials.
5.1.7
Individuals responsible for confidential data should attend training to foster understanding of -- and compliance with -- appropriate secure handling rules and regulations as required by relevant federal, state, and local laws.
5.2 Inappropriate Use
Confidential information is only to be accessed for purposes directly related to your job duties or for other authorized and approved SF business. Listed below are some examples of inappropriate uses of confidential information.
5.2.1
Disclosing, discussing, or distributing confidential information to any individual not authorized to view or access that data, and only as needed to conduct campus business or as required by job requirements or supervisor directive.
5.2.2
Using information viewed or retrieved from the systems for unauthorized or unlawful use, or for the purpose of personal gain.
5.2.3
Attempting to gain unauthorized access to systems or data that is not relevant to your job duties.
5.2.4
Deleting, or altering any information without prior authorization, or intentionally generating false or misleading information.
5.2.5
Sharing your system credentials, or utilizing the credentials of others to gain unauthorized access.
5.3 Security of the Electronic Environment
Every member of the SF community who is authorized to work with confidential information must be aware of the proper procedures and protocols to safeguard electronic data within their possession, and take all steps and proactive actions necessary to ensure that confidential information stored in an electronic format remains secure. Listed below are some examples of how to secure the electronic environment.
5.3.1
All computers containing confidential information must be logged off or locked when unattended. Computers owned/managed by SF are protected by a screen lock timer function. If you discover an SF computer that does not lock after going to the screen saver, you must contact the ITS Help Desk to report the problem.
5.3.2
Any electronic device housing confidential information must have password protection enabled and adhere to the SF Password Policy and Guidelines. If you need assistance with enabling password protection, contact the ITS Help Desk.
5.3.3
Storing confidential information on any non-SF computer equipment is prohibited.
5.3.4
When there is an authorized and legitimate need to provide electronic records containing confidential information to an authorized third party, the electronic records must be password-protected and encrypted.
5.3.5
Storing confidential information on any portable or external storage device (e.g., laptop, tablet, smart phone, flash-drive, SD card, DVD) is not allowed unless written permission is granted by the individual(s) responsible for that information and the portable or external storage device is password-protected.
5.3.6
Unless specifically authorized and approved, confidential information should never be stored on local computer drives. It must either be stored on secured servers or secured authorized desktop computers.
5.3.7
Prior to storing confidential information on any computer, individuals should verify with ITS that the computer meets the minimum acceptable security requirements:
- The anti-virus software is up to date.
- The operating system is up to date.
- The password has been changed recently and adheres to the SF Password Policy and Guidelines.
- The computer has been recently scanned for malware, spyware, keystroke monitor software, or any other possible malicious software.
- The computer is protected by the network firewall.
Can I store restricted data on my: | PCI | PII | PER | ePHI |
---|---|---|---|---|
Workstation (SF owned and managed computer) | No | Requires special authorization and should be rare | Requires authorization | Requires authorization |
Mobile computing devices (laptops, tablets, PDAs, smart-phones) | No | No | Requires authorization | Requires authorization |
Removable media (CDs, DVDs, USB drives, external hard drives, floppy disks, backup tapes) | No | Requires special authorization and should be rare | Requires authorization | |
Home and travel computer (college owned and managed computer) | No | Requires special authorization and should be rare | Requires authorization | Requires authorization |
Email (SF email account) | No | Requires special authorization and should be rare | Requires special authorization and should be rare | Requires special authorization and should be rare |
Instant Messaging (SF IM account) | No | No | Requires special authorization and should be rare | No |
Web (college web space) | Requires authorization | Requires authorization | Requires authorization |
Non-SF managed computer | No | Requires authorization | Requires authorization |
No | No | No | No |
5.4 Disposal of Confidential Electronic Information
5.4.1
Electronic documents and other digitally-maintained information not actively involved in an investigation, litigation or legal hold have a finite life cycle and should be permanently deleted pursuant to and in compliance with College Rule 5.11, Procedure 5.11P, Chapter 119, Florida Statutes, and Chapter 257, Florida Statutes, as applicable.
5.4.2
Prior to disposal, the retention schedule (if applicable) for each document type should be verified.
5.4.3
The destruction of SF electronic records should be authorized by the senior officer of each administrative or academic office of responsibility, in compliance with College Rule 5.11, Procedure 5.11P, Chapter 119, Florida Statutes, and Chapter 257, Florida Statutes, as applicable.
5.4.4
All digital information will be deleted using the procedures outlined in the SF Digital Media Sanitation policy.
5.4.5
The destruction of the data should be noted in the destruction record files.
5.5 Security of the Physical Environment
Every member of the SF community who is authorized to work with confidential information must take the proper precautions to ensure that the workplace environment provides the security measures necessary to safeguard that information. Listed below are some examples of how to secure the physical environment.
5.5.1
Computer display screens must be positioned so that only authorized individuals can view confidential information.
5.5.2
Any server containing confidential information must be housed within a restricted area that features strict access control, and is protected by video surveillance and/or motion-detecting devices.
5.5.3
Every SF laptop/netbook that is not in use must be stored within a limited-access area and protected by a cable lock or locked in a cabinet/cart where feasible. This policy applies whether the equipment is located on campus or off-site.
5.5.4
All handheld electronic devices, including portable storage units and mobile devices, must be kept in a locked drawer or cabinet when not in use.
5.5.5
Photocopiers, fax machines, and scanners must be located within a limited-access area.
5.5.6
Printers that routinely print confidential information must be located within a limited-access area.
5.5.7
Windows in offices that regularly access protected/sensitive information should be protected in such a way that a passerby cannot see in but the employee has an unobstructed view to see outside. If mirror tinting is not available or has been ordered but not installed, then the employee must account for the window when abiding by Section 5.5.1 above.
5.7 Removal of Confidential Materials
All materials and other property containing confidential information are the property of SF. Unless directed or pre-approved by a supervisor, members of the SF community will not remove confidential data off-campus.
5.7.1
If approved for off-campus removal, all members of the SF community are responsible for the confidential data in their care and must safeguard the information and control access as necessary, until that information is safely returned to SF.
5.7.2
All confidential data taken off-campus must be password-protected and encrypted.
5.7.3
Any supervisor permitting confidential information in electronic form to be taken off-campus must implement formal written control procedures for the information, which will establish the following:
- The name of the individual taking the confidential information off-campus.
- The start date and time the material was taken off-campus and the agreed-upon date and time of its return.
- The purpose for which the material has been taken off-campus.
- The type and format of the confidential information that has been taken off-campus.
5.8 Termination or Completion of Assignment or Project
5.8.1
After the completion of an assignment or project, an employee will return all confidential or proprietary data pertaining to that assignment or project. The employee’s supervisor (or their designee) will verify that all information has been returned.
5.8.2
After voluntary or involuntary termination of employment, the former employee must safely return all SF IT resources to their supervisor before they leave on the final day of their employment. The former employee must also securely delete all confidential data from any non-SF device that has come in contact with such data during the course of its life. The employee’s former supervisor (or their designee) will verify that all SF IT resources have been returned and all known confidential information has been removed from any non-SF device.
5.8.3
After employment with SF ends, all former employees will hold all confidential or proprietary information in trust and confidence, while complying with federal, state, and local laws regarding its access, use, and disclosure.
5.9 Violations
5.9.1
Unauthorized access or disclosure of confidential information in any form may violate college policy and federal, state, or local laws, resulting in criminal or civil penalties or corrective action, up to and including termination.
5.9.2
Employees must report actual or suspected disclosure of confidential electronic records immediately to their supervisor, department head, or IT Services.
5.9.3
Employees must report actual or suspected violation of this policy by any member of the campus community immediately to their supervisor, department head, or IT Services.
Policy Enforcement
Every SF user ID and password acts as a unique identifier granting access to the associated account on a particular SF system, which may contain SF confidential information. Any work or activity performed under an SF account is assumed to be performed by the person assigned to that account. Defying or circumventing this policy shall be deemed a violation of this policy, as well as the Information Technology Appropriate Use Policy (AUP), and will be reported to the SF Chief Information Officer (CIO). The CIO reserves the right to deny or immediately remove access privileges to individuals or groups without prior notice to protect SF technology resources. The CIO may delegate further enforcement of this policy to the appropriate persons in coordination with disciplinary procedures for students, faculty, and staff.
Contacts
Questions regarding this Policy should be directed to Information Technology Services at 352-395-5999 or emailed to help.desk@sfcollege.edu.
History/Revision Dates
Approved: 05/08/2017