Confidential Information Access (IT Security) Policy #501
Policy #501
Approved: February 17, 2011
UNIVERSITY OF NORTH CAROLINA SCHOOL OF THE ARTS
Confidential Information Access (IT Security) Policy
Source of Authority: N.C.G.S. § 116-34(a); UNC Code § 502(A)
History: First Issued: February 17, 2011
Related Policies:
FERPA, 20 U.S.C. § 1232g;
FTC Red Flag Rules, 16 C.F.R. 681;
Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6827;
HIPAA Security & Privacy Regulations, 45 C.F.R. 164;
The Privacy of State Employee Personnel Records, N.C.G.S. § 126, Art. 7;
FERPA Policy #803;
Technology Use Policy #508;
Records Request Policy #118;
Red Flag Rules/Identity Theft Policy #505
Responsible Offices: Information Technology Department
Effective Date: February 17, 2011
This policy addresses the protection of records that include confidential and sensitive information that employees view or have access to during the course of employment or service with UNCSA. Records may be confidential and sensitive by virtue of the state personnel file privacy law (N.C.G.S. § 126-22 et seq.), the Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C. § 1232g), federal Privacy Act provisions governing social security numbers, the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act, the Federal Trade Commission’s Red Flag Rules, other applicable state and federal laws, and UNCSA information technology/security policies and regulations.
This policy applies to all UNCSA employees (including student employees) and to all information, regardless of format (paper, digital, etc.).
A. Employees may not disclose confidential information about computer passwords and identification characters, University employees, University students, or any personally identifiable financial or health or medical information unless authorized by law.
B. Employees may have access to student, personnel, and student loan records only as required to perform assigned job duties.
V. Revision History
A. February 17, 2011 – Adopted by Board of Trustees as part of UNCSA Policy Manual
UNIVERSITY OF NORTH CAROLINA SCHOOL OF THE ARTS
Confidential Information Access (IT Security) Procedures
I. Disclosure or Release of Information
1. Confidential information may be disclosed if required to comply with federal or state law.
2. If in doubt about the confidentiality of any record or the ability legally to disclose information, employees must consult with their supervisor (who in turn may consult with their supervisor, Human Resources, the General Counsel or other appropriate University official) before disclosing any information.
B. Student Information
1. Directory information, as defined by the UNCSA FERPA policy, is public unless the student the records concern has “opted out” of disclosure by notifying the registrar.
2. All other student information is private and may only be released with the student’s written permission or in accord with a statutory exception. In the event that the student is under the age of 18, information may only be released by permission of the student’s parent or legal guardian.
C. Personnel Records
1. Information defined as public by the UNCSA Public Records Request policy is public and may be disclosed.
2. Other information from personnel records is private except where there is statutory authority or the employee’s consent to release it.
II. Breaches of Information Security
A. An employee who becomes aware of any breach or suspected breach of information security must promptly report the breach to his/her supervisor.
B. Supervisors must in turn report the matter to the appropriate University official(s), the General Counsel, and, in cases of student information, to the registrar.
III. Securing Confidential Information. Employees must secure all records that may contain confidential information from view of or access by unauthorized persons.
A. Confidential Paper Files
1. Must be stored in locked cabinets or drawers whenever feasible;
2. Must not be left unattended in areas where visitors may enter; and
3. Must be disposed of by shredding or other secure method in accordance with the UNCSA Document Retention policy.
B. Confidential Electronic Files
1. Must be appropriately secured to prevent unauthorized access;
2. Must be destroyed in accordance with Information Technology protocols; and
3. May not be opened, sent, or received over the internet except via VPN.