Confidential Information Access (IT Security) Regulation 501

Regulation 501 Approved: February 17, 2011
Source of Authority: N.C.G.S. § 116-34(a);
UNC Code § 502(A)
Revision Authority: Chancellor
History: First Issued: February 17, 2011
Related Policies and Regulations: FERPA, 20 U.S.C. § 1232g;
FTC Red Flag Rules, 16 C.F.R. 681;
Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6827;
HIPAA Security & Privacy Regulations, 45 C.F.R. 164;
The Privacy of State Employee Personnel Records, N.C.G.S. § 126, Art. 7;
FERPA Regulation 803;
Technology Use Regulation 508;
Records Request Regulation 118;
Red Flag Rules/Identity Theft Regulation 505
Responsible Offices: Information Technology Department
Effective Date: February 17, 2011

I. Purpose

This regulation addresses the protection of records that include confidential and sensitive information that employees view or have access to during the course of employment or service with UNCSA. Records may be confidential and sensitive by virtue of the state personnel file privacy law (N.C.G.S. § 126-22 et seq.), the Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C. § 1232g), federal Privacy Act provisions governing social security numbers, the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act, the Federal Trade Commission’s Red Flag Rules, other applicable state and federal laws, and UNCSA information technology/security policies and regulations.

II. Scope

This regulation applies to all UNCSA employees (including student employees) and to all information, regardless of format (paper, digital, etc.).

III. Definitions

IV. Regulation

A. Employees may not disclose confidential information about computer passwords and identification characters, University employees, University students, or any personally identifiable financial or health or medical information unless authorized by law.

B. Employees may have access to student, personnel, and student loan records only as required to perform assigned job duties.

V. Revision History

A. February 17, 2011 – Adopted by Board of Trustees as part of UNCSA Policy Manual
Confidential Information Access (IT Security) Procedures

Procedure 501

I. Disclosure or Release of Information

A. Generally

1. Confidential information may be disclosed if required to comply with federal or state law.

2. If in doubt about the confidentiality of any record or the ability legally to disclose information, employees must consult with their supervisor (who in turn may consult with their supervisor, Human Resources, the General Counsel or other appropriate University official) before disclosing any information.

B. Student Information

1. Directory information, as defined by the UNCSA FERPA Regulation, is public unless the student the records concern has “opted out” of disclosure by notifying the registrar.

2. All other student information is private and may only be released with the student’s written permission or in accord with a statutory exception. In the event that the student is under the age of 18, information may only be released by permission of the student’s parent or legal guardian.

C. Personnel Records

1. Information defined as public by the UNCSA Public Records Request Regulation is public and may be disclosed.

2. Other information from personnel records is private except where there is statutory authority or the employee’s consent to release it.

II. Breaches of Information Security

A. An employee who becomes aware of any breach or suspected breach of information security must promptly report the breach to his/her supervisor.

B. Supervisors must in turn report the matter to the appropriate University official(s), the General Counsel, and, in cases of student information, to the registrar.

III. Securing Confidential Information. Employees must secure all records that may contain confidential information from view of or access by unauthorized persons.

A. Confidential Paper Files

1. Must be stored in locked cabinets or drawers whenever feasible;

2. Must not be left unattended in areas where visitors may enter; and

3. Must be disposed of by shredding or other secure method in accordance with the UNCSA Document Retention Regulation.

B. Confidential Electronic Files

1. Must be appropriately secured to prevent unauthorized access;

2. Must be destroyed in accordance with Information Technology protocols; and

3. May not be opened, sent, or received over the internet except via VPN.