Narrative

University of North Georgia is compliant with this comprehensive standard.  There has been an ongoing process to assess the overall impact of consolidation on the security, confidentiality, integrity, and availability of student records, and on the maintenance of special security measures to protect and back up data and ensure compliance in these areas. Catalogs, handbooks, policies, plans, procedures, and guidelines are being completely restructured (evidence provided for this standard may be noted as "draft" and will exclude sensitive information).  For example, the newly ratified Appropriate Usage Policy[1] and the Information Security Program Policy[2] are being implemented at all four campuses.  Although some of the technologies by which we protect student data have changed and the scope of protection has grown to be consistent across all four campuses, the institution’s protection of the security of student data has not been impacted.  For instance, the Banner system is still located in the same area and protected with the same technical, physical, and administrative controls; the Registrar still uses FERPA privacy rules to protect student data, and FERPA is unchanged; and since the Banner system’s location is unchanged, the backup of student records continues uninterrupted.

 

Student Academic Records

The definition of student academic records and the policies and procedures governing their confidentiality, access, release, and security are set forth by the Family Educational Rights and Privacy Act of 1974, as amended.  Student academic records are those records which are directly related to a student and are maintained by UNG or a party acting for UNG.  The definition of student academic records and the policies and procedures governing the release of these records are published on the UNG public website[3] in the FERPA Annual Notification GSC[4] and FERPA Annual Notification NGCSU[5] statements. As the UNG website continues to be developed, a UNG FERPA Annual Notification will be added.  Notification of students’ rights regarding the privacy and release of their student academic records is also made available in the UNG Undergraduate Catalog[6] and in the UNG Student Handbook[7].  The Registrar is the designated steward for students’ education records.

 

Students and others in the community are informed of policies and procedures governing student records through a variety of methods.  At freshman orientation, parents of new students are introduced verbally to their student’s FERPA rights concerning student academic records.  Additional information regarding the privacy of student academic records is available to parents via the UNG website[3] (GSC[8] and NGCSU[9]).  UNG recognizes the confidential nature of the student information that is collected and maintained. In accordance with the Family Educational Rights and Privacy Act of 1974, as amended, students are notified annually of the types of records that are maintained and the custodians for each type of record. Information concerning the types of records, as well as policies concerning access, disclosure, and correction of records, has been provided in the UNG 2013-2014 Student Handbook[7]; FERPA guidelines are available on the Registrar’s UNG[3] web page (GSC[10] and NGCSU[11] FERPA Rights).  Section 10.6 of the UNG Faculty Handbook[12] also states the University’s commitment to privacy of student records. The Registrar consults with the University System of Georgia Legal Affairs, the Family Policy Compliance Office with the U.S. Department of Education, the American Association of Collegiate Registrars and Admission Officers (AACRAO), and the Council on Law in Higher Education (CLHE) to ensure compliance with FERPA law and to clarify ambiguous FERPA issues when translation or interpretation of the law is needed.

  

Policies and Procedures

Access to both printed and electronic student academic records is restricted to those permitted by UNG policy to gain access and is granted only for the purposes of employment on a need-to-know basis.  Each UNG student is assigned a unique identification number that requires a password to access individual records. Staff and student workers have their own IDs and passwords so that alterations to records can be tracked and monitored to ensure the integrity of the information contained in each student record.  In addition to providing guidelines for choosing and maintaining secure passwords, the Appropriate Usage Policy states in part that:

Appropriate use should always be legal, ethical, reflect academic honesty, reflect community standards, and show restraint in the consumption of shared resources demonstrating respect for intellectual property; ownership of data; system security mechanisms; and individuals’ rights to privacy and to freedom from intimidation, harassment, and unwarranted annoyance…. Computer accounts, passwords, and other types of authorization are assigned to individual Users and must not be shared with others.

 

Examples of policies and procedures used by UNG include the User Account Policy[13] (currently under revision), User Account Management Policy[14] (currently being ratified), and the BOR Policy Manual – Section 10.4 Records Retention and BOR Records Retention Schedule[15].  Beginning with Section 2.0 of the Appropriate Usage Policy[16], UNG stipulates that access to information requires specific authorization from the unit responsible for the information.  The University has enacted policies for the purpose of restricting access to student academic records where appropriate.  Access to the database containing student records is controlled by user ID and password.

  

Best Practices

The policies regarding student records, which accord with federal regulations and follow educational best practices, are located within the UNG Catalog[6], UNG Counseling Consent Forms[17], UNG Disability Services Confidentiality Agreement[18], Student Privacy (FERPA) UNG[3] website (GSC[4] and NGCSU[5]), UNG Student Handbook[7], and the Disclosure and Authorization Forms (GSC[19] and NGCSU[20]).  Faculty and staff, as well as student workers whose job duties involve viewing and/or maintaining student academic records, are required to complete the online FERPA tutorial located on the Registrar's UNG web page[3] (GSC[21] and NGCSU[22] tutorials) before gaining access to the Banner Student Information System.  New faculty and staff complete the FERPA tutorial as part of their new employee orientation through the Department of Human Resources.  Upon completion of the tutorial, the employee submits an electronic confidentiality agreement, whereupon an electronic copy is forwarded to Human Resources and to the Registrar’s Office for permanent storage.  The Department of Human Resources stores a printed copy in the employee’s personnel file, and the Registrar maintains an electronic spreadsheet of employees and their tutorial completion date.  University employees who are rehired after a minimum one-year absence from employment at the University must retake the online FERPA tutorial.

 

Student workers are not granted access to the Banner Student Information System.  However, student workers whose duties require them to view and/or handle student academic records must complete the online FERPA tutorial upon their hire date, or they must attend a FERPA awareness training session presented by the Registrar’s Office.  Each immediate supervisor maintains the student workers’ signed confidentiality agreement.  The Registrar receives an electronic copy of the electronic confidentiality agreement and stores it permanently. 

 

The Primary Designated School Official (Coordinator of International Admissions) in the Office of Admissions maintains confidential immigration files on each F-1 status international student, per federal immigration regulations (Title 8 of the Code of Federal Regulations, 8 CFR Part 214, Nonimmigrant Classes, § 214.2(f)).  These physical documents remain in a locked cabinet in a secure area of the Admissions Office and are accessible only to the Designated School Officials (Director of Admissions, Registrar, and Coordinator of International Services) when reporting to the Department of Homeland Security each semester.  Access to students’ online immigration records in the Student and Exchange Visitor Information System (SEVIS) is restricted by the Department of Homeland Security to only the approved Designated School Officials (8 CFR Part 214, Nonimmigrant Classes, § 214.2(f)).

  

Securing Student Academic Records

Student academic records consist of printed and/or electronic records.  Both printed permanent record cards for pre-electronic students and eight years of printed student academic records for students who have a combination of printed and electronic records are maintained and stored within secured vaults located within the Registrar’s Offices.  The Registrar’s Office, student workers, and Financial Aid Office have key-card access to these vaults.  Staff in Undergraduate Admissions, Graduate Studies, Corps of Cadets, Financial Aid, Academic Affairs, and Student Affairs may access the Registrar’s vault on a need-to-know basis.  Student academic information is imaged through a module within the student information system and is stored permanently as an electronic record.  Most University employees have access to some form of the electronic student record, mainly through access to the student’s TRANGUID in Banner Web or access to students’ contact information: all faculty, the Physical Fitness Center or PE facilities, the President’s Office, University Affairs, Campus Police, Financial Aid, Admissions, Student Life, Counseling and Career Services, Dean of Students Office, Institutional Diversity, Institutional Effectiveness, Disability Services, Health Services, Housing Office, Card and Student ID office, Business Office, the Advising Centers, Game Room, Foundation and Student Scholarships, Library, Bookstores, and Parking Offices.

 

Each office within Student Affairs that maintains paper educational records maintains those records under lock and key. Individual offices construct guidelines that are appropriate for the type of record the office maintains. For example, Student Health Services and Student Counseling Services maintain student health records in accordance with HIPAA regulations and provide training to staff members regarding the confidentiality and security of records. These records are kept for three years in accordance with the law before being destroyed and are accessible only to the healthcare professional or administrative assistant.  Student Health Services employees receive training on procedures relating to the privacy of student health records and sign a confidentiality statement. The UNG Student Health Services website[23] contains information on confidentiality[24] and privacy.  The Student Counseling Services website[25] contains information about the importance of maintaining confidentiality. Staff members are engaged in discussions of maintaining records and information security. The form Informed Consent for Psychological and Counseling Services describes the management of confidentiality and paper records.  The Office of Career Services requires all student assistants and staff working in the office to sign an Acknowledgment of Understanding agreeing to maintain the confidentiality and security of records as a condition of employment.  The University also requires its student workers to sign an acknowledgement of understanding.

 

In addition to the records maintained and stored by the Registrar and Information Technology, Career Services, Student Counseling, Residence Life, and other offices of Student Affairs also maintain student-oriented records.  The Disability Services Offices secure student academic records in locked cabinets with limited key access. Electronic student records are maintained solely by Disability Services staff members. Faculty do not have access to student disability files.  However, UNG officials who have been determined by Disability Services to have a legitimate educational need-to-know may be granted access to relevant records. Disability-related documents created by Disability Services will not be released to an outside third party without the written consent of the student.  Disability-related documents obtained from a third party (e.g., medical records, diagnostic reports) will be released only to the student with the appropriate written authorization.  Any information regarding a disability obtained from the student or other sources shall be considered confidential and will not be disclosed without prior written permission.  Neither disability nor the use of accommodations is noted on students’ academic transcripts.  Disability Services stores printed copies of student academic records for seven years past the semester of last enrollment.

 

The Personal Counseling and Wellness Centers and Career Centers operate jointly and store all student records in locked file cabinets inside offices or closets that remain locked when unoccupied.  In the Career Centers, electronic student records are maintained by the offices of Career Services in accordance with the Appropriate Usage Policy.  The Counseling and Wellness Centers at Gainesville and Oconee have begun maintaining student records on a computerized client records system, Titanium Schedule, which stores the records on a dedicated MS SQL Server that is accessible only to Counseling and Wellness Center administrators and to the Division of Information Technology for server maintenance.  The student records are securely stored and backed up according to Gainesville’s policy.  Supplementary records for students (e.g., test results, letters, and e-mails) are scanned and entered directly into the Titanium system.  Titanium Schedule has HIPAA-compliant features such as required user names, passwords, internal security levels, login audit trails, and inactivity timeouts.  The Personal Counseling and Wellness Centers abide by the ethical standards set by the American Psychological Association (APA).  Printed records are maintained and stored for seven years after the last date of service delivery for adults or for ten years for minors.  Electronic records are maintained and stored in accordance with the University System of Georgia Board of Regents document-retention schedule.

 

The Testing Centers are located in secure, locked offices. Records maintained by the Testing Centers include: COMPASS Placement and Exit tests, College Level Examination Program (CLEP), DANTES Subject Standardized Tests (DSST), the Residual ACT, the institutional TOEFL, and disability accommodation forms at the Oconee campus only. Disability accommodation forms are stored in a locked desk drawer to which only the Coordinator of Testing and Financial Aid/Testing Specialist have access.  Electronic copies of these testing records are saved in electronic files that are password-protected and are subject to the Appropriate Usage Policy, and can only be accessed by the Office of Testing and Financial Aid. Printed copies of testing records are stored in locked storage. Printed test records are maintained by the Testing Centers for ten years and then are shredded.  Electronic test score records are stored indefinitely.  To comply with FERPA, students who wish to have their scores submitted to another institution or third party must submit a signed form to the Testing Center.

 

Fully online and hybrid courses are supported by the institution’s course management platform, Desire2Learn, which is known as eLearning. UNG uses Kerberos authentication for eLearning access. Kerberos is a system that allows students to access eLearning with the same UNG user name and password that they use to access their student records. All information is pulled from Banner, which requires that a student first apply and be accepted before registering for an online course. eLearning is hosted on a secure (https) server by the University System of Georgia Information Technology Services. If changes are made to student enrollment, the change must be made and verified through Banner first. Students may view their grades for an individual course within the course itself while logged into eLearning, but the use of their unique UNG user name and password to log in ensures that each student only has access to his or her individual record in the grade book feature.

 

Physical Security

UNG manages the physical security of record storage through the use of a number of security plans that are reviewed annually by the University System of Georgia: the Securing the Physical Infrastructure Plan[26] and the System Security Plan[27]. The purpose of the Securing the Physical Infrastructure Plan is to supplement the System Security Plan with documents that focus on the physical security needs of the IT infrastructure.  These needs are the physical locking and safeguarding of the data closets and computer centers/server rooms.  Also addressed are the identification and protection of the power systems that service the University after an event has taken place, and the network infrastructure that supports communications across campus locations.  The System Security Plan is the cornerstone document that supports all of Gainesville’s Information Technology security-based plans, policies, procedures, standards, and configuration guides.  In Dahlonega, the NGCSU Security Plan[28] serves as the de facto document governing security measures and controls (this is to be consolidated into one document).  These are audited following the Audit and Vulnerability Scan Policy.  The Audit and Vulnerability Scan Policy establishes Information Technology’s responsibility to conduct audits and vulnerability scans and the authority to conduct such activity, while understanding that such scans may have potential costs.

 

Other departments have established policies for record retention and confidentiality that are consistent with the Board of Regents record retention policies. The policy Safeguarding Confidential Information covers all state and federal compliant data sets including, but not limited to, FERPA and GLBA.  To aid in protecting the confidentiality of student academic records, UNG does not use the Social Security Number as the primary identifying key in the Banner Database. A unique student identification number is assigned to all students. Students may also elect to restrict access to their directory information by submitting a written request to the Registrar’s Office. Physical student records are maintained in locked filing cabinets in designated student affairs offices.  Access to files is restricted to authorized personnel.  All student housing records and/or other information regarding residential students housed in the traditional residence halls are maintained in two areas: in the Banner system and in hard copy files kept in the Residence Life Office. Student information contained in the Banner system can be accessed only through user identification and password, and the Residence Life Office uses only the student ID number to access these records. Hard copy records are maintained in filing cabinets in the Residence Life Office. These cabinets are kept behind two locked doors and are only accessed by professional Residence Life Staff.

 

The Office of Student Affairs maintains judicial records, commuter affidavits, requests for medical withdrawal, and other confidential documents in a secure room within the suite of the Vice President for Student Affairs.  Office personnel, including student assistants, are trained on the confidentiality and security of student records.  Proper handling and disposal of the records are the responsibility of the Administrative Assistant to the Vice President of Student Affairs. 

  

Records Retrieval

The Securing the Logical Infrastructure Plan[29] is the flagship document designed to secure Gainesville/Oconee systems, networks, and ancillary services through the use of best practices and checklists.  UNG has detailed policies that are directly related to security of electronic records and data, including student academic records. The Appropriate Usage Policy is the university-wide policy intended to allow for the proper use of all UNG IT resources, effective protection of individual users, equitable access, and proper management. The Incident Response Plan details the steps taken to respond to incidents and follow up afterwards.  These documents focus on security threats and risk assessments, breach and hacking prevention, and the processes of response. The Disaster Recovery Plan’s primary focus is to provide a programmed response to a disaster that destroys or severely cripples the University’s central computing and networking systems operated by the Division of Information Technology; its secondary focus is to describe a number of measures taken to mitigate or minimize the effects of a potential disaster.

The Business Continuity Plan (BCP) establishes procedures to recover the IT infrastructure following a disruption. The objectives established for this plan are to maximize the effectiveness of continuity operations through an established plan that consists of the following phases: 1) Notification/Activation Phase to detect and assess damage and to activate the plan; 2) Recovery Phase to restore temporary IT operations and recover damage done to the original system based on Information Technology’s Disaster Recovery Plan; and 3) Reconstitution Phase to restore IT system processing capabilities to normal operations.  The Incident Response, Disaster Recovery, and Business Continuity Plan documents are considered sensitive and are not available to the public; however, the documents may be obtained for review with permission from the Chief Information Officer. The procedures outlined in the Business Continuity Plan are reviewed annually and are referenced within the University's Emergency Operations Plan.

 

UNG has several policies related to the security of electronic student records. The Appropriate Usage Policy ensures that personal and confidential information is protected and that only certain authorized employees have access to student data. The Incident Response Plan and Disaster Recovery Plan outline steps to be followed in an external attack on the University's computer system. The Business Continuity Plan provides a contingency plan in the event of a major disruption to the computing system. For example, data are “automatically” backed up each night.  In Gainesville, critical electronic student records are backed up every evening. This data is kept in two formats: an electronic format known as “disk-to-disk” and a tape format known as “disk-to-tape”. Furthermore, all electronic student files, including all students’ financial aid information, are backed up every week and stored in a safe-deposit box at a remote location away from the University or within IT’s fire-rated safe.  In Dahlonega, student academic data is stored on the Banner Database Server, which is backed up onto tape daily, with thirty daily tapes and one monthly tape. The manual for backup and recovery of data is stored in a fireproof safe in the server room. The University has specified procedures to ensure physical security of the server room and remote tape storage sites.  Other student data is also stored on the Banner Database Server, which is backed up onto tape daily, with thirty daily tapes and one monthly tape.

 

All Banner electronic files are backed up weekly and are stored either in a safe-deposit box in a remote location or within the Division of Information Technology’s fire-rated safe.  The Incident Response and Disaster Recovery Plans outline steps to be followed in an external attack on the University's computer system. Information Technology’s Business Continuity Plan provides a contingency plan in the event of a major disruption to the computing system.  Physical records are managed in accordance with the University System of Georgia Records Management, and records retention guidelines are in compliance with federal and state law, including the Georgia Records Act [34] and the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99).

   

Challenges and Expectations

Throughout this narrative, the duality of the documentation and website representation is unavoidable this early in the consolidation process.  The consolidation of North Georgia College & State University and Gainesville State College into the University of North Georgia has posed challenges in providing current, ratified, and unified governance instruments, plans, guidelines, and informational communiqués. One example of this challenge is that the catalogs and handbooks once used now need to be completely restructured to include information for multiple campuses and all levels of students.

Evidence
[ 1 ]   File  UNG Appropriate Usage Policy 
[ 2 ]   File  UNG SecurityPolicy 
[ 3 ]   File  FERPA UNG 
[ 4 ]   File  FERPA Annual Notice GSC 
[ 5 ]   File  FERPA Annual_Notice NGCSU 
[ 6 ]   File  2013-14_UndergradCatalogTOC_Linked_June6 Page 76, Student Privacy
[ 7 ]   File  UNG Student Handbook 2013-2014 updated 6.12.13 Page 22
[ 8 ]   File  FERPA for parents GSC 
[ 9 ]   File  FERPA for parents NGCSU 
[ 10 ]   File  FERPA Rights GSC 
[ 11 ]   File  FERPA Rights NGCSU 
[ 12 ]   File  Faculty Handbook_July13-updatedTOC Page 42
[ 13 ]   File  UNG AccountPasswordPolicy 
[ 14 ]   File  UNG AccountMgmtPolicy 
[ 15 ]   File  USG Records Management and Archives webpage 
[ 16 ]   File  UNG Appropriate Usage Policy Page 4
[ 17 ]   File  UNG Counseling Constent Forms Menu 
[ 18 ]   File  UNG Disability Services Confidentiality and Records Security Agreement 
[ 19 ]   File  FERPA Request to Prevent Disclosure GSC 
[ 20 ]   File  FERPA NGCSU Open Disclosure Form 
[ 21 ]   File  FERPA Tutorial GSC 
[ 22 ]   File  FERPA_Tutorial NGCSU 
[ 23 ]   File  UNG Student Health Services website 
[ 24 ]   File  NGCSU Student Health Services Confidentiality 
[ 25 ]   File  UNG Student Counseling website 
[ 26 ]   File  SecuringPhysicalPlan_SACS 
[ 27 ]   File  System Security Plan_SACS 
[ 28 ]   File  NGCSUSecurityPlan_SACS 
[ 29 ]   File  SecuringLogicalPlan_SACS