Added: 1/22/2018
SECTION: General Information NUMBER: M/1.11
SUBJECT: Public and Sensitive Data Policy
SOURCE REFERENCE:
Public and Sensitive Data Policy
1. Purpose
The purpose of this policy is to minimize the risk of loss or exposure of sensitive information maintained by Gadsden State Community College.
2. Scope
This policy applies to all Gadsden State Community College (GSCC) employees, students, vendors, contractors and others that may use or have access to personally identifiable information(PII) or any other sensitive GSCC data.
3. Policy
GSCC recognizes its obligation to protect the privacy of PII that it maintains regarding its students, faculty, staff and others. Therefore, the College defines two types of information, "public" and "sensitive”, which guide the categorization of information and the development of guidelines for handling and disclosing each type of information.
Public information is any information that GSCC has not designated as sensitive information by policy. Public information is typically available to anyone who requests it. Public information must be appropriately vetted for accuracy before it is released. Summary data that has been aggregated to de-identify PII is by default considered public data. Only authorized GSCC employees may release public information.
Sensitive information can only be released to the subject of the information and to those within the college that have a legitimate need-to-know. In certain cases, outside entities may be provided the information if the subject of the information provides written permission or as otherwise allowed by law. In many cases, either state or federal law, including the following, protects the use of this information:
1. Graham-Leach-Bliley Act of 1999 (GLBA) - governs privacy and use of financial information
2. Health Insurance Portability and Accountability Act of 1996 (HIPAA) - governs privacy and use of health care information
3. Family Educational and Privacy Rights Act of 1974 (FERPA) - governs privacy and use of student information
The College recognizes the following as sensitive information:
· Otherwise public information about a student that the student has requested not be released without express written permission.
· Social security numbers
· Credit card and debit card numbers
· Bank account numbers and routing information
· Driver’s license numbers
· ID card numbers
· Student account files
· Academic advising records, admission files, standardized tests, transcripts
· Financial aid awarded, financial assistance application files, student federal work-study information, scholarships
· Athletics:Injury reports, scholarship contacts, performance records, height and weight information
· Records:Permanent record of academic performance (grades, transcript, including supporting documents), course schedules
· Residential life and housing files
· Student activity files, student disciplinary files, multi-cultural programs and services files
· Career planning files, including placement information and employers' files,
· International program files
· Admission files on prospective students
· Librarycirculation records
· Personal health records
· Health Insurance Information
· Patient information encountered in clinical situations
4. Policy Compliance
4.1 Compliance administration and monitoring
The Chief Information Officer (CIO) will implement IT policies and procedures to protect sensitive data in accordance with the National Institute of Standards and Technology standards for Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST 800-171).
The CIO will monitor compliance to this policy through various methods, including but not limited to, periodically auditing the College’s compliance with NIST 800-171.
4.2 Exceptions
The President must approve any exception to the policy.