DCC student and employee information must be safeguarded.

Transcription

1 1

2 2 Raise Awareness EVERYONE at DCC must know their responsibilities. DCC student and employee information must be safeguarded. What kinds of risks exist? Risk of theft Risk of simple misplacement such as losing a report Risk of unauthorized disclosure

3 3 Vassar Brothers Hospital Laptop stolen with social security numbers, names, and addresses of thousands of patients. Nassau Community College Printed document with social security numbers, names, addresses and phone numbers of more than 21,000 students SUNY Sungard Banner consultant had his laptop stolen. Data on the laptop was not encrypted. Over 5000 student records were on the laptop containing social security numbers. One of them was a DCC student. We were lucky!

4 4 Protection of information is REQUIRED BY LAW FERPA and HIPAA NYS requires us to adhere to a minimum set of information security standards. Policy is posted on the Campus Documents page in mydcc.

5 5 Information security is the responsibility of EVERYONE who has access to information from college administrative systems. Access to information residing on computer systems. Access to information on paper reports. If you have access to confidential data it is YOUR responsibility to: Understand how to properly handle/dispose the information. To safeguard it s integrity and dissemination. To raise an alarm if you think information is not being properly handled.

6 6 Information Owner Information owners must be familiar with the legal requirements for access and disclosure of their information. Responsible for assigning the initial information classification and the access privileges of users. Information owners are responsible for developing secure disposal and disaster plans for their information. Responsible for the birth to death lifecycle of data.

7 7 Information Owners at DCC Student Information The Registrar Debbie Weibman Student Accounts Director of Student Accounts - Cathy McCue Financial Aid Director of Financial Aid Susan Mead Alumni Data Director of the DCC Foundation Trish Prunty Credit Free Data Director of Community Services Russ Pirog Course Catalog Director of Scheduling Susan Moore

8 8 Information Data Custodian EVERYONE at DCC who has access to DCC administrative information is an Information Data Custodian. An Information Data Custodian must be familiar with the legal requirements for access and disclosure of the information they have access to. Information Data Custodians are responsible for complying with policies regarding to access, and the secure disposal for information they have access to. Information Data Custodians are accountable for their actions.

9 9 What data is confidential? MOST personal student and employee data is confidential and must be protected. Only directory information is considered public. Directory information is limited to: Name Dates of attendance Date of graduation Degree Enrollment status A student may submit a waiver prohibiting the college from releasing his/her directory information, so even releasing directory information requires judgment.

10 10 Be vigilant with protecting your own identity as well as the identity of students whose records are in your custody. Do not release information over the phone unless you can confirm the identity of the caller. Close files that are not in use or when a third party is present. Be on guard for fraud. If you suspect a document is fraudulent, save it including the envelope and tell your supervisor. Change or update only data in your area of authority. Report any security breaches to the Help Desk.

11 11 Never use an obvious or easily guessed password. Never save your password in a browser. Never write your password down and stick it on your monitor. NEVER share access to your sign on and password. This breaks the fundamental basis of data security accountability. If a colleague can t perform a function with their id contact the Help Desk to have the person s id configured appropriately. Don t share your id for expediency reasons.

12 12 Storage ALWAYS keep reports locked up Treat reports as you would your personal tax returns. Be sure records on your desk cannot be viewed by the public. Keep reports an arm s length away from public areas. Limit the printing of hard copy reports. View the information on the screen. If you must print, print to a local printer located in a secure area. NEVER download personal data to diskettes and flash drives. They are easily lost or stolen.

13 13 Disposal Shred or discard in secure disposal containers all forms and print outs with student information. Not just social security numbers. Make a particular effort to dispose of old records. Save the minimum data required by the NYS Records Retention and Dispersal Schedule available in your office.

14 14 Lock your screen when you step away by using the Windows Key/L keys. Voice your concerns about information security questions or if you witness any security breaches. Contact any of the data owners or the Help Desk. Ask for the minimum amount of information you require. If you need to know how many students are in a program, you probably don t need their social security numbers and addresses.

15 15 REMEMBER without YOUR diligence and support, student and employee information cannot be protected.