
Student Records

GLBA

Introduction

North Georgia College and State University (the "University") is committed to the ongoing protection of confidential financial information that it may collect from faculty, staff, students, alumni and others. The Gramm-Leach-Bliley Act* ("GLBA") addresses the privacy of non-public identifying information and describes the necessity for administrative, technical and physical safeguarding of that type of information. GLBA mandates that the University develop, implement and maintain a comprehensive information security program (the "Plan") to ensure the safeguarding of Confidential Financial Information ("CFI"). The University obtains CFI from students, faculty, staff and others that may include, but is not limited to:

*15 U.S.C. §6801

• Names
• Social Security Numbers
• Date and location of birth
• Gender
• Credit card numbers
• Driver's license information
• Salary history
• Personal check information
• Tax or financial information from a student or a student's parents

Specific Authority
The GLBA is implemented by 16 CFR Part 314 and the Federal Trade Commission (FTC) Rules on "Standards for Safeguarding Customer Information". This policy statement sets the University's policy to ensure ongoing protection of CFI and serves as written evidence of a Security Plan in compliance with 16 CFR Part 314.3(a). The GLBA uses the term "customer" to describe persons whose information is to be protected under the Act.

GLBA Objectives and Requirements
The objectives of GLBA are to:

  • Insure the security and confidentiality of customer information
  • Protect against any anticipated threats or hazards to the security and integrity of such information
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer

"Customers" of the University include, but are not limited to, faculty, staff, students, alumni and others. To comply with safeguarding confidential financial records and related personal information and achieve these objectives, the University is required to:

  • Designate one or more employees to coordinate the safeguards
  • Identify and assess risks to customer information and evaluate the effectiveness of the current safeguards
  • Design and implement a safeguards program that includes regular compliance monitoring and evaluation
  • Select appropriate service providers and ensure that contracts with those providers include adequate safeguards for customer information
  • Provide for evaluating and adjusting the program in light of relevant circumstances
  • Ensure that all new and existing employees who are involved in activities covered under the Act receive safeguarding training.

Who Receives Information and Why
As required by GLBA, the University does not disclose any non-public financial information about our students/customers, or former students/customers, to anyone, except as permitted by law. The University may exchange such information with its affiliates and certain nonaffiliated third parties (under limited circumstances) to the extent permissible under law to service accounts, report to credit bureaus, provide loan services, or provide other activities related to financial services.

Upon request, a student/customer shall be informed of the existence, use and disclosure of their information, and shall be given access to it. Students/customers may verify the accuracy and completeness of their information, and may request that it be amended, if appropriate. Each department/unit is responsible for obtaining and presenting information when requested by a customer.

I. Scope of this Policy

This policy applies to all University personnel who administer, manage, maintain or use CFI. It also applies to the supervisors and unit administrators of those individuals. It applies to all locations of this information, whether on campus or from remote locations.

CFI includes any paper or electronic record containing non-public personal information about a customer that the University, or its affiliates, handle and maintain. CFI includes any personally identifiable information provided by students or others (such as loan applications, credit card numbers, account histories, and related consumer information) in order to obtain a financial product or service from the University (such as financial aid).

A. Network Security Officer

The person and/or department that is responsible for the implementation and execution of the Plan at the University is James Webb ("Network Security Officer" or "NSO"). All correspondence and inquiries should be directed to the Network Security Officer at Information and Instructional Technology. The Office of Business and Finance will coordinate with the Network Security Officer to maintain the Plan.

The NSO should assist the various offices of the University that have access to CFI to identify and reasonably foresee internal and external risks to the security of CFI. University Offices likely to be affected are the Business and Finance Offices, the Registrar's Office, the Admissions Office, the Student Financial Aid Office, Graduate Studies, the Office of Residence Life, Career Services, the Infirmary, Public Safety Offices, Alumni Affairs, and Continuing Education. Further, the NSO should (1) evaluate the effectiveness of the current safeguards for controlling these risks; (2) regularly monitor and test the Plan; and (3) design and implement any necessary changes to the Plan. The NSO should also work with other relevant Schools and Departments to identify third-party providers who have access to CFI so that the University secures contracts with those third-party providers to ensure the protection of CFI.

B. Identification of Risks and Risk Assessments

Each University department or office that handles or maintains CFI is responsible for identifying the type and form of the CFI within their departments or offices and taking appropriate measures to mitigate those risks. Examples of relevant areas to be considered when assessing the risks of unauthorized customer information disclosures include, but are not limited to:

  • Unauthorized access to CFI by employees, third parties or through requests
  • Compromised system security as a result of "hacking" or other unauthorized access
  • Failure to properly protect passwords (e.g. posting passwords in publicly viewable places)
  • Interception of data during transmission
  • Physical loss of data in a disaster
  • Corruption of data or systems
  • Paper forms containing CFI that are not restricted to authorized employees
  • Paper forms and computer systems vulnerable to break-in after hours
  • Paper forms and computer systems left unattended during business hours, and
  • Errors introduced into the system by authorized or unauthorized persons

The University recognizes that this may not be a complete list of the risks associated with the protection of CFI. Since technology growth is not static, new risks are created regularly. Accordingly, the NSO will monitor for the development of new risks.

II. Implementation of Policy

NGCSU's Safeguarding Program has six key components:

• Employee Training and Management
• Information System Security
• Detecting, Preventing and Responding to Attacks, Intrusions and Other System Failures
• Physical Security of Paper Records
• Disposal of Records
• Oversight of Service Providers and Contracts

A. Employee Training and Management

All University employees that will have access to CFI shall receive proper training on the importance of confidentiality of certain records, such as student records, student financial information, credit card numbers, credit checks, bank accounts, tax records and any other CFI maintained by the University, and the proper storage of CFI materials. All University employees with access to computers shall be trained in the proper use of CFI and the use of passwords to prevent the transmission or communication of CFI to unauthorized persons.

B. Information System Security

Access to CFI through the University's computer network shall be limited to those University employees who have a valid legitimate reason to have such information. All CFI that may be accessed through the University's computer network shall be protected by, and each University employee that needs to have access to CFI shall be assigned, a user name and password. Such user names and passwords shall expire periodically and shall not be posted in public spaces. The University will take all reasonable and appropriate steps consistent with current technological development to ensure that all CFI remains secure.

Information systems include network and software design, information processing, storage, transmission, retrieval, and disposal.

Network and software systems will reasonably limit the risk of unauthorized access to covered data.

Safeguards for information processing, storage, transmission, retrieval and disposal may include:

  • requiring electronic data (covered by the GLBA) be entered into a secure, password-protected system
  • using secure connections to transmit data outside the University; using secure servers
  • ensuring data is not stored on transportable media (floppy drives, zip drives, etc.); permanently erasing covered data from computers, diskettes, magnetic tapes, hard drives, or other electronic media before re-selling, transferring, recycling, or disposing of them
  • storing physical records in a secure area and limiting access to that area; providing safeguards to protect covered data and systems from physical hazards such as fire or water damage
  • disposing of outdated records under a document disposal policy; shredding confidential paper records before disposal
  • other reasonable measures to secure data during its life cycle in the University's possession or control

C. Detecting, Preventing and Responding to Attacks, Intrusions and Other System Failures

The University will maintain effective systems to prevent, detect, and respond to attacks, intrusions and other system failures. Such systems may include maintaining and implementing current anti-virus software; checking with software vendors and others to regularly obtain and install patches to correct software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data of threats to security; imaging documents and shredding paper copies; backing up data regularly and storing backup information off site; as well as other reasonable measures to protect the integrity and safety of information systems.

Systems will be implemented to regularly test and monitor the effectiveness of information security safeguards. Monitoring will be conducted to reasonably ensure that safeguards are being followed, and to quickly detect and correct breakdowns in security. The level of monitoring will be appropriate based upon the potential impact and probability of the risks identified, as well as the sensitivity of the information provided. Monitoring may include sampling, system checks, reports of access to systems, reviews of logs, audits, and any other reasonable measures adequate to verify that information security's controls, systems and procedures are working.

D. Physical Security of Paper Records

Only employees who have a legitimate and valid reason to have CFI shall have access to any physical paper records. The records should be kept in a secure place, such as a locked office or file drawer, to prevent unauthorized access. Such records should be secured in locked cabinets whenever an authorized employee is not present with the records, particularly overnight.

E. Disposal of Records

The University should only keep physical paper records and electronic documents for as long as they are being actively used by the University, or as necessary to comply with state, federal or local law, or the University's document retention policy. Paper documents containing CFI should be shredded at the time of disposal. Electronic records should be deleted and magnetic media should be erased.

F. Oversight of Service Providers and Contracts

GLBA requires that the University take reasonable steps to select and retain service providers that will maintain safeguards necessary to protect CFI. Contracts entered into with such service providers after the effective date of this policy should include a commitment by such service providers to the safeguarding of CFI. The NSO will work with the Procurement Office and Auxiliary Services to put such agreements in place.

III. Review and Revision of the Plan

GLBA mandates that the Plan be subject to periodic review and adjustment. The Plan shall be evaluated and adjusted in light of relevant circumstances, including changes in the University's business arrangements or operations, or as a result of testing and monitoring the safeguards. Periodic auditing of each relevant area's compliance shall be done at the joint discretion of the University's Internal Auditor and the Network Security Officer, but no less often than annually.


*16 C.F.R. Part §314.5(b)

FERPA

Accuracy and Privacy of Records
North Georgia College & State University recognizes its responsibility for maintaining accurate student information and academic records. NGCSU students have the assurance that their educational records, compiled and maintained by university officials, are recorded and retained in confidence in accordance with the regulations contained in the Family Educational Rights and Privacy Act of 1974. Briefly, this act calls for:

  1. Full access to student records by parents of students under 18, and to students 18 years of age and over;
  2. Hearings to contest contents of personal records that are suspected to be inaccurate; and
  3. Requirements of notice and written consent by students 18 and over, and parents of students under 18, before the records can be transmitted to most third parties.

The university will furnish annual notification to students of their right to inspect and review their educational records; the right to request amendment of educational records that are incorrect or misleading or that violate privacy or other rights; and of their right to a hearing to amend such records if necessary. This annual notice is published in the university catalog in greater detail listing the university official responsible for specific records as well as the hearing and appeal procedure.

Access to Records
Students have the right to be provided a list of the types of educational records maintained by the university that are directly related to the student; the right to inspect and review the contents of these records; the right to obtain copies of these records; the right to a response from the university to reasonable requests for explanation and interpretation of these records; the right to an opportunity for a hearing to challenge the content of these records; and if any material or document in the educational record of a student includes information on more than one student, the right to inspect and review only the part of such material or document as relates to the student. Students do not have the right to access financial records of their parents; confidential letters and statements of recommendation that were placed in the educational record prior to January 1, 1975, provided such letters or statements were solicited or designated as confidential and are not used for purposes other than those for which they were specifically intended; confidential recommendations, if the student signed a waiver of the right of access, respecting admission, application for employment, and the receipt of an honor or honorary recognition.

Students do not have the right to access instructional, supervisory and administrative personnel records that are not accessible or revealed to any other individual except a substitute; campus security records that are maintained apart from educational records, which are used solely for law enforcement purposes and which are not disclosed to individuals other than law enforcement officials of the same jurisdiction; employment records except when such employment requires that the person be a student; and the alumni records.

Students do not have the right to access physical or mental health records created by a physician, psychiatrist, psychologist or other recognized professional acting in his/her capacity or to records created in connection with the treatment of the student under these conditions and that are not disclosed to anyone other than individuals providing treatment. These records, however, may be reviewed by a physician or appropriate professional of the student's choice.

Procedures for Access to Educational Records
Students should contact the appropriate university official (see listing in catalog) to inspect and review their records. The registrar may require that a university official be present when a student inspects or reviews his/her educational records.

The university will release a student's educational record(s) upon the student's written request. In doing so, the student must:

  1. Specify the records to be released.
  2. Include the reasons for such release.
  3. Specify to whom the records are to be released.
  4. Have no outstanding financial obligations to the university.

The student may, upon request, receive without charge a copy of the record that is released. The university may release a student's educational records, without the student's prior written consent, to the following:

  1. University officials who have a legitimate educational interest.
  2. Officials of other schools where the student seeks to enroll.
  3. Representatives of federal agencies authorized by law to have access to educational records.
  4. State and local officials to whom information must be released pursuant to a state statute adopted prior to November 19, 1974.
  5. Appropriate persons in connection with a student's application for or receipt of financial aid.
  6. Organizations conducting studies for the university.
  7. Accrediting organizations and associations.
  8. Parents of a dependent student as defined in Section 152 of the Internal Revenue Code of 1954.
  9. Appropriate persons in emergency situations to protect health and safety of the student or other individuals.
  10. Persons designated in a lawfully issued subpoena or judicial order with the understanding that the student will be notified in advance insofar as possible.

No personal information on a student will be released without a statement from the university to the party receiving the information that no third party is to have access to such information without the written consent of the student.

Each office with educational records will maintain a record of each request and disclosure of personally identifiable information of a student except for information requested in writing by the student, information released to the student or the student's parents, directory information, and information released to university officials and instructors who have a legitimate educational interest in the records.

Release of Directory Information
Directory information may be released by the university without the student's written consent. Directory information consists of name, address, telephone number, major, advisor, holds, participation in recognized activities and sports, weight and height of athletic participants, dates of attendance and degrees received. Students may deny the release of directory information by requesting in writing to the registrar that such information not be released each semester they are enrolled. However, requests that directory information be withheld from a written publication must be received in sufficient time to prevent a delay in processing that publication.

Amending Education Records
Students may request that any information contained in their educational records that they consider to be inaccurate, misleading or in violation of their privacy or other rights be amended or deleted from the records (a grade or other academic evaluations may not be amended, except that the accuracy of recording may be challenged).

A student who requests that information in his/her records be amended should first contact the official with primary responsibility for the information. (See listing in catalog.) If the matter is not resolved to the student's satisfaction, the student should direct his/her request to the Associate Vice President for Academic Affairs.

Students wishing to file a complaint directly to the review board of H.E.W. should write to the Family Educational Rights and Privacy Office, Department of Health, Education and Welfare, 330 Independence Avenue, S.W., Washington, D.C. 20201. This policy is adopted pursuant to the Family Educational Rights and Privacy Act of 1974, as amended, and is not intended to impose any restrictions or grant any rights not specifically required by this act.

Types of Educational Records and Officials Responsible for Their Maintenance
The following are lists of student records and the officials responsible for their maintenance. Copies of these records will be made available to students upon individual written requests. Such requests must be addressed to the official responsible for the maintenance of the record.

Director of Admissions
Application for Admission
Application Processing Fee
High School and University Transcripts
University Entrance Exam SAT or ACT Scores
General Equivalency Development (GED) Examination Scores
GRE and GMAT Examination Test Scores
Immunization Certificate
International Admission Documents

Director of Student Financial Aid
Regents' Scholarship Application
Stafford Student Loan Application
Financial Aid Form
Pell Grant Student Aid Report
University Work/Study Job Assignment
Award Notification
Statement of Acceptance of Award
Academic Scholarship Application

Director, Division of Academic Support Programs
University Placement Examination Scores (Placement and Exit)
Individual Standardized Test Scores
Regents' Testing Program Scores
Georgia and U.S. History & Constitution Test Results

Registrar
University Level Examination Program Scores
Grades and Academic Standing Status
Petition for a Degree
Regents' Test Results
Georgia and U.S. History and Constitution Test Results
Registration Information—Enrollment Data
Veterans' Records
Rules and Regulations

Vice President for Student Affairs
Discipline File
Insurance Roster
Letters of Recommendation
Student Health Services
Counseling and Student Development Records

 

North Georgia College & State University
82 College Circle, Dahlonega, GA 30597
706.864.1400

 

This page last modified on: Tuesday, 23-Nov-2004 08:44:40 EST