Student Data Security, Classification and Handling

1
Student Data Security, Classification and Handling

• Student Data at Purdue University
• (Updated March 11, 2009)

2

Why is Data Security Important?
3
Avoid Risking Safety

• Some students at Purdue University have chosen
  to withhold their information from being
  published in the Purdue directory. They may have
  chosen this for numerous reasons, but their
  privacy needs to be respected. Unfortunately,
  some students may be in a situation where they or
  their families personal safety may be in jeopardy
  if this information fell into the wrong hands.

4
Avoiding Federal Penalties and Fines

• We are bound by federal guidelines such as FERPA,
  GLBA and HIPAA. These guidelines require us to
  handle data in a certain way. If we fail to
  comply with these guidelines, Purdue could
  receive penalties and/or fines.

5
Embarrassment to the University

• When data is compromised, letters are typically
  sent out to those who were potentially affected.
  Articles and reports as well as news releases
  may be seen in local or national newspapers or
  television stations.

6
Financial Resources

• Some areas of the University have access to
  bank account information (such as the Bursar).
  Therefore, we need to protect this information in
  order to avoid its falling into the wrong hands.

7
Why Should I Care?

• Often we become desensitized to the data that
  we handle in our everyday job. However,
  somewhere, someone is handling your information.
  Think about how you would want your own
  information protected and use those same measures
  for protecting the information of individual
  students at Purdue University.

8
Security Policies and Memorandums
9
Data Security and Access Policy C-34

• Applies to administrative computing resources
  regardless of where they may reside. The three
  major guiding principles are
• Access To assure that employees have access to
  relevant data they need to conduct University
  business.
• Data Security To prevent unauthorized access to
  systems, data, facilities, and networks.
• Physical Security To prevent any misuse of or
  damage to computer assets or data.
• This policy specifically states that, No
  University employee will knowingly damage or
  misuse computing resources or data. The
  employees need to access data does not equate to
  casual viewing. It is the employees obligation
  and his/her supervisors responsibility, to
  ensure that access to data is only to complete
  assigned functions.

10
Other Policies You Should Know

• FERPA http//www.purdue.edu/policies/pages/recor
  ds/c_51.html
• GLBA http//www.itap.purdue.edu/security/policies
  /GLBPurdue1.doc
• HIPAA http//www.purdue.edu/policies/pages/recor
  ds/vi_2_1_healthprov.html
• AND
• http//www.purdue.edu/policies/pages/records/vi_2_
  1_fwdental.htm
• Release of Student Information
  http//www.purdue.edu/SSTA/datasteward/policies/fi
  les/Policy20procedures20for20release20of20inf
  o.doc

11
Information Technology Policies

• SSN Policy
• All new systems purchased or developed by Purdue
  will NOT use SSN as identifiers
• All University forms and documents that collect
  SSNs will use the appropriate language to
  indicate whether request is voluntary or
  mandatory.
• Unless the University is legally required to
  collect an SSN, individuals will not be required
  to provide their SSN. The PUID may be provided
  instead.
• http//www.purdue.edu/policies/pages/information_t
  echnology/v_5_1_print.html

12
Information Technology Policies

• Email Policy
• Employees are granted email accounts for the
  purpose of conducting University business.
• Emails sent by users or which reside on
  University email facilities may be considered as
  public records (Indiana Public Records Act)
• Users should exercise caution and any information
  intended to remain confidential should not be
  transmitted via email.
• Refrain from improper use (i.e. commercial or
  private business purposes, organized political
  activity), to harass or threaten other
  individuals or to degrade or demean other
  individuals.
• http//www.purdue.edu/policies/pages/information_t
  echnology/v_3_1.html

13
Information Technology Policies

• IT Resource Acceptable Use Policy
• Only access files or data if they belong to you,
  are publically available, or the owner of the
  data has given you permission to access it.
• Complies with applicable laws and University
  policies, regulations, procedures and rules.
• Prohibits use of IT resources for operating
  business, political activity or personal gain.
• http//www.purdue.edu/policies/pages/information_t
  echnology/v_4_1.html

14
Policies Resulting from State/Federal Guidelines
or Mandates
15
Indiana SSN Disclosure

• Indiana Code 4-1-10 Release of Social
  Security Number - Except where otherwise
  permitted, a state agency may not disclose an
  individuals SSN.
• Disclosure is only permitted when
• The person gives their written or electronic
  consent
• Where required by federal or state law
• Where required by court order
• Various other federal law requirements (Patriot
  Act)
• A state agency discloses the SSN internally or to
  another state, local or federal agency
• A state agency discloses the SSN to a contractor
  who provides goods or services if the SSN is
  required for the provision of the goods or
  services (contractual safeguards are required)
• A state agency discloses the SSN to a contractor
  for the permissible purpose set forth in HIPAA
  and FERPA
• Example SSN is collected when applying for
  Federal Financial Aid. This process is allowed
  under the law and is an acceptable business
  practice.

16
Notice of Security Breach

• Indiana Code 4-1-11 Notice of Security
  Breach Any state agency that owns or licenses
  computerized data that includes personal
  information shall disclose a breach of the
  security of the system following a discovery or
  notification of the breach to any state resident
  whose unencrypted personal information was or is
  reasonably believed to have been acquired by an
  unauthorized person.
• Personal information under the law is defined as
  a persons first AND last name OR first initial
  AND last name in addition to one of the
  following
• SSN
• Drivers license or state ID number
• Account number, credit card number, debit card
  number, security code, access code, password to
  an account
• The notification that must occur to the affected
  individuals must be made without reasonable delay
  and except in certain circumstances must be made
  in writing.

17
FERPA

• Family Education Rights and Privacy Act of 1974
• Outlines what rights the student has to his/her
  education records. It also outlines when
  education records can be disclosed and to whom.
• Examples of FERPA protected data are
• Grade transcripts and degree information
• Class Schedule
• Students information file including demographic
  information.
• More information on FERPA protected data is
  provided at the time you take your yearly FERPA
  certification.
• https//www2.itap.purdue.edu/SSTA/certifications/r
  eview.cfm?id1

18
GLBA

• Gramm Leach Bliley Act
• GLBA was set forth by the Federal Trade
  Commission. Its intent is to protect personally
  identifiable information in situations where a
  consumer has provided information with intent to
  receive a service.
• Examples of financial services at Purdue include
• Student loans
• Information on delinquent loans
• Check cashing services
• More information on GLBA protected data
  is provided at the time you take your yearly GLBA
  certification.
• https//www2.itap.purdue.edu/SSTA/certifications/r
  eview.cfm?id2

19
HIPAA

• Health Insurance Portability and Accountability
• Act of 1996
• Requires that Purdue must preserve the privacy
  and confidentiality of protected health
  information.
• Examples of protected health information are
• Past, present or future physical or mental health
  condition
• Past, present, or future payment for health care
  that identifies an individual (i.e. name,
  address, SSN, birth date).
• Note that additional training may be required
  according to the area in which you work. You
  will be contacted if training is required.
• https//www2.itap.purdue.edu/SSTA/certifications/r
  eview.cfm?id3

20
Summary

• You should only access data that is needed to
  complete your assigned work function.
• Use the PUID instead of an SSN whenever possible.
• Users should exercise caution and any information
  intended to remain confidential should not be
  transmitted via email.
• An employee can be held personally responsible if
  improper disclosure of SSNs is impermissibly
  made.
• FERPA refers to student data that is protected by
  federal law.
• GLBA refers to personally-identifiable
  information in situations where a consumer has
  provided information with intent to receive a
  service.
• HIPAA refers to protected health information.
• FERPA and GLBA require yearly certifications.
• You will be notified if HIPAA training is
  required.
• You should not store any restricted data on your
  desktop or on your C drive.

21
Data Classification At Purdue University
22
Data Classification

• For the purposes of handling data appropriately,
  data is classified by the data stewards and
  information owners into one of the following
  three categories
• Public
• Sensitive
• Restricted

23
Public Student Data

• May be or must be open to the public.
• The student has the option to choose whether they
  want their directory information restricted or
  not. In Banner, a student requesting a
  restricted directory will restrict ALL data, not
  just portions of it as is done in the current
  mainframe system.
• Examples of student data included in this
  category are
• Summary reporting data as appearing in the data
  digest.
• The course catalog
• Directory information Name, local and home
  address, local and home telephone listing, email
  address, school and curriculum, classification
  and credit hour load, dates of attendance,
  degrees, awards and honors received,
  participation in officially recognized
  activities, height, weight and position of
  members on athletic teams.

24
Sensitive Student Data

• Sensitive student data is information that should
  be guarded due to proprietary, ethical or privacy
  considerations. This classification applies even
  though there may not be a civil statue requiring
  this protection.
• Examples of student data in this category
  include
• PUID (the PUID and name may be shared internally
  between offices via email and fax)
• Major Program of Study
• Admissions Applications
• Decision Letters
• Date of Birth
• Ethnicity

25
Restricted Student Data

• Restricted student data is information protected
  by statute, FERPA, HIPAA, GLBA, and represents
  information that isnt by default protected by
  legal statute, but for which the Information
  Owner has exercised their right to restrict
  access.
• Examples of student information in this category
  include
• Student Academic Record
• Social Security Number
• NOTE You should NOT store any restricted
  information on your desktop, or, on your C drive.

26
Personally Identifiable Information (PII)

• PII information includes the following
• Date of birth
• Mothers maiden name
• Drivers license number
• Bank account information
• Credit card information
• When the above information is used in combination
  with PUID, the information becomes HIGHLY
  SENSITIVE and additional steps should be taken
  to protect the information. Refer to the data
  handling guidelines for details on how to handle
  these data.
• PII can also be personal characteristics that
  make a persons identity easily traceable. For
  example, if you did a query against the data
  warehouse and returned information related to
  gender, ethnicity and residency in a small
  department or school, it could be easy to
  determine who an individual is.

27
Student Confidentiality

• A students confidentiality should be paramount,
  and if in doubt as to how to handle the
  information, please contact the Student Services
  data steward.
• http//www.itap.purdue.edu/ea/stewards/

28
What is Confidential?

• The term Confidential is often used
  interchangeably with other security terminology.
• Confidential is not a data classification like
  sensitive or restricted. It describes how
  information should be treated. For example, a
  conversation between an academic advisor and
  student may be confidential and the student
  wishes that the advisor not share the information
  with anyone else.

29
More Detail on Student Data

• More detail on Sensitive Student Data
• http//www.purdue.edu/SSTA/datasteward/security/fi
  les/Data20Classified20Sensitive.pdf
• More detail on Restricted Student Data
• http//www.purdue.edu/SSTA/datasteward/security/fi
  les/Data20Classified20Restricted.pdf

30
We are all Data Custodians

• Data Custodians Responsible for implementing
  the policies and guidelines established by the
  Information Owners. This includes every staff
  member within the University. Each individual is
  in the best position to monitor daily data usage
  and ensure that information is securely handled
  in the most appropriate manner.

31
Who Owns the Information?

• Information Owners Provide policies and
  guidelines for the proper use of the information
  and may delegate the interpretation and
  implementation of these policies and guidelines
  to appropriate personnel. The following
  represents the Information Owners in Student
  Services

32

• Thank you for reviewing this information. You
  now need to take the quiz.