Student Information System

1
Student Information System

• SIS Basics Managing Sensitive Data

2
What is SIS?

• Student Information System MSUs official
  source record of student information
• Information on
• People, e.g., prospects and students
• Admissions
• Academic History
• Courses
• Financial Aid and fee payment
• Support tables including MSUs organization
  structure, majors, fees, and other codes
• Online real-time transactional system

3
SIS Partners

• Academic Units
• Administrative Information Services
• Client Advocacy Office
• Controllers Office
• Enrollment Services
• Office of Admissions
• Office of Financial Aid
• Office of the Registrar
• Office of Planning and Budgets

4
SIS Basics Course Outline

• Managing Sensitive Data and SIS
• Diana DAngelo, Assistant Director, Client
  Advocacy Office
• SIS Basics Part A General Navigation
• Rochele Cotter, Director, Client Advocacy Office
• SIS Basics Part B Student Academic History
  Data Organization
• Rochele Cotter, Director, Client Advocacy Office

5
Managing Sensitive Dataand SIS

• Lesson I - Managing Sensitive Data at MSU
• Lesson II Data Governance, Data Stewardship and
  Protecting the Privacy of Confidential Student
  Records

6
Managing Sensitive Data and SIS

• Lesson I - Managing Sensitive Data at MSU

7
Data Management Initiatives at MSU

• Managing Sensitive Data Initiative
• Complying with regulations, contracts, policies,
  guidelines and procedures in protecting data and
  its appropriate use
• Protecting individual privacy and reducing the
  potential for identity theft
• Education and awareness
• Data Stewardship and Data Governance
• Privacy and Confidentiality Policy for
  Institutional Data
• Access Principles, guidelines and procedures
• Guidelines for managing research data

8
Data Management Initiatives at MSU (cont)

• Payment Card Industry Data Security Standards
  (PCI DSS) compliance initiative
• Social Security Number Privacy Policy
• Statement of Acceptable Use

9
What Constitutes Institutional Data?

• Any data/information the MSU workforce
• Collects
• Creates
• Stores
• Distributes
• Uses
• in the normal course of University business

10
Facets of Institutional Data
11
Data Stewardship Institutional Individual
Responsibility

• We have a legal and ethical responsibility to
  protect the privacy and confidentiality of
  institutional data.
• Legal Comply with federal state law,
  government and other regulations, MSU contracts,
  policies, guidelines and procedures
• Ethical Meet responsibilities to students,
  employees, alumni, and affiliates (clients,
  patients, patrons, partners, public, etc.)

12
CIA in Data Management

• Confidentiality vs. Availability
• Confidentiality
• Only authorized people access the data
• Integrity
• The data are accurate/trustworthy
• Availability
• Use the data effectively and efficiently while
  safeguarding confidentiality

13
Data Privacy and Security Guidelines

• Data are made available on a need-to-know basis
• Institutional data are only to be used in the
  context of University business
• Members of the workforce understand that
• They are in a position of trust
• Each individual is responsible for appropriate
  use and release of data

14
Degrees of Data Sensitivity

• Confidential
• Protected by law, regulation, contract, policy,
  guideline
• Sensitive
• Not disclosed without good reason due to private
  nature, institutional risk
• Protected by procedures, practice and high
  ethical standards
• Public
• Not protected and generally made publicly
  available

15
Degrees of Data Sensitivity (cont)

• Public
• Not protected, and generally made publicly
  available
• Examples include
• Directories (excluding restricted individuals
  and/or information)
• Library card catalogs
• Course catalogs
• Institutional policies

16
Degrees of Data Sensitivity (cont)

• Sensitive
• Not disclosed without good reason due to private
  nature, institutional risk, or to maintain a
  competitive advantage
• Protected by procedures and high ethical
  standards
• May be subject to disclosure by specific written
  request under the Freedom of Information Act
• Includes
• Employment Data
• Other data, such as certain maps and detailed
  institutional accounting and budget data

17
Degrees of Data Sensitivity (cont)

• Confidential
• Student Records
• Protected by Family Educational Rights and
  Privacy Act (FERPA)
• Protected by University policies and guidelines
• Guidelines Governing Privacy and Release of
  Student Records
• MSU Privacy Guidelines

18
Degrees of Data Sensitivity (cont)

• Confidential (cont)
• Personally Identifiable Financial Data
• Protected by Gramm-Leach-Bliley Act (GLB)
• Data used in identity theft
• Examples name, address, date of birth, SSN,
  payment card numbers, bank and electronic funds
  transfer account numbers, and drivers license
  numbers
• Health Records
• Protected by Health Insurance Portability and
  Accountability Act (HIPPA)

19
Degrees of Data Sensitivity (cont.)

• Confidential (cont)
• Social Security Numbers
• Protected by Michigan Social Security Number Act
  and University policy
• Payment Card Data
• Protected by contract, PCI DSS (Payment Card
  Industry Data Security Standards)
• Research Data
• Protected by federal regulations (45 CFR 46, 21
  CFR 50, 21 CFR 56) and MSUs Internal Review
  Boards (www.humanresearch.msu.edu)

20
We all have data stewardship roles to play in
managing sensitive data
21
We all have data stewardship roles to play in
managing sensitive data
and we need to share our ideas and concerns with
each other
22
Role and Responsibilities of Unit Security
Contacts/Administrators

• Prior to granting access need to verify
• Need-to-Know Access to the system is necessary
  in the performance of an individuals job
  responsibilities
• It is helpful when the supervisor is consulted in
  making this determination
• Individual understands policies, laws and
  contractual terms that govern access to, use and
  release of the data available in the system
• Individual understands their position of trust
  and individual responsibility for handling, using
  and releasing the data appropriately

23
An Action Plan for Units and for Individuals

• Step 1 Survey Your Data
• Survey your own electronic and paper files for
  sensitive data and identify problem areas
• Step 2 Assess Your Risk
• Assess the risk involved with storing the data,
  the business need and how it is stored
• Step 3 Mitigate Your Risk
• Find ways to manage the risk and take appropriate
  action
• System and personal workstation security -
  Anti-virus, security patches, firewall,
  anti-spyware

24
End of Managing Sensitive Data and SIS Lesson I -
Managing Sensitive Data at MSU
25
Managing Sensitive Data and SIS

• Lesson II Data Governance, Data Stewardship and
  Protecting the Privacy of Confidential Student
  Records

26
Data Governance and SIS

• Laws, Guidelines and Procedures for Protecting
  Student Privacy
• Family Educational Rights and Privacy Act (FERPA)
• MSU Guidelines Governing Privacy and Release of
  Student Records
• Access procedures

27
What is FERPA?

• The Family Educational Rights and Privacy Act,
  enacted in 1974, protects the privacy of student
  education records
• Education records disclosed only with students
  permission or as allowed by law
• Grants students certain rights concerning
  inspection and review of their educational
  records
• Applies to all educational institutions that
  receive funding from the U.S. Department of
  Education
• Non-compliance can result in the loss of federal
  funding

28
What are MSU Guidelines?

• As a means of complying with FERPA, MSU has
  developed detailed Guidelines Governing Privacy
  and Release of Student Records
• Protect students right to privacy
• Provide reasonable guidelines for release or
  disclosure
• Extend beyond FERPA in respecting the
  confidentiality and protecting the privacy of
  student records
• Available on the Web at www.reg.msu.edu by
  clicking on Guidelines Governing Privacy and
  Release of Student Records

29
Confidential and Sensitive Data on Students

• All student information is considered
  confidential and sensitive except that which MSU
  has defined as directory information
• Examples of confidential student information
• Grades
• Enrollment records
• Schedules
• Class Lists
• PID (personal identification number)
• SSN
• Student employment and payroll information
• Directory information that the student has
  requested be restricted

30
Directory Information

• FERPA identifies directory information,
• Personally identifiable information that would
  not generally be considered harmful or an
  invasion of privacy if disclosed
• May be disclosed to third parties without the
  students consent
• Student may restrict disclosure of directory
  information

31
Directory Information (cont)

• name of student,
• the student's local address (if listed),
• the student's local phone (if listed),
• MSU NetID email address (if listed),
• the student's permanent address (if listed),
• the student's permanent telephone number (if
  listed),
• current enrollment status or dates of attendance,
• program level (undergrad, graduate,
  professional),
• class (freshman, sophomore, junior, senior,
  etc.),
• major,
• current term candidacy for degree and/or teacher
  certification,

• employment status as a graduate teaching or
  research assistant, office address and office
  phone number,
• information pertaining to awards and honors,
• degree(s) earned from MSU and effective date(s),
• State of Michigan certification for teaching and
  effective date(s),
• participation in officially recognized University
  activities and sports, including weight and
  height of athletic team members,
• the registration documents of student
  organizations which contain the names and
  addresses of the officers and the statement of
  purpose of the organization.

32
Getting Access to SIS

• Access authorization delegated to MAU for typical
  business needs through Access Request Memorandum
  and SIS bubble sheets http//aissecuritycontact.
  ais.msu.edu/arms
• Security centrally administered by AIS
• Training
• Managing Sensitive Data in SIS
• SIS Basics General Navigation Part A
• SIS Basics Student Academic History and Data
  Organization Part B

33
Getting Access to SIS (cont)

• Prior to approving access unit security contact,
  with assistance from individuals supervisor
  needed to determine and verify
• Need-to-Know Access to SIS is necessary in the
  performance of the individuals job
  responsibilities
• Individual understands policies, laws and
  contractual terms that govern access to, use and
  release of the data
• Role in Data Stewardship - Individual understands
  their position of trust and individual
  responsibility for handling, using and releasing
  the data appropriately

34
Getting Access to SIS (cont)

• Access granted based on job responsibilities
• Whose records are needed?
• All MSU students
• By college
• By department
• By group, e.g., international students, athletes,
  persons with disabilities

35
Getting Access to SIS (cont)

• Access granted based on job responsibilities
• Which records are needed?
• Academic, e.g., grades, courses, admissions
• Non-academic, e.g., student receivables,
  financial aid
• SIS Modules and Screens

36
Getting Access to SIS (cont)

• Access granted based on job responsibilities
• What action needs to be taken?
• Inquiry
• Permits a user to only view the information
  displayed on a screen
• Most common type of access
• Update
• Permits a user to add, change or delete the
  information displayed on a screen
• More limited number of employees require this
  access

37
Individuals Role in SIS Data Stewardship

• Student educational records are confidential and
  may generally not be released without written
  consent of the student
• Re-disclosure of student information ONLY with
  PRIOR verification that disclosure is to a
  university official with a legitimate educational
  interest and consistent with MSU Guidelines
  Governing Privacy and Release of Student Records

38
Individuals Role in Stewardship of SIS Data

• Student information should only be kept as long
  as it is valid and useful otherwise destroy
  responsibly.
• the Retention and Disposition of Student Academic
  Records Memorandum, dated August 16, 1991, and
  Guidelines Student Academic Records, Advisers
  and Deans Folders (www.reg.msu.edu/read/retention
  sched.pdf)
• Managing Sensitive Data Web site at
  www.lct.msu.edu/security

39
When can Confidential Student Records be
Disclosed?

• According to the section entitled Practice
  Governing Disclosure in MSU Guidelines Governing
  Privacy and Release of Student Records
• Contact the Office of the Registrar, the Client
  Advocacy Office and/or the Office of the General
  Counsel for advice, clarification or direction
• Contact the Office of Planning and Budgets for
  advice or direction in responding to external
  surveys and other requests for information

40
When can Confidential Student Records be
Disclosed? (cont)

• To the individual student
• To third parties
• With prior written consent by the student
• Without prior written consent
• To school officials with a legitimate educational
  interest on a Need to Know basis
• Limited other legal conditions and MSU
  operational conditions listed in the Guidelines
• Service providers are required to have a contract
  with MSU and to sign a non-redisclosure statement

41
Some Dos and Donts for Faculty and Staff Who Use
SIS

• DO
• Use randomly assigned numbers or codes to display
  scores or grades
• Keep any personal notes relating to individual
  students separate from educational records
• Keep only those individual student records
  necessary for fulfillment of your job
  responsibilities.
• Refer information requests to the proper
  educational record custodian RO, CAO, General
  Counsel, OPB

42
Some Dos and Donts for Faculty and Staff Who Use
SIS (cont)

• DO NOT
• Display personally identifiable student scores,
  grades, Social Security Numbers, or PIDs
  publicly
• Put papers, projects, graded exams, or reports in
  publicly accessible places
• Share student information, including grades or
  GPAs with other faculty or staff unless their
  responsibilities warrant a need-to-know
• Discuss a students progress with anyone
  (including parents and spouses) without written
  consent of the student

43
Security Conscious Work Habits

• Secure/lock up printed data
• Use discretion when viewing sensitive data
• Shred all reports with confidential data when no
  longer needed
• Always sign off the system when leaving your work
  area
• Never share your user id and password

44
When in Doubt

• Err on the side of caution and do not release
  student educational information.
• Contact the Office of the Registrar, the Client
  Advocacy Office or the Office of General Counsel
  for guidance
• See Office of the Registrars Web site at
  www.reg.msu.edu

45
Summary

• Whatever level of SIS access you have been
  granted, be certain to follow FERPA and MSUs
  Guidelines
• Remember to be vigilant in your protection of a
  students educational records
• In your daily work, evaluate if each use of
  confidential information is appropriate

46
Additional Resources

• Tutorials and additional information on FERPA and
  MSU Guidelines Governing Privacy and Release of
  Student Records available at www.reg.msu.edu
• What Every Student Should Know
• What Every University Employee Should Know
• Especially for Administrators, Security Contacts
  and Support Staff
• FAQs
• Records Retention
• Guides, training, meetings, resources and
  additional information on managing sensitive data
  available at www.lct.msu.edu/security

47
Questions?

• Client Advocacy Office
• Phone 517-353-4856
• Email CAO_at_msu.edu

48
End of Managing Sensitive Data and SIS Lesson II
Data Governance, Data Stewardship and
Protecting the Privacy of Confidential Student
Records