Policy 2318 - Security and Confidentiality of Student Records
Effective Date: 3/20/2015
Responsible Office: University Registrar
Reference: Family Educational Rights and Privacy Act (FERPA) of 1974 (34. C.F.R. 99)
It is the responsibility of each faculty, staff, and administrative member of Louisiana Tech University to ensure the security and confidentiality of all student education records entrusted by students to the University for safeguarding. While the federal regulations provide general guidelines for the protection and use of education record data, it is incumbent on those faculty, staff, and administrators that are granted access to this information to actually protect it.
This policy outlines the process and procedures for the protection of student education record information, establishes the faculty and staff responsibility for maintaining confidentiality and physical protection of those records, and the process for determining eligibility and granting access to student education records.
- Louisiana Tech University uses the SunGard SCT IA Plus 2000 Student Information System (SIS). Installed during AY 1998-1999 on an IBM mainframe platform, it went fully operational during the Fall Quarter 1999 (AY 1999-2000). Only the Plus SIS module is installed and operational. There are data interfaces that have been programmed to interface SIS with the Comptroller’s legacy accounting programs, Financial Aid’s “POWERFAIDS” software, Undergraduate Admissions’ Hobson’s “Connect” software, Graduate Admissions’ Hobson’s “Apply Yourself” software (transitioning to AMP), and several other peripheral commercial software packages that interface with SIS for student support (e.g. traffic/parking permits and ticketing operations and campus wide ID (CWID) card production/maintenance. There are separate databases maintained for specific (non-academic) functions such as campus police investigations, judicial affairs, medical records, and counseling center medical records). These are not linked to the SIS, but are supported by demographics that may have originated from the SIS.
- Louisiana Tech University maintains a legacy system database of student academic records on the same IBM mainframe platform that date back to the mid 1970’s when records were first computerized. Access is limited to specific officials within the Offices of Graduate and Undergraduate Admissions, Office of the Comptroller, Office of Student Financial Aid, and the Office of the University Registrar (access control OPR).
- Access to the SIS software is based on legitimate educational need - also known as legitimate educational interest. There are essentially two types of access to the SunGard SCT IA Plus 2000 software – (1) YES, you are approved for access to specific screens, or (2) NO, you are not approved to access the screens. If approved for access the question then becomes whether or not the individual is approved for (I) inquiry (look at the data) or (U) update (actually change the data). Most faculty and administrative staff have inquiry access to limited groups of screens containing student information needed to accomplish their specific duties and responsibilities as educators and/or academic administrators. This access is highly dependent on the function of the person or office.
- Inquiry access to screens containing SSNs, and PINs, is restricted to the Registrar’s Office (SSN’s and PINs), and to select personnel within the Comptroller’s Office (SSN’s), Financial Aid (SSN’s), Judicial Affairs (SSN’s), and Campus Police (SSN’s). There are a limited number of Academic Administrators, primarily those associated with Grant Administration, that have access to SSNs as required for federal and state reporting.
- All update access to screens containing mechanisms to load or change master academic calendar configuration, registrations, grades, change drop/add actions, update transcripts are held by select individuals within the Office of the Registrar and two SIS programmers in the University Computing Center.
- Access to the Student Information System (SIS) is controlled through a multi-step
- Step 1: Access to mainframe. Department of assignment sends letter/e-mail to Computing Center requesting access to the IBM mainframe, and access to programs resident on the mainframe.
- Step 2: Coordinate access approval of request. Computing Center coordinates approval for access to the various program areas requested (e.g. SIS with University Registrar; Accounts Receivable, Budget, Property with Information Systems, etc.).
- Step 3: Access to SIS. Registrar determines legitimate educational interest and need-to-know based on department of assignment, duties and responsibilities, and any further justification provided by the department to determine approval for access to the SIS. This establishes yes or no to the access question.
- Step 4: Type of access to SIS. Registrar applies hierarchy of security templates programmed into the SIS security program to establish level of access - which screens and what type access to elements on each screen – inquiry or update. Very few personnel have update access to any screens in SIS as this is restricted with respect to Registrar function screens.
- Step 5: Access loaded. Registrar, in conjunction with Computing Center loads template codes authorizing access to the SIS program, and to the specific approved screens. Computing Center notifies requesting department of action, USERID and initial Password set.
- Step 6: Registrar coordinates Faculty BOSS PIN (if required).
- University Registrar conducts SIS and FERPA training classes in the Center for Academic and Professional Development for new faculty and staff as part of New Faculty Academy. All faculty, staff, and administrators employed by Louisiana Tech University are required to enroll in and complete UNIV 289a-084 at least once every two years to update all Risk Management training. This course includes a FERPA module to refresh and update enrollees on records use, protection, and privacy.
- University Registrar maintains a report that provides listing of Screen Operator ID Numbers, and security template access codes (SRS05C). Two individuals, the University Registrar and a specified Systems Programmer from the Computing Center, have access to and authority to load, change, and terminate security template access to the SIS screens.
- Personnel leaving employment at the University go through a reverse process that terminates access. The Director of Human Resources notifies the Computing Center of employment terminations. The Computing Center terminates access to the mainframe and loads a screen denial security code template to the former employee’s account in the SIS program to further deny access. This code can also be loaded by the University Registrar if needed.
- Education Record information is initially keyed into the admissions management software (Connect, or ApplyYourself/AMP). When an admission decision is rendered by the appropriate admissions authority, the data is then electronically transferred to the student information system from the admissions management software (Connect, or ApplyYourself). Verification of the initial admissions data set (academics and demographics) is accomplished by staff members within the Office of the University Registrar. This would include verification of receipt of all official transcripts and loading of all data from official transcripts (undergraduates only). The official education record for TECH (paper and electronic) is established at that point.
- Academic updates result from the normal conduct of the academic calendar and enrollment by the student. This would include registration, tuition/fee payment, drop/add actions, resignation, grades, academic suspension/probation, and ultimately graduation. Data update access is limited to those persons responsible for the collection, verification, and reporting of the elements of information required to conduct the various processes. Data integrity, validity, and security are central to employee responsibility.
- Demographic updates are the responsibility of the student to initiate notification of change (or enact online where applicable and allowable), and the staff office responsible for the update of the information in the student information system.
- Hardware and software maintenance is the responsibility of the University Computing Center. The University Registrar and specific programmers in the University Computing Center are responsible for internal table maintenance and updates.
- Should there be an inadvertent release of student Personally Identifiable Information (PII) such as SSN, the University will take appropriate and immediate steps to notify students/alumni involved whose records may have been breached and begin arrangements for credit report support to the affected cohort.