Policy 2318 – Security and Confidentiality of Student Records

Effective Date: 3/20/2015

Responsible Office: University Registrar

Reference: Family Educational Rights and Privacy Act (FERPA) of 1974 (34. C.F.R. 99)

It is the responsibility of each faculty, staff, and administrative member of Louisiana
Tech University to ensure the security and confidentiality of all student education
records entrusted by students to the University for safeguarding.  While the federal
regulations provide general guidelines for the protection and use of education record
data, it is incumbent on those faculty, staff, and administrators that are granted
access to this information to actually protect it. 

This policy outlines the process and procedures for the protection of student education
record information, establishes the faculty and staff responsibility for maintaining
confidentiality and physical protection of those records, and the process for determining
eligibility and granting access to student education records.

  1. Louisiana Tech University uses the SunGard SCT IA Plus 2000 Student Information System
    (SIS). Installed during AY 1998-1999 on an IBM mainframe platform, it went fully operational
    during the Fall Quarter 1999 (AY 1999-2000). Only the Plus SIS module is installed
    and operational. There are data interfaces that have been programmed to interface
    SIS with the Comptroller’s legacy accounting programs, Financial Aid’s “POWERFAIDS”
    software, Undergraduate Admissions’ Hobson’s “Connect” software, Graduate Admissions’
    Hobson’s “Apply Yourself” software (transitioning to AMP), and several other peripheral
    commercial software packages that interface with SIS for student support (e.g. traffic/parking
    permits and ticketing operations and campus wide ID (CWID) card production/maintenance. 
    There are separate databases maintained for specific (non-academic) functions such
    as campus police investigations, judicial affairs, medical records, and counseling
    center medical records). These are not linked to the SIS, but are supported by demographics
    that may have originated from the SIS.
  2. Louisiana Tech University maintains a legacy system database of student academic records
    on the same IBM mainframe platform that date back to the mid 1970’s when records were
    first computerized.  Access is limited to specific officials within the Offices of
    Graduate and Undergraduate Admissions, Office of the Comptroller, Office of Student
    Financial Aid, and the Office of the University Registrar (access control OPR).
  3. Access to the SIS software is based on legitimate educational need – also known as
    legitimate educational interest. There are essentially two types of access to the
    SunGard SCT IA Plus 2000 software – (1) YES, you are approved for access to specific
    screens, or (2) NO, you are not approved to access the screens. If approved for access
    the question then becomes whether or not the individual is approved for (I) inquiry
    (look at the data) or (U) update (actually change the data). Most faculty and administrative
    staff have inquiry access to limited groups of screens containing student information
    needed to accomplish their specific duties and responsibilities as educators and/or
    academic administrators. This access is highly dependent on the function of the person
    or office.
  4. Inquiry access to screens containing SSNs, and PINs, is restricted to the Registrar’s
    Office (SSN’s and PINs), and to select personnel within the Comptroller’s Office (SSN’s),
    Financial Aid (SSN’s), Judicial Affairs (SSN’s), and Campus Police (SSN’s). There
    are a limited number of Academic Administrators, primarily those associated with Grant
    Administration, that have access to SSNs as required for federal and state reporting.
  5. All update access to screens containing mechanisms to load or change master academic
    calendar configuration, registrations, grades, change drop/add actions, update transcripts
    are held by select individuals within the Office of the Registrar and two SIS programmers
    in the University Computing Center.
  6. Access to the Student Information System (SIS) is controlled through a multi-step
    approval process.

    1. Step 1: Access to mainframe. Department of assignment sends letter/e-mail to Computing
      Center requesting access to the IBM mainframe, and access to programs resident on
      the mainframe.
    2. Step 2: Coordinate access approval of request. Computing Center coordinates approval
      for access to the various program areas requested (e.g. SIS with University Registrar;
      Accounts Receivable, Budget, Property with Information Systems, etc.).
    3. Step 3: Access to SIS. Registrar determines legitimate educational interest and need-to-know
      based on department of assignment, duties and responsibilities, and any further justification
      provided by the department to determine approval for access to the SIS. This establishes
      yes or no to the access question.
    4. Step 4: Type of access to SIS. Registrar applies hierarchy of security templates programmed
      into the SIS security program to establish level of access – which screens and what
      type access to elements on each screen – inquiry or update. Very few personnel have
      update access to any screens in SIS as this is restricted with respect to Registrar
      function screens.
    5. Step 5: Access loaded. Registrar, in conjunction with Computing Center loads template
      codes authorizing access to the SIS program, and to the specific approved screens.
      Computing Center notifies requesting department of action, USERID and initial Password
    6. Step 6: Registrar coordinates Faculty BOSS PIN (if required).
  7. University Registrar conducts SIS and FERPA training classes in the Center for Academic
    and Professional Development for new faculty and staff as part of New Faculty Academy.
    All faculty, staff, and administrators employed by Louisiana Tech University are required
    to enroll in and complete UNIV 289a-084 at least once every two years to update all
    Risk Management training. This course includes a FERPA module to refresh and update
    enrollees on records use, protection, and privacy.
  8. University Registrar maintains a report that provides listing of Screen Operator ID
    Numbers, and security template access codes (SRS05C). Two individuals, the University
    Registrar and a specified Systems Programmer from the Computing Center, have access
    to and authority to load, change, and terminate security template access to the SIS
  9. Personnel leaving employment at the University go through a reverse process that terminates
    access. The Director of Human Resources notifies the Computing Center of employment
    terminations. The Computing Center terminates access to the mainframe and loads a
    screen denial security code template to the former employee’s account in the SIS program
    to further deny access. This code can also be loaded by the University Registrar if
  10. Education Record information is initially keyed into the admissions management software
    (Connect, or ApplyYourself/AMP). When an admission decision is rendered by the appropriate
    admissions authority, the data is then electronically transferred to the student information
    system from the admissions management software (Connect, or ApplyYourself). Verification
    of the initial admissions data set (academics and demographics) is accomplished by
    staff members within the Office of the University Registrar. This would include verification
    of receipt of all official transcripts and loading of all data from official transcripts
    (undergraduates only). The official education record for TECH (paper and electronic)
    is established at that point.
  11. Academic updates result from the normal conduct of the academic calendar and enrollment
    by the student. This would include registration, tuition/fee payment, drop/add actions,
    resignation, grades, academic suspension/probation, and ultimately graduation. Data
    update access is limited to those persons responsible for the collection, verification,
    and reporting of the elements of information required to conduct the various processes.
    Data integrity, validity, and security are central to employee responsibility.
  12. Demographic updates are the responsibility of the student to initiate notification
    of change (or enact online where applicable and allowable), and the staff office responsible
    for the update of the information in the student information system.
  13. Hardware and software maintenance is the responsibility of the University Computing
    Center. The University Registrar and specific programmers in the University Computing
    Center are responsible for internal table maintenance and updates.
  14. Should there be an inadvertent release of student Personally Identifiable Information
    (PII) such as SSN, the University will take appropriate and immediate steps to notify
    students/alumni involved whose records may have been breached and begin arrangements
    for credit report support to the affected cohort.