North Central College Private Information Security Program
Gramm-Leach-Bliley Act --Safeguarding Program
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLB), regulates the disclosure of non-public personal information by financial institutions. By making/processing student loans, collecting financial information for financial aid purposes and processing checks and credit cards, colleges and universities are covered under this Act which goes beyond the requirements of the Family Educational Rights and Privacy Act (FERPA). North Central College has, therefore, instituted privacy principles and policies designed to safeguard personal information about students, employees and other members of the North Central College community against such risks as theft, unauthorized access, destruction, misuse, modification, unauthorized disclosure or other compromise of information.
The GLB information security program has five components:
- Designation of an employee(s) or office responsible for coordinating the program.
- Identification of reasonably foreseeable internal and external risks to the security, integrity and confidentiality of personal information.
- Ensuring that safeguards are employed to control the risks identified and that the effectiveness of the safeguards is regularly tested and monitored.
- Ensuring that service providers are capable of maintaining appropriate safeguards of information.
- Adjusting the information security program in light of developments that may materially affect the College’s safeguards.
I. Security Program Coordinators
The Assistant Vice President for Information Technology Services (ITS) and the Assistant Vice President for Human Resources (HR) are assigned to data security and coordination of the program.
II. Risk Assessment
The department head of each unit of the College is required to assess their operation and organization and provide the Office of Human Resources with a departmental plan which includes the assessment study and the measures implemented and/or recommended that will secure and protect all student, employee and other persons’ records and guard personally identifiable information against theft, unauthorized access, destruction, misuse, modification or unauthorized disclosure. Personal information is defined in the Act as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic or another form, that is handled or maintained” by the College. Examples include, but are not limited to, social security number, bank account or credit card information, family financial information and academic records.
In addition to compliance with the Family Educational Rights and Privacy Act, this policy requires all North Central College faculty, staff, students and volunteers:
- To respect the privacy of students, employees and others and to protect the security, confidentiality and integrity of nonpublic personal information.
- To maintain the security of all student, employee and others’ information, including physical access restriction to computer operations, password restriction and changes, files which contain personally identifiable information, restriction of former employees from gaining access to computers and paper files, and securing or storing information after use.
- To protect against unauthorized access to or use of records or information, and limit access to personal information to only those within the organization with a specific need to see it.
- To identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of student, employee and others’ information and assess the sufficiency of any safeguards in place to control the risks.
- To be cognizant that personal information collected will be for the purpose of performing official College business and obtained by lawful and fair means. Only information applicable to the function will be collected.
- To be careful that personal information is not disclosed unnecessarily for secondary purposes without the consent of the subject or by authority of law.
The enforcement of these policies mandates that the Office of Human Resources and ITS will:
- Work with each department head to design and implement safeguards to address the risks and monitor the effectiveness of these safeguards.
- Conduct periodic internal audits (at least annually) to ensure that safeguards are in place and maintained.
- Regularly communicate this policy to new employees during orientation, to existing employees, and to students/parents utilizing student and employee handbooks, the internet and intranet web sites, and other appropriate communications.
III. Monitoring Safeguards
Each department head, or designee, will periodically review the safety, confidentiality and integrity of personal information maintained and/or transacted in that office, and immediately report any potential risks to ITS or HR. In all instances, the department head shall be held accountable for complying with the privacy policy and principles.
IV. Service Provider Safeguards
The coordinators and department head, as appropriate, shall create a registry of all third-party contractors with whom the College contracts for services. This includes either the maintenance or transaction of personal information. Among such contracts are banks, bookstore services, food services, and loan servicing agencies. All such service contractors must be required to implement and maintain personal information safeguards that are in compliance with the Act. While contracts entered into prior to June 24, 2002 are grandfathered until May 2004, responsible parties must ensure that all relevant future contracts include a privacy clause and that all existing contracts are in compliance with GLB.
V. Changes in Procedures
HR and ITS will communicate any changes made to the GLB Act or institutional processes to department heads.
As changes in technology and office procedures arise, the department head will make adjustments to the safeguard program for the unit and report such changes to HR and ITS.
Required Security Practices
- When providing copies of information for others, remove non-essential information and personally identifiable information that has no relevance to the transaction.
- Do not leave computer terminals unattended when personally identifiable information is on the screen.
- Properly dispose of personally identifiable information, whether stored in paper, micrographic or magnetic/electronic (computer) media.
- Fax machines should be in a secure or supervised area, off limits to unauthorized persons. Use should be restricted to authorized personnel only.
- When confidential information is faxed, a notice of its confidential nature should be indicated on the cover sheet.
- Take precautions to ensure that when confidential and highly sensitive messages are expected or left on answering machines or voice mail systems, permission has been given to leave messages or for individuals to access messages.
- Take precautions when discussing personal or confidential information over the phone. It may be wise to close your door upon receiving a personal or confidential call.
- Ensure that employees who work from home are trained and emphasize their responsibility in correctly handling employee, student and customer information.
- The use of SSNs for record-keeping purposes and personal identifiers is strongly discouraged. The College prohibits the displaying of SSNs on any documents that are widely seen by others, i.e., time cards, parking permits, student rosters, mailing labels and paycheck stubs.
A security violation is any act that fails to comply with data security standards or represents an effort to undermine, override, or otherwise circumvent security standards or controls.
Many privacy abuses are the result of errors and carelessness by those who handle personal information. Some are caused by inadequate security. Responsible information-handling practices begin with the implementation of the safeguard methods within this policy. Failure to implement and apply the required safeguard measures may result in disciplinary action.
Reviewed by Security Program Coordinators on 5-16-16