Part 3 - Comprehensive Standards
  

3.9.2  The institution protects the security, confidentiality, and integrity of student records and maintains security measures to protect and back up data. (Student records)

Compliance
Partial Compliance
Non-Compliance

Narrative

The University of New Orleans is committed to protecting the security, confidentiality, and integrity of its student records.  The registrar’s office maintains the integrity of academic records, including the enforcement of the Family Educational Rights and Privacy Act.  The Family Educational Rights and Privacy Act of 1974, known as FERPA or the Buckley Amendment, is the federal law that protects student records, privacy review and disclosure rights.  Additionally, offices with primary responsibility for student records management have safeguards in place as detailed in this section. Attached is the University of New Orleans' administrative policy AP-AA-12.2 FERPA Compliance.

Registrar’s Office

The Office of the University Registrar is responsible for student academic records.  All employees who have authorized access to student data receive appropriate training and instruction concerning confidentiality and protection of student records using the guidelines established by FERPA. 

The University uses as its guide the recommended archive and security measures published by the American Association of Collegiate Registrars and Admissions Officers.  All student data subject to FERPA reside on electronically and physically secured databases/servers, or in secure, fireproof filing cabinets.  Designated data custodians oversee the security and authorization process.  Access to requested information may be any combination of the authority to query, change, or delete information.  Access is granted relative to position and function.

The University assigns student record access to students and University officials with a legitimate educational interest. Requests for access to student academic records require approval of the University Registrar.  Upon approval, the request is forwarded to the Office of Information Systems.

Individuals requiring access to information must log in through a single secure login process.  The user is authenticated and then granted access to the data using State of Louisiana security protocols (unique identifiers and passwords). Access by students to these services is controlled via the secure login profile established by each eligible user.  The profiles and unique identifiers are maintained in a secured database or server that follows the State of Louisiana security standard with regard to the creation of a username and password.  The password must conform to the State of Louisiana and university standards established in regard to length, type, and number of symbols and characters. When appropriate or necessary, data passed over the Internet through the web applications for faculty, staff, or students are encrypted.

University Computing Center (UCC)

University Computing and Communications has established policies and procedures to protect the security of student records.  Individuals requiring access to information must log in using their unique computer credentials (user name and password) through a single secure login process.  The user is authenticated and then granted access to the data using Louisiana state security protocols (unique identifiers and passwords).  Access by students to these services is controlled via the secure login profile established by each eligible user.  The profiles and unique identifiers are maintained in a secured database or server that follows state security standards with regard to the creation of a username and password as per the State of Louisiana, Office of Information Technology Policies.  The password must conform to the state security and university standards established in regard to length, type, and number of symbols and characters, verified via the password reset system.  Data passed over the Internet through PeopleSoft (UNO’s Enterprise Resource Planning system) for faculty, staff, or students are encrypted.

Student academic records are maintained in PeopleSoft’s ERP which is provided and maintained by University Computing and Communications.  The student system as installed at UNO is known as WebSTAR (Web Student Admission and Registration) and it includes integrated Web portal modules for student admissions, records, registration, financial aid, financials and student accounts receivable, transcripts, and degree audit.  WebSTAR Mobile provides the same services as the Web portal as well as access to a campus map, emergency notifications, course catalog, news, and other services.  

WebSTAR user access is controlled by standard system access profiles prescribed by administrative personnel for various user categories.  Student system access for administrative users is granted based on a formal approval from the respective departmental data steward and is based on the user’s position and responsibilities.  The office of the Registrar is the designated data steward for student records and WebSTAR.  Designees restrict access to sensitive system functions and capabilities to the smallest practical number of administrative users.  The office of the Registrar must approve all external requests for student data. Access permissions to WebSTAR are removed upon the exit of students, faculty, or staff from employment or upon any change in University role status.

Web-based student access to their personal records requires a Secure Sockets Layer (SSL) connection across the Internet (128-bit encryption).  Such access requires authentication using a password selected by the student.  Students can also request that certain information be suppressed.  All staff members with access to electronic records are trained on proper procedures for access and warned of their responsibilities concerning university data in accordance with Louisiana and Federal privacy records laws: LA R.S. 44:1-44:4; LA R.S. 14:73.1-14:73.7; and the Electronic Communications Privacy Act, 18 U.S.C. 2701. The Database Security Breach Notification Law requires notification to any Louisiana resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person as a result of a security breach.

UCC Data Security Remediation Directive

In the event that a UNO server is infected by malware or otherwise compromised, the following procedures are followed.

  1. Log on to the affected system using local administrative credentials.
  2. Run all necessary forensic tests and diagnostics to ascertain the extent of compromise or infection.
  3. If the system is no longer secure, the system must be declared as compromised.
  4. For compromised systems, the system must be removed from the campus network.
  5. A determination must be made of what data resides on the system and who the data stewards are for that system.
  6. The Chief Information Officer and data stewards must be immediately notified of the breach.
  7. Depending on the classification of the data present, appropriate steps must be taken according to state and federal statutes.
  8. Once reporting and notification obligations have been met, steps to prevent future breaches must be identified if possible.
  9. The server should be formatted, reinstalled and put back into production.

UCC Media Disposal and Data Sanitation Directive

  1. Laptops and desktops that are transferred to another UNO department have their hard drives reformatted and the OS re-installed.
  2. Servers, laptops and desktops that are surplus have their hard drives removed and kept by UCC for proper disposal.
  3. CD and DVD media are placed in secure containers for recycling by a private company or shredded on premises.

UNO has contracted with a recycling company for proper disposal of hard drives.  All removed hard drives are kept and collected for the company to destroy them on our premises. A Certificate of Destruction is issued upon disposal.

Bursar’s Office

The Bursar’s Office is responsible for most of the financial information for each student. All paper forms are securely stored in file cabinets located either in the storage area or at each employee’s desk. The Bursar’s Office and the building remain locked during non-business hours. Only authorized personnel have a key to enter the office, and a more-restricted group of employees have a key to the building. All electronic records are stored in a secure environment. Electronic documents and scans are saved on the office’s shared files. Only Bursar’s Office staff members have access to these shared files. Student account information is maintained in Oracle’s PeopleSoft. Only authorized users have access to this data. The Bursar is responsible for administering the security levels given to individual employees.

Online payments are processed in PeopleSoft. The University’s processor is Elavon. Both are secured sites that are compliant with payment card industry data security standards. Credit/Debit cards are accepted on site and require presentation of a picture ID.

Student Accountability and Advocacy

This office houses records on referred student discipline cases.  Electronic notations of found Student Code of Conduct violations are made in the WebSTAR software system. Physical records are maintained in locked filing cabinets in the office for a period of 5 years, then converted to electronic format and stored on a secure server.  Access to these records, both digital and physical, is limited to staff in these offices that have a legitimate educational interest.

Disability Services

The Office of Disability Services (ODS) maintains medical documentation, intake information, and letters of accommodation deemed confidential under the Americans with Disabilities Act and Section 504 of the Rehabilitation Act.  Other items including but not limited to summary notes of telephone and individual meetings, copies of staff/student correspondence, and faculty/staff correspondence are also considered confidential and part of student records.  Electronic records are kept on a secure server to which access is only granted to ODS staff; hard copies of student files are kept in the office for seven years as specified in the Records Retention schedule. Then, the files are converted to an electronic format and securely stored.  Confidentiality of student records and information is a high priority, and ODS requires all employees to complete confidentiality training and sign confidentiality agreements.

Career Services

Career Services maintains hard copies of the students’ cooperative/internship package in a filing cabinet in a locked office.  Also, hard copies are completed and kept regarding Career Services Activity Logs and Student Learning Surveys/Outcomes and stored in a filing cabinet in a locked office.   Aggregated data and information may be posted for staff and student review, public viewing results, and used in quality improvement and effectiveness initiatives.  

Career Services Graduate Assistants and Career Services Student Workers’ files are kept in the office, with the personnel application package, any performance reviews, and copies of payroll sheets for the student workers; these files are kept in a filing cabinet in a locked office.

Digital records, including a student profile, resume, self-assessment, and other career preparation and job search documents are stored in a Career Services web-based database system and are password protected.

Student Health Services

Student Health Services (SHS) maintains medical records in accordance with the privacy regulations of both FERPA and HIPAA.  When any portions of these regulations are not congruent, the more stringent policy is applied.  All personnel participate in training exercises on an annual basis.  A privacy officer is responsible for enforcing policy and procedures required by HIPAA.  Current medical records are kept in a secure area, and are locked when not attended by personnel.  Access to active records is restricted to personnel who have a medically necessary interest.  

SHS outlines and describes policies and procedures in a series of manuals.  The “Student Health Services Policies and Procedures Manual” as well as the “Nursing Standing Orders Manual” describe medical procedures for administering and documenting patient treatment.  The “HIPAA Privacy Compliance Manual” contains Personal Health Information (PHI) requirements and training information.  These manuals are maintained in Student Health Services.

Counseling Services

UNO Counseling Services strictly adheres to all state and federal laws regarding confidentiality (Confidentiality Parents Information, Confidentiality Referral Information) pertaining to mental health records including but not limited to La. R.S. 37: 1101-1122; 2351-2378; 2701-2724 and the Professional and Occupational Standards of the Louisiana Administrative Code Title 46 for professions represented in the department. All counseling services are confidential to the limits provided by law and no information is released to anyone within or outside of the University without a client's written consent unless allowed by law. Per state law, client records must be maintained for a minimum of 6 years. Counseling Services maintains paper records (for clients seen prior to July 1, 2011) for a period of 10 years following the last date seen at Counseling Services. These records are maintained in locked filing cabinets located in internal (windowless) rooms with locking doors. Keys for the filing cabinets are stored in a locked, code-protected key cabinet when not in use. Paper records are destroyed internally after the ten-year retention period has expired. Electronic records (for clients seen on and after July 1, 2011) are maintained indefinitely in the Titanium Schedule electronic recordkeeping system. Access to client records is password protected and limited to Counseling Services staff and designated workstations within Counseling Services.  Titanium Schedule is housed on a secure SQL server in University Computing and Communications (UCC). UCC staff access to the system is for technical support only.  Electronic records are archived per UCC Policy, i.e., files are archived nightly to tape and stored in a secure facility. Monthly archives are maintained for 13 months.  Yearly archives are maintained indefinitely.

Police Department

Digital records are maintained on a secure UNO network with access restricted to Police Department personnel with legitimate law enforcement or educational interests.  Access to digital records is controlled by the issuance of individual passwords provided by the University Computing and Communications Department per current University policies and guidelines as codified in the UNO Police Department Procedure Manual.  The release of digital and physical records must be approved by the Chief of Police, Commander of Administration, or the Investigations Section and then only for legitimate law enforcement or educational interests.  The following types of police reports, whether in physical or digital format, are prohibited from being released without the prior approval of the Chief of Police: incidents involving juveniles; reports related to a suicide or death; medical reports; sexual assault incidents; open investigations which could endanger the successful completion of an investigation and/or related investigation; and any incident report deemed to be of a sensitive nature.

Other offices with access to student records:

Graduate School

The Graduate School stores records for active students in locked fireproof filing cabinets with access limited to the staff in the Graduate School. The one key for the cabinet array is kept in a locked desk drawer at all times.  

Records include signed forms approving plan of study, committee memberships, thesis and dissertation committees, candidacy, and important correspondence regarding tuition, scholarships, assistantships, and policy waivers for actively enrolled students.  Paper records are maintained for eight years after graduation or last enrollment.  At the time of disposition, student files are shredded either on campus or by a bonded off-site shredding company.

Any confidential student records in an electronic form are kept in a “Graduate School--Private” sub-directory of the university’s shared drive. Only full-time staff in the Graduate School have password access to the sub-directory.

The Graduate School does not own the admission records for graduate applicants. Those are held in the Office of Admissions.

Enrollment Services

All admissions applications are submitted on-line through an application hosted on University servers and maintained by staff in the University Computing and Communication (UCC) division.  Enrollment Services staff retrieve the applications from the server and upload them to PeopleSoft/WebSTAR.  The applicant is required to establish both a user ID and a password for access to the online application.  This username and password allow the applicant to check the status of their application by logging into the University’s WebSTAR database.  Transcripts are received via mail, in person or electronically.  Paper transcripts are logged into the WebSTAR database and then scanned.  The electronic transcript is then linked to the applicant’s application.  The paper transcripts are stored in a secure bin until shredded by a vendor under contract with the University.  Enrollment Services does not use Social Security numbers in any correspondence and uses the ID number generated by the WebSTAR database.

Students applying for financial aid submit the Free Application for Federal Student Aid (FAFSA) through the Department of Education’s website.  The staff downloads this information to the WebSTAR database where it is secured by access control maintained by the UCC protocols.   Only OES staff who need access to this information can view a student’s FAFSA information.  This access is controlled by the UCC.  Additional documents may be required if the student is selected for a process called verification.  Required documents may be mailed or delivered in person.  All documents are logged into the WebSTAR database then scanned.  The paper original is stored in a secure room until the staff can verify the quality of the scan.  All documents are then shredded by a vendor under contract with the University.   Staff require a picture ID before discussing specific financial aid information and do not relay sensitive information over the phone.  All correspondence with students uses the WebSTAR generated ID number in lieu of the Social Security Number.

New Student Orientation

All Student Orientation employees sign a confidentiality agreement when they become employed by our office.  During summer training sessions, they are also trained on topics such as FERPA guidelines. 

The Orientation office receives confidential student information including but not limited to Privateer ID numbers, Social Security numbers, addresses, telephone numbers, and access to standardized test scores. Procedures followed to ensure that such information is kept confidential include securing information containing sensitive information and shredding all documents containing social security numbers, ID numbers, etc., once that information is no longer needed.  When a student signs up for orientation, it is through a secure online form.

First Year Experience and First Year Advising

Staff members within First Year Experience and First Year Advising have access to view students’ personal information including addresses, phone numbers, and social security numbers.  They also have access to students’ academic records and class schedules.  To ensure this information is kept confidential, student information is not printed. Rather, secured online forms for both the academic advising process and the UNO cares Early Alert System are utilized.  In the event that confidential information is contained on a paper document, it is either filed appropriately or shredded.  The Early Alert system is completed via WebSTAR.  Faculty have access to class rosters in WebSTAR.

Student Athlete Academic Success

The Student-Athlete Enrichment Program adheres to policies developed in accordance with student confidentiality.  Both FERPA regulations and the Buckley amendment protecting confidential student issues, grades and course feedback are followed daily.  Any confidential student information is filed in the student’s permanent folder or shredded and disposed of in a proper manner.  Staff are expected to protect/safeguard student information at all times.  Any information with grades, Social Security numbers, student identification numbers or student information protected under the Buckley amendment is filed in binders or in secure file cabinets.  This information is not left out on desks for staff, students or tutors to read under any circumstances. Offices containing student records are locked when the Student-Athlete Enrichment Center is closed. All professional and support staff are trained to comply with FERPA regulations during orientation. 

Reports containing academic information are discussed with students and any relevant feedback shared strictly between student and appropriate university personnel. The academic information that is received from faculty is processed by Student-Athlete Enrichment staff and sent out in a report to coaches.  

The GradesFirst application helps manage course assignments, study hours and tutor appointments. The GradesFirst Policy Manual includes confidentiality procedures. The data in GradesFirst is housed in a state of the art Tier 4 Data Center, the highest level of security available.  Within the GradesFirst application, all data are transferred from the user to the application (and back) using a secure Camellia 256-bit Secure Sockets Layer (SSL) connection.  This system is the same as used in banking websites.  The GradesFirst application and client data are located in multiple data centers inside the United States, providing the necessary data redundancy in the event of a natural, man-made and/or environmental disaster. Physical access is strictly controlled 24/7 both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Furthermore, all physical access to data centers by employees is logged and audited routinely. The progress report information sent to professors is simply their roster. There is no FERPA-protected information sent with the progress report.

Supporting Documents

Document: Description
Acceptable_Use_Pol: Acceptable Use Policy for Information Technology
Accountability_Advocacy_Website: Office of Student Accountability and Advocacy
Career_Serv_Web: Career Services Website
Cert_Disposal: Certificate of Disposal
Coun_Confid_Parent: Counseling Services Confidentiality Parents Information
Coun_Confid_Refer: Counseling Services Confidentiality Referral Information
Counsel_Serv_Web: Counseling Services Website
Dis_Serv_Confid_Info: Disability Services Confidentiality Information
Disabil_Serv_Web: Disability Services Website
Elect_Comm_Priv_Act: Electronic Communications Privacy Act
Enroll_Serv_Web: Enrollment Services Website
First_Year_Adv_Web: First Year Advising Website
First_Year_Experience_Website: First Year Experience Website
Graduate_School_Website: Graduate School Website
La_Off_Info_Tech_Pol_Web: Louisiana Office of Information Technology Policies Website
La_RS_14_73_1: Louisiana Revised Statute 14:73:1 Computer Related Crime
La_Title_44: Louisiana Title 44: Public Records and Recorders Chapter 1 Public Records Part I Scope Law Defining Public Records
Stud_Athlete_Enrich_Pol_Pro: Student Athlete Enrichment Policies and Procedures
Stud_Athlete_Grades_First_Man: Student Athlete GradesFirst Manual
Student_Health_Services_Website: Student Health Services Website
UCC_Password_Reset_Web: University Computing and Communications Self-Service Password Reset Website
UCC_Website: University Computing and Communicating Website
UNO_AP_AA_12_2_FERPA_Compliance: University of New Orleans Administrative Policy AP-AA 12.2 FERPA Compliance
UNO_Bursar_Website: University of New Orleans Bursar’s Website
UNO_Disability_Record_Retention_Schedule: Disability Services Record Retention Schedule
UNO_New_Student_Orientation_Website: New Student Orientation Website
UNO_Orientation_Online_Form: Orientation Online Sign-up Form
UNO_Police_Dept_Website: University of New Orleans Police Department Website
UNO_Police_Man_Student_Record: University of New Orleans Police Department Procedure for Securing and Releasing of Student Records
UNO_Registrar_Web: University of New Orleans Registrar Office Website
UNO_WebSTAR_Mobile_Guide: Main Page for Mobile Access
UNO_WebSTAR_Student_Doc_Website: WEBSTAR Student Center Documentation Website