3.9.2 Security of All Student Records

The institution protects the security, confidentiality, and integrity of all student records and maintains special security measures to protect and back up data.

Judgment of Compliance

PVAMU SACS Accreditation - Judgement Compliance

Narrative of Compliance

Prairie View A&M University follows federal laws, state guidelines, and Texas A&M University system policies in its handling the security, privacy, and integrity of student records in all areas of the institution.

In accordance with the Family Educational Rights and Privacy Act (FERPA) and Gramm-Leach-Bliley Act on Disclosure of Nonpublic Personal Information, students are informed about the possible uses of their information and their rights to review their records. Both the undergraduate and graduate catalogs have identical statements about rights under FERPA [1]. As stated in a Public Notice on the Website of the Office of the Registrar, students can complete a "Request to Prevent Disclosure of Directory Information" form to prevent the sharing of their personal data [2]. Faculty and staff are informed about FERPA standards through departmental meetings and mandated training by the Texas A&M University system in Ethics, Information Security Awareness (assigned once per year), and Reporting Fraud, Waste and Abuse. These training sessions are administered through the online TrainTraq system.

Relevant State of Texas guidelines come from Subchapter L of Chapter 441 of Texas Government Code (Libraries and Archives) [3] and Chapter 552: Public Information [4]. Section 6 of the State of Texas Records Retention Schedule (SLR 105) indicates the appropriate retention term and the official University custodian for records including admissions data, scholarship applications, disciplinary proceedings, health records, and so forth [5].

Texas A&M System Policies also guide Prairie View's handling of student records. In accordance with Policy 61.99.01: Retention of State Records, the University has a records officer who "develop[s] procedures for the retention, disposition and security of state records at that institution, including the identification of state records that are eligible for destruction or other disposition" [6]. This individual maintains relevant information on a Records Management Web portal [7], and when it was launched in April 2008, several training sessions were offered [8]. In accordance with Policy 61.01.02: Public Information, the University has designated an Officer for Public Information (PIO) who collects and directs responses to public information requests from Prairie View A&M [9]. An Open Records page on the University Web site gives procedures and contact information for inquiries about student data [10], and the PIO regularly sends memos to all University personnel to remind them about the process for handling such requests [11].

Electronic student data, including records on admissions, financial aid, and registration, are stored and maintained in the Banner Enterprise Resource Planning system, which has multiple levels of access. Rather than using social security numbers, the system tracks students through a unique 8-digit University ID assigned when they are admitted to Prairie View A&M. A 27-page Data Standards Manual guides personnel through the use of Banner, including standards for personal information. It also identifies five Data Custodians, those persons responsible for evaluating requests for data access, and the process they follow and outlines procedures for dealing with duplicate PIDMs (Person Identification Master), the number that associates all data with a particular student. The Banner system is checked for duplicate PIDMs on a nightly basis in order to maintain accuracy and integrity of records [12].

In keeping with Chapter C of the Texas Administrative Code 202: Information Security Standards, Prairie View maintains multiple Information Security Standards [13] including server hardening, creating a baseline for security and implementing consistent policies regarding patches and malicious code [14]. PVAMU Administrative Procedure 40.15: Password Policy outlines expectations for strong password construction, frequency of password changes, and protection of passwords [15]. The University also uses the Texas A&M System Information Security Awareness, Assessment, and Compliance System (ISAAC) [16] for business continuity / disaster recovery planning, risk assessment, HIPAA compliance, security training, and registration of resources as directed in System Policy 24.99.99.M1: Security of Electronic Information Resources [17]. Installed in 2006, a Network Operations Center (NOC) in the S.R. Collins Engineering Technology Building provides 24/7 network monitoring and control. Servers are backed up regularly, once per week, with data older than 30 days archived to tapes for temporary storage in the campus vault. To further secure and safeguard records, all archival tapes are transported to the College of Nursing for storage in a fire-proof vault that only authorized University personnel can access [18].

Because faculty members need access to student information in order to perform effective academic advising, they can use the Banner Panthertracks Web interface. To gain access, they must complete a five-step process.  Two forms—the Request for New User [19] and the Information Security Agreement, which also requires a witness [20]—and confirmation of three training sessions must be presented before access is granted. Faculty members must enter their University ID and a password to see course rosters and limited student data (transcripts, account holds, contact information, degree audits). The system logs users out after 10 minutes of inactivity to minimize the risk to confidential materials, and passwords must be changed regularly. When faculty or any employees transfer between departments or leave the University, part of the clearance process is to cancel access to all Information Technology services [21].

Student records that are maintained in hard copy format are all secured physically and retained in compliance with state guidelines. Discipline records are retained for five years after graduation or date of last attendance by the Director of Student Services and are kept in a locked file cabinet beyond the desks of two full-time student conduct officers. In Undergraduate Admissions and Financial Aid, fire-proof file cabinets are locked at the close of business, and most are located behind one if not two locked doors. The Office of Undergraduate Admissions places a sign-out sheet in every student folder to track the location and pathway of physical files. In the Office of the Registrar, students must present valid photo identification before initiating any transactions such as a transcript request, and records are kept in locked file cabinets. Records in the Office of Diagnostic Testing and Disabilities Services are kept in a locked file cabinet behind the staffed front desk.

To comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Owens-Franklin Health and Counseling Center posts both a Privacy Statement about the use of data collected by visits to its Web site [22] and a Notice of Privacy Practices that includes uses and disclosures of health information, patient rights, and ways to initiate complaints [23]. A statement about privacy of medical records also is included in both the undergraduate and graduate catalogs [24].

Medical Records are held for ten years past the date of last visit and then destroyed according to schedule. Charts that are less than ten years old are stored in an internal room accessible only to authorized staff. After meeting with the Department of Public Security for recommendations, the center secured x-ray records and the doors to the phlebotomy area as well [25]. In 2005, the center began the implementation of electronic medical records format using Medicat software, a health information system specifically for colleges that includes "HIPAA-compliant secure messaging with patients or among staff" through a secure Web interface [26].

Career Services also keeps student records and therefore has a detailed Privacy Policy available on its Web site. The Director of Career Services holds hard copies of placement and planning records are held for five years after graduation or date of last attendance. Online information is kept in a secure NACELink Account and is retained as long as students have an open account with Career Services; a copy of each resume is kept in a secure archive. Information disclosure to third parties is done only in four cases (with consent, to associated businesses, to comply with legal requests, and in the case that the University changes its online vendor) [27].

Finally, to ensure legal compliance, Prairie View has designed a 7-step procedure for data destruction. A record disposition log [28] and record destruction form [29] must be completed and filed with Records Management, and hard-copy materials must be burned or cross-shredded to protect students. The university president has dedicated several days to the cleanup of paper and electronic records such as e-mails, archives, hard disks and other storage media [30] [31]. Outdated and surplus computer hard drives are removed, magnetized, and dismantled to ensure erasure of any sensitive information.

Supporting Documentation and Links

Comprehensive Standards 3.9.2

© 2009 Prairie View A&M University