The
institution protects the security, confidentiality, and integrity of
its student records and maintains special security measures to
protect and back up data.
X Compliance ___Partial Compliance ___Non-Compliance
Narrative
St. Petersburg
College is in compliance with this comprehensive standard because it
has established comprehensive procedures for safeguarding student
records, including protecting student confidentiality and backing up
student data.
Security, confidentiality, and integrity of physical student records
St. Petersburg
College bases its policies and procedures for maintaining the
security, confidentiality, and integrity of its student records on
Federal requirements specified
by the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance
Portability and Accountability Act (HIPAA). SPC also adheres to
guidelines recommended by the American Association of
Collegiate Registrars & Admissions (AACRAO), the professional association encouraging
best practices in such areas as enrollment management, information
technology, instructional management, and student services.
St. Petersburg
College’s Central Records office is responsible for maintaining
student records and ensuring their security, confidentiality, and
integrity Collegewide. The Central Records office operates under
the direction of the College Registrar. Records are maintained in
three formats (paper, microfiche, and electronic). General security
procedures for student records are found in Board of Trustees (BOT)
Procedure P6Hx23-4.37 (Procedure: Student Records).
· Current lower division
student records are maintained in paper format in fireproof file
cabinets located in a locked storage room within a secure area.
Access to these records is restricted to Central Records staff only.
· Archived student
records are maintained in microfiche and secure electronic formats.
Access to microfiche records is restricted to Central Records staff
only. Access to electronic records is restricted to Central Records
staff, Campus Coordinators of Admissions and Registration, campus
Directors of Student Success, Baccalaureate Program Specialists, and
counselors at the Health Education Center and SPC Downtown.
Microfiche records are located in a secure storage room. Back-up
copies of the microfiche are stored in Tallahassee. Electronic
records are secured by user access IDs and PINs.
· All upper division
student records are maintained in a secure electronic format.
Access to these records is limited to Central Records Staff, Campus
Coordinators of Admissions and Registration, Campus Directors of
Student Success, and Baccalaureate Program Specialists. Upper
division records are secured by user access IDs and PINs.
Central Records
is located in a restricted access area. Records physically located
in the Central Records area are stored in containers within a secure
room. Access to Central Records is closely controlled by the
College Registrar and the entire area is regularly patrolled by
College security personnel.
The College
adheres strictly to the requirements of the Family Educational
Rights and Privacy Act (FERPA) to prevent release of student
information, with the exception of designated directory information,
to third parties. Access to protected student information is only
provided to school officials with a legitimate educational interest
in those records. St. Petersburg College’s FERPA safeguards are
specified in BOT Rule 6Hx23-4.37 (Student Records). All
Registration and Admissions personnel receive training in their
responsibilities regarding FERPA when hired in the position. FERPA
training for all new Faculty is provided by the College Registrar
and the Vice President of Education and Student Services at the
required annual New Faculty Orientation. On a regular basis, FERPA
training is provided to counselors and advisors at their quarterly
meetings and to Campus Coordinators for registration and admissions
at their monthly meetings.
Excerpt from Minutes of the
Campus Coordinator meeting, 03-07-06
FERPA
The
Solomon Amendment has been upheld; recruiters can get
information about students. Refer recruiters to [the Vice
President of Educational and Student Services]
There have been
no FERPA complaints since the last SACS visit.
The College also adheres strictly to Florida Statute 1002.22
and 1006.52 regarding privacy of student records. The purpose of
the Florida Statute 1002.22 is to protect the rights of students
with respect to student records and reports used by public
educational institutions. The Statute dictates that anyone
requesting access to student records, except for parents of
dependent students, must have permission from the student before the
records are provided. The purpose of Florida Statute 1006.52 is to
provide an exemption for student records from the Florida Statute
that permits public records to be inspected and copied by any person
desiring to do so.
To
comply with the requirements of Section 504 of the Rehabilitation
Act of 1973 and the Americans with Disabilities Act, the College
maintains the confidential nature of disability-related
information. According to the College policies and procedures,
campus Learning Specialists maintain documentation regarding the
student's disability in confidential files but are not permitted to
give details regarding disabilities unless a student has signed a
written consent form. Students do not have to inform Faculty
members about their disabilities, only the needed accommodations.
Students may disclose their disabilities to a Faculty member, who is
then obligated to maintain confidentiality regarding the students’
disabilities. Procedures for protecting the confidentiality of
students with disabilities are found in the Faculty Manual on
Reasonable Accommodations for Students with Disabilities,
produced by the Office of Services for Students with Disabilities,
and reflected in the Rights and Responsibilities to Assure Equal
Education Access to Students with Disabilities and the Student with Disabilities Accommodation Sheet. The Accommodation Sheet begins with the statement:
This information is
CONFIDENTIAL. It is important that the instructor not disclose
this information in any way to other students, faculty,
potential employers, or anyone else without the student’s
written permission.
The College’s policy on protecting
the privacy of students with AIDS is contained in Board of Trustees
Procedure P6Hx23-1.91, Procedure: Human Immunodeficiency
Virus/Acquired Immunodeficiency Syndrome (HIV/AIDS). If the College
or any individual at the College becomes aware of test results of
any student, the test and test results are considered confidential.
If a student shares that they have an HIV infection with a College
Faculty or Administrator, the issue will be kept confidential;
however, the College Faculty or Administrator may seek the consent
of the student to share the information with College Personnel who
may have a reasonable need to know. Should the HIV-infected student
consent, an appropriate consent form is used to document the
consent. The Faculty member or Administrator maintains the consent
form in a separate record that is kept confidential. The College
does not release HIV test results except with specific written
authorization by the student or by Court Order. A general release
or subpoena is considered insufficient.
SPC adheres to the State retention policy for records
disposal published in the General Records Schedule GS5 for
Universities and Community Colleges. For example, the record copy
of admission records for students denied admission is retained for
at least 3 years after the application is submitted.
Security of electronic student records
St. Petersburg
College is committed to keeping student data from any unauthorized
users both internal and external to the College and committed to
keeping this data free from any viruses which could corrupt and
destroy the integrity of our electronic records. To select the best
practices to implement, SPC sought a benchmark institution to model
and found that the state of California had some of the highest
standards for privacy protection, to the point of establishing a
department at the state level for this effort. The University of
California at Berkeley was considered one of the top institutions in
this area and was used as a benchmark. As a result, SPC is using
the industry’s leading software and best practices to maintain the
security, confidentiality and integrity of electronic student
records.
Passwords
and permissions. The
College uses network passwords to authenticate valid users and to
protect data across its network. Passwords to the network must be
changed every 60 days. Written permission is required to gain
access to student data within the student information system.
Changes to access that include granting permission to use, change or
delete data from pages must be approved in writing (normally email)
by the user’s manager. Access permission changes are performed by
Network or System Administrators. The user IDs and passwords of
terminated employees are disabled and their accounts quarantined as soon as the employee has
completed his or her last day.
Data
security. The College
goes to great lengths to ensure that student records are secure from
intrusion from unauthorized persons. The College uses multiple
firewalls, virtual private networks and secure socket layer (SSL)
certificates to keep its data secure.
Firewalls.
The institution’s firewall software distinguishes “authorized”
versus “unauthorized” Internet protocol addresses and port numbers
internal to the College network. Only certain servers can be
accessed from outside the College’s network. Firewall rules are
designed, documented, implemented and tested by qualified College
staff or service providers and approved by qualified leadership
positions. Records of firewall changes are maintained for one year
and data on emails and Web site access (e.g., origination and
termination information) are stored for one year. The firewall
architecture diagram further details the precautions taken to secure
our student data:
Diagram
of SPC Student System Network architecture
Encryption.
The College also uses VPN (Virtual Private Network) software to
encrypt sensitive student data that is transferred between the
College’s network behind the external firewall and add another layer
of security.
Secure socket layer (SSL)
certificates. St.
Petersburg College uses Secure Socket Layer (SSL)
certificates with a private key to encrypt data transmitted across
the Internet. The institution’s Web servers have SSL certificates.
Thus, student data (unofficial transcripts, grades, bio-demographic
data and credit card information) is encrypted before it is sent out
to the students or credit card authorization companies.
Transfer of data.
The College sends electronic files to the Florida Department of
Education on a frequent basis. These files are transferred using
File Transfer Protocol (FTP) between SPC and a server used by the
State for all such reports. The data is encrypted on the SPC side
and decrypted when it arrives at the Northwest Regional Data
Center (NWRDC) used by the State.
Physical
security. Physical
security precautions are taken to restrict access to the physical
storage devices in SPC’s central computer room to only those
employees who need access to perform their duties. Access to two
locked doors is required to enter the central computer room.
Computer operations personnel staff the computer room from 7AM to
8PM Monday through Friday. Computer users in the central computer
room must re-authenticate on their computer after 20 minutes of
inactivity. Any employees other than computer operations personnel,
such as technical staff working on computer or networking systems,
or non-employees such as maintenance personnel or members of tour
groups, must log their activities or visit on the log sheet. If the
activity included changing programs, the change must be documented
according to the prescribed Documentation procedures. The Associate
Vice President of Administrative Information Systems, Director of
Network Systems and TV Operations, or Director of Instructional
Technology will initial each entry as certification that the tour or
extra-hour work was legitimate.
Software
security. The College
uses a software licensing monitoring tool to prevent anyone with
malicious intent from running readily available password-cracking
software on SPC computers. This software allows users to prevent
certain software from running on the computers on the College
network.
Confidentiality of electronic student records
New users of the Student Records database are required to
sign a Protection of Information and Access agreement
indicating that they will treat the student information with
confidentiality and not discuss this information with others inside
or outside of the College.
Excerpt from Protection of Information
and Access Agreement

Integrity of electronic student records
Data integrity.
The institution uses the latest technology to protect the integrity of
SPC’s data by deploying anti-virus software for businesses to each
computer on the College network. The College distributes anti-virus
software updates to every computer on the network several times per day
to ensure that the latest viruses will not infect and ultimately corrupt
stored data. The software allows the College to run reports to
illustrate how many viruses were detected and deleted using the
anti-virus software.
Software
integrity. Additionally, the
College uses software installed on all computers in student computer
labs to preserve the original configuration of the computer by deleting,
at reboot, any software that was downloaded to the computer during the
day, including software that could potentially pose a threat to the
College computer network.
Backup
procedures. SPC has a
rigorous procedure to back up student data in the event of hardware or
software failure or catastrophic incident. All the College’s servers
that store student data are backed up fully once a week and
incrementally every weekday. The tapes that store these data are sent
off-site and rotated every two weeks.
Informing students of the provisions for protecting their information
Information
regarding privacy of student records is disseminated through the College Catalog, Student Handbook, and the Supplement to
the Faculty and Student Handbooks, which are published in paper form
as well as on the College Web
site.
Excerpt from
Student Handbook
Excerpt
from College Catalog online
In addition,
instructions to Faculty on the privacy of student records are available
in the Faculty Manual, downloaded from the HR Web site, as well
as included in the training for all new Faculty, full-time or adjunct.
Excerpt from New Faculty Orientation
References