Student Data Security, Classification and Handling

Provided by: DAN362

1
Student Data Security, Classification and Handling
  • Student Data at Purdue University

2

Why is Data Security Important?
3
Avoid Risking Safety
  • Some students at Purdue University have chosen
    to withhold their information from being
    published in the Purdue directory. They may have
    chosen this for numerous reasons, but their
    privacy needs to be respected. Unfortunately,
    some students may be in a situation where they or
    their families' personal safety may be in jeopardy
    if this information fell into the wrong hands.

4
Avoiding Federal Penalties and Fines
  • We are bound by federal guidelines such as FERPA,
    GLBA and HIPAA. These guidelines require us to
    handle data in a certain way. If we fail to
    comply with these guidelines, Purdue could
    receive penalties and/or fines.

5
Embarrassment to the University
  • When data is compromised, letters are typically
    sent out to those who were potentially affected.
    Articles and reports as well as news releases
    may be seen in local or national newspapers or
    television stations.

6
Financial Resources
  • Some areas of the University have access to
    bank account information (such as the Bursar).
    Therefore, we need to protect this information in
    order to avoid its falling into the wrong hands.

7
Why Should I Care?
  • Often we become desensitized to the data that
    we handle in our everyday job. However,
    somewhere, someone is handling your information.
    Think about how you would want your own
    information protected and use those same measures
    for protecting the information of individual
    students at Purdue University.

8
Security Policies and Memorandums
9
Data Security and Access Policy C-34
  • Applies to administrative computing resources
    regardless of where they may reside. The three
    major guiding principles are:
  • Access: To assure that employees have access to
    relevant data they need to conduct University
    business.
  • Data Security: To prevent unauthorized access to
    systems, data, facilities, and networks.
  • Physical Security: To prevent any misuse of or
    damage to computer assets or data.
  • This policy specifically states that no
    University employee will knowingly damage or
    misuse computing resources or data. The
    employee's need to access data does not equate to
    casual viewing. It is the employee's obligation,
    and his/her supervisor's responsibility, to
    ensure that access to data is only to complete
    assigned functions.

10
Other Policies You Should Know
  • FERPA: http://www.purdue.edu/policies/pages/records/c_51.html
  • GLBA: http://www.itap.purdue.edu/security/policies/GLBPurdue1.doc
  • HIPAA: http://www.purdue.edu/policies/pages/records/vi_2_1_healthprov.html
    and http://www.purdue.edu/policies/pages/records/vi_2_1_fwdental.htm
  • Release of Student Information:
    http://www.purdue.edu/SSTA/datasteward/policies/files/Policy%20procedures%20for%20release%20of%20info.doc

11
Information Technology Policies
  • SSN Policy
  • All new systems purchased or developed by Purdue
    will NOT use SSNs as identifiers.
  • All University forms and documents that collect
    SSNs will use the appropriate language to
    indicate whether the request is voluntary or
    mandatory.
  • Unless the University is legally required to
    collect an SSN, individuals will not be required
    to provide their SSN. The PUID may be provided
    instead.
  • http://www.purdue.edu/policies/pages/information_technology/v_5_1_print.html

12
Information Technology Policies
  • Email Policy
  • Employees are granted email accounts for the
    purpose of conducting University business.
  • Emails sent by users, or which reside on
    University email facilities, may be considered
    public records (Indiana Public Records Act).
  • Users should exercise caution; any information
    intended to remain confidential should not be
    transmitted via email.
  • Refrain from improper use (i.e. commercial or
    private business purposes, organized political
    activity) and from using email to harass,
    threaten, degrade or demean other individuals.
  • http://www.purdue.edu/policies/pages/information_technology/v_3_1.html

13
Information Technology Policies
  • IT Resource Acceptable Use Policy
  • Only access files or data if they belong to you,
    are publicly available, or the owner of the
    data has given you permission to access it.
  • Complies with applicable laws and University
    policies, regulations, procedures and rules.
  • Prohibits use of IT resources for operating a
    business, political activity or personal gain.
  • http://www.purdue.edu/policies/pages/information_technology/v_4_1.html

14
Policies Resulting from State/Federal Guidelines or Mandates
15
Indiana SSN Disclosure
  • Indiana Code 4-1-10, Release of Social
    Security Number: Except where otherwise
    permitted, a state agency may not disclose an
    individual's SSN.
  • Disclosure is only permitted when:
  • The person gives their written or electronic
    consent
  • Where required by federal or state law
  • Where required by court order
  • Various other federal law requirements (Patriot
    Act)
  • A state agency discloses the SSN internally or to
    another state, local or federal agency
  • A state agency discloses the SSN to a contractor
    who provides goods or services if the SSN is
    required for the provision of the goods or
    services (contractual safeguards are required)
  • A state agency discloses the SSN to a contractor
    for the permissible purpose set forth in HIPAA
    and FERPA
  • Example: SSN is collected when applying for
    Federal Financial Aid. This process is allowed
    under the law and is an acceptable business
    practice.

16
Notice of Security Breach
  • Indiana Code 4-1-11, Notice of Security
    Breach: Any state agency that owns or licenses
    computerized data that includes personal
    information shall disclose a breach of the
    security of the system following a discovery or
    notification of the breach to any state resident
    whose unencrypted personal information was or is
    reasonably believed to have been acquired by an
    unauthorized person.
  • Personal information under the law is defined as
    a person's first AND last name OR first initial
    AND last name in addition to one of the
    following:
  • SSN
  • Driver's license or state ID number
  • Account number, credit card number, debit card
    number, security code, access code, password to
    an account
  • The notification that must occur to the affected
    individuals must be made without reasonable delay
    and except in certain circumstances must be made
    in writing.

17
FERPA
  • Family Education Rights and Privacy Act of 1974
  • Outlines what rights the student has to his/her
    education records. It also outlines when
    education records can be disclosed and to whom.
  • Examples of FERPA protected data are:
  • Grade transcripts and degree information
  • Class Schedule
  • Student's information file including demographic
    information.
  • More information on FERPA protected data is
    provided at the time you take your yearly FERPA
    certification.
  • https://www2.itap.purdue.edu/registrar/training/review.cfm?id=1

18
GLBA
  • Gramm Leach Bliley Act
  • GLBA was set forth by the Federal Trade
    Commission. Its intent is to protect personally
    identifiable information in situations where a
    consumer has provided information with intent to
    receive a service.
  • Examples of financial services at Purdue include:
  • Student loans
  • Information on delinquent loans
  • Check cashing services
  • More information on GLBA protected data
    is provided at the time you take your yearly GLBA
    certification.
  • https://www2.itap.purdue.edu/registrar/training/review.cfm?id=2

19
HIPAA
  • Health Insurance Portability and Accountability
    Act of 1996
  • Requires that Purdue must preserve the privacy
    and confidentiality of protected health
    information.
  • Examples of protected health information are:
  • Past, present or future physical or mental health
    condition
  • Past, present, or future payment for health care
    that identifies an individual (i.e. name,
    address, SSN, birth date).
  • Note that additional training may be required
    according to the area in which you work. You
    will be contacted if training is required.
  • https://www2.itap.purdue.edu/registrar/training/review.cfm?id=3

20
Summary
  • You should only access data that is needed to
    complete your assigned work function.
  • Use the PUID instead of an SSN whenever possible.
  • Users should exercise caution; any information
    intended to remain confidential should not be
    transmitted via email.
  • An employee can be held personally responsible if
    an improper disclosure of SSNs is made.
  • FERPA refers to student data that is protected by
    federal law.
  • GLBA refers to personally-identifiable
    information in situations where a consumer has
    provided information with intent to receive a
    service.
  • HIPAA refers to protected health information.
  • FERPA and GLBA require yearly certifications.
  • You will be notified if HIPAA training is
    required.

21
Data Classification At Purdue University
22
Data Classification
  • For the purposes of handling data appropriately,
    data is classified by the data stewards and
    information owners into one of the following
    three categories:
  • Public
  • Sensitive
  • Restricted

23
Public Student Data
  • May be or must be open to the public.
  • The student has the option to choose whether they
    want their directory information restricted or
    not. In Banner, a student requesting a
    restricted directory will restrict ALL data, not
    just portions of it as is done in the current
    mainframe system.
  • Examples of student data included in this
    category are:
  • Summary reporting data as appearing in the data
    digest.
  • The course catalog
  • Directory information: Name, local and home
    address, local and home telephone listing, email
    address, school and curriculum, classification
    and credit hour load, dates of attendance,
    degrees, awards and honors received,
    participation in officially recognized
    activities, height, weight and position of members
    on athletic teams.

24
Sensitive Student Data
  • Sensitive student data is information that should
    be guarded due to proprietary, ethical or privacy
    considerations. This classification applies even
    though there may not be a civil statute requiring
    this protection.
  • Examples of student data in this category
    include:
  • PUID
  • Major Program of Study
  • Admissions Applications
  • Decision Letters
  • Date of Birth
  • Ethnicity

25
Special Reminder Regarding PUID
  • Please take the time to review the following
    information regarding the PUID. You may want to
    print this document out and keep it as a
    reference.
  • http://www.itap.purdue.edu/security/files/PUIDDataClassif.pdf

26
Restricted Student Data
  • Restricted student data is information protected
    by statute (FERPA, HIPAA, GLBA), as well as
    information that isn't by default protected by
    legal statute, but for which the Information
    Owner has exercised their right to restrict
    access.
  • Examples of student information in this category
    include:
  • Student Academic Record
  • Social Security Number

27
Personally Identifiable Information (PII)
  • PII includes the following:
  • Date of birth
  • Mother's maiden name
  • Driver's license number
  • Bank account information
  • Credit card information
  • When the above information is used in combination
    with PUID, the information becomes HIGHLY
    SENSITIVE and additional steps should be taken
    to protect the information. Refer to the data
    handling guidelines for details on how to handle
    these data.
  • PII can also be personal characteristics that
    make a person's identity easily traceable. For
    example, if you did a query against the data
    warehouse and returned information related to
    gender, ethnicity and residency in a small
    department or school, it could be easy to
    determine who an individual is.

28
Student Confidentiality
  • A student's confidentiality should be paramount,
    and if in doubt as to how to handle the
    information, please contact the Student Services
    data steward.
  • http://www.itap.purdue.edu/ea/stewards/

29
What is Confidential?
  • The term "Confidential" is often used
    interchangeably with other security terminology.
  • "Confidential" is not a data classification like
    sensitive or restricted. It describes how
    information should be treated. For example, a
    conversation between an academic advisor and
    student may be confidential, and the student
    wishes that the advisor not share the information
    with anyone else.

30
More Detail on Student Data
  • More detail on Sensitive Student Data:
  • http://www.purdue.edu/SSTA/datasteward/security/files/Data%20Classified%20Sensitive.pdf
  • More detail on Restricted Student Data:
  • http://www.purdue.edu/SSTA/datasteward/security/files/Data%20Classified%20Restricted.pdf

31
Data Handling
32
Data Handling
  • As University employees, we have all been granted
    access to a wide variety of information in order
    to perform our duties. Much of this information
    is considered to be public and can be generally
    shared or distributed. However, our focus is on
    sensitive and restricted data that must be held
    in confidence to avoid its misuse, which could
    have a negative impact on fellow staff members,
    faculty, students and the University.
  • We all have a role in the safeguarding of this
    information, and should be aware of our
    individual responsibilities. The following three
    roles have been defined and cover the obligations
    of all University employees:
  • Information Owners
  • Data Stewards
  • Data Custodians

33
Roles in Data Handling
  • Information Owners: Provide policies and
    guidelines for the proper use of the information
    and may delegate the interpretation and
    implementation of these policies and guidelines
    to appropriate personnel. The following
    represents the Information Owners in Student
    Services

34
Roles in Data Handling
  • Data Stewards: Responsible for facilitating the
    interpretation and implementation of the data
    policies and guidelines. Data stewards have been
    designated to monitor access and usage of data
    related to specific areas within the University.
  • The Student Services Data Stewards are

35
Roles in Data Handling
  • Data Custodians: Responsible for implementing
    the policies and guidelines established by the
    Information Owners. This includes every staff
    member within the University. Each individual is
    in the best position to monitor daily data usage
    and ensure that information is securely handled
    in the most appropriate manner.

36
Data Handling
  • The quantity and variety of information that
    is utilized throughout the University is massive.
    It is not possible to define the appropriate
    methods of handling each individual piece of
    paper. However, we will provide guidelines and
    examples which will enable employees to make
    reasonable decisions regarding the use,
    distribution, storage, and destruction of
    University information.

37
Data Formats
  • Handling information relates to when you view,
    update, create, delete or destroy data. It also
    relates to when you transfer the data from one
    location to another. Based upon how data is
    classified (Public, Sensitive or Restricted), it
    may need precautions for handling. For the
    purposes of handling data, Purdue has grouped our
    data into these category formats:
  • Printed information (paper, microfiche)
  • Electronically Stored (computer based)
  • Electronically transmitted (email, fax, etc.)

38
Handling Printed Information
39
Handling Printed Information
  • Public Information
  • There are no special requirements for the
    storage or destruction of documents containing
    only Public information.

40
Handling Printed Information
  • Sensitive Information
  • Printed sensitive information should be stored
    out of general sight and physically destroyed
    beyond recognition once the information is no
    longer needed.

41
Handling Printed Information
  • Restricted Information
  • It is required that printed restricted
    information be stored in a secure manner. When
    not in use, these printed materials should be
    placed in a locked cabinet or other secure
    environment. Printed documents with restricted
    information that are no longer needed must also
    be destroyed beyond recognition, with no
    possibility of recovery.

42
Destruction of Printed Information
  • For printed information that must be destroyed
    beyond recognition or recovery, the best
    alternative is to shred the document. The
    university also provides other methods, such as
    depositing the items in secure recycle bins which
    are collected and destroyed appropriately by the
    University.
  • The use of the University confidential recycling
    program is acceptable for disposal of all
    classifications of documents/data. Information
    regarding this program can be found at:
  • http://www.purdue.edu/securepurdue/files/Shred_Singlepage.pdf

43
Handling of Restricted Printed Data
  • Printed materials with restricted data do not
    need to be labeled in any special manner (such as
    stamping the document as being restricted).
    However, staff need to be cautious when
    duplicating or distributing restricted
    information. Copies should only be made as
    specifically required for distribution and these
    should be marked as "Confidential". It is also
    necessary for staff to understand how the
    distributed materials will be used and disposed
    of by the recipient before sending the
    information.

44
Handling of Restricted Printed Data
  • When restricted documents are distributed
    internally (within the University), do not mark
    the envelope as "Confidential". Instead, put the
    information into a smaller sealed envelope that
    has been marked as "Confidential". Then, insert
    the smaller envelope into a larger campus
    envelope and do not mark the larger envelope so
    as to avoid drawing attention to the material
    contained inside. (Note: this may differ
    slightly from the policy defined by HR and
    Finance.)
  • When restricted documents are distributed
    externally, materials should be sent with a
    confirmation of receipt.

45
Example of Internal Mailing of Restricted Printed Data
  • Preferred option: Hand deliver
  • Next best option: Place in an envelope marked
    "Confidential" and place the envelope in the
    recipient's individual office inbox.
  • Another option: Place in an envelope marked
    "Confidential" and place in the recipient's
    central office mailbox.

46
Faxing Restricted Data
  • In some instances it might be impossible for you
    to hand deliver the information. When faxing
    restricted data, it is necessary to determine if
    the recipient's fax machine is secure (uses a
    password for retrieval of information). If it is
    not, then it will be necessary for you to fax the
    document when the recipient is standing by the
    machine so they can pick up the information
    immediately. They should confirm receipt of the
    information via a telephone call back to you.

47
Handling Electronic Student Data
48
Access to Data for Reporting
  • University information is stored in several
    databases with secure access. Employees should
    only have the access that is required to perform
    their assigned duties.
  • Examples of where student data is stored include:
  • Data Warehouse
  • Page Center
  • Mainframe (to be replaced by Banner)

49
Handling Restricted Electronic Data
  • Rules to Remember
  • Restricted data should NOT be copied to any
    removable devices including floppy disks, CDs or
    flash drives. Fixed hard drives without access
    controls (username and password) on individual
    workstations are also not an appropriate location
    to store restricted data. The most secure place
    to store this type of data is on a secure server
    with access controls.
  • Never store restricted data on your computer's C:
    drive.
  • Do not email a spreadsheet as an attachment if it
    contains restricted or personally identifiable
    information unless it is encrypted.
  • Do not create a shortcut on the desktop that
    points to a file on the network if the file
    contains sensitive or restricted data.

50
Handling Restricted Electronic Data
  • Rules to Remember (continued)
  • Laptops used as a workstation must follow the
    same security requirements as a standard
    workstation. DON'T save restricted data to your
    privately owned laptop that is used for
    non-business purposes.
  • If you have stored information to a CD with the
    intention of sharing it with someone who has a
    business need for the information, the recipient
    of the CD must physically destroy the CD beyond
    the ability to recover the information after the
    data has been used.
  • Don't transmit restricted data via cellular
    technology.

51
Am I Handling Data Properly?
  • If you are using reasonable measures to ensure
    that data is secure, then it is being handled
    properly. This can further be clarified by
    answering the following questions:
  • What type of data are you utilizing? Is it
    sensitive, restricted, confidential, or
    personally identifiable?
  • What does the data handling matrix say to do with
    it?
  • Who will have access to it?
  • What will that person be doing with it?
  • If you still aren't sure, ask your
    supervisor or Data Steward.

52
Data Matrices
  • Handling Printed Student Data:
  • http://www.itap.purdue.edu/security/procedures/dataHandling/printedInfo.cfm
  • Handling Electronically Stored (Computer based)
    Student Data:
  • http://www.itap.purdue.edu/security/procedures/dataHandling/electrStored.cfm
  • Handling Electronically Transmitted Student Data:
  • http://www.itap.purdue.edu/security/procedures/dataHandling/electrTrans.cfm

53
Additional Security Steps
  • Make certain your web publishers/administrators
    ensure that confidential/restricted data is not
    requested or displayed on an unsecure website.
  • Turn off auto-complete as it stores information
    such as usernames and passwords.
  • Do not save your passwords to your workstation.
  • Do not use your login on someone else's computer.
  • Lock your workstation when you are away from it.