Personally Identifiable Information Security Policy
PURPOSE:
Jefferson Community College will adhere to the New York State Chapter 279 of the Laws of 2008 Program Bill, which restricts the use of social security numbers by State agencies and other governmental entities, effective January 1, 2010, as well as the Federal Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), which requires protection of personally identifiable information (PII).
STATEMENT OF POLICY:
- Personally identifiable information (PII) is described as any data that can be used
to disclose the identity of an individual. This includes but is not limited to social
security number, address, phone number, College ID number, email address or name.
- In an effort to maintain data security in all realms of data collection, JCC requires
that all online data collection programs conform to the following information security
regulations:
- Personally identifiable information will not be stored on any server accessible by
the public. This includes but is not limited to web servers and email servers.
- Campus-wide network traffic is not secure. No guarantee of security or even arrival
of transmission is made. Internet and Electronic Mail should not be used for the
transmission of confidential or sensitive data.
- All personally identifiable information will be stored on securely controlled central
database servers that conform to all access control and authentication regulations
set forth by IT.
- All online data collection, data retrieval and application requests involving personally
identifiable information will be reviewed to ensure that all security principles,
programming standards and data storage requirements are met, and that all data elements
are being collected securely and appropriately.
- When programs and methods are found that do not conform to information collection
and security policies, they will be removed and taken out of production until security
violations are corrected.
- Phone conversations should not include any personally identifiable information.
- Printouts with personally identifiable information should be kept secure and disposed
of using the appropriate procedures for disposing of secure documents.
- Online data collection programs are defined as any web form, application or survey
tool that is made available to the public and stores some or all of the personally
identifiable information elements. Surveys, while they may or may not collect personally
identifiable information, must be reviewed by a designated data/cyber security officer
to ensure that the data being collected is securely stored in a manner consistent
with all designed security standards established for personally identifiable information
(PII).
- Disclosure of personally identifiable information to parties outside the university
- JCC does not sell, rent, give away or loan any personally identifiable information
about students, faculty or staff to any third party other than agencies directly connected
to the university. Agencies who have access to personally identifiable information
are required to protect this information in a manner that is consistent with this
privacy policy and those set forth by the State of New York and the Federal government.
Violators of these privacy acts will be prosecuted to the full extent of the law.
- Consent
- By using the College technology infrastructure, you consent to the collection and
use of your personally identifiable information by JCC. The policies that govern
the usage of JCC’s technological infrastructure and your personally identifiable information
will be made available.
- Failure to uphold the general standards of usage constitutes a violation of this policy
and may be subject to disciplinary action. The general standards of usage require:
- Compliance with all applicable laws, regulations, and College policies;
- Truthfulness and honesty in personal and computer identification;
- Respect for the rights and property of others, including intellectual property rights;
- Chapter 279, Public Officers Law 96-a, prohibits the State from any of the following,
unless required by law:
- Intentionally communicating or making available to the general public an individual’s
social security number;
- Printing an individual’s social security number on any card or tag required for the
individual to access products, services or benefits provided by the State and its
political subdivisions;
- Requiring an individual to transmit his or her social security number over the Internet,
unless the connection is secure or the number is encrypted;
- Requiring an individual to use his or her social security number to access a website,
unless a password or unique personal identification number or other authentication
device is also required for access;
- Including an individual’s social security number, except the last four digits, on
any materials that are mailed to the individual or sent to him or her in an email
that is copied to third parties, except that social security numbers may be included
in applications and forms sent by mail, including documents sent as part of an application
or enrollment process, or to establish, amend or terminate an account, contract or
policy, or to confirm the accuracy of a social security number;
- Printing a social security number, under any circumstances, in whole or in part, on
a postcard or other mailer not requiring an envelope, or visible on an envelope or
without the envelope having been opened; and
- Encoding or embedding a social security number in or on a card or document, including
by bar code, chip, magnetic strip, or other technology, where printing a social security
number thereon is prohibited under this law.
Student Support Services, Social Security Number (SSN) Initiative, nysed.gov, http://www.p12.nysed.gov/sss/lawsregs/POL96-a.html, January 12, 2010
- The Board of Trustees hereby authorizes the President, or his/her designee, to develop and establish appropriate standards and procedures to implement and enforce this policy.
Personal Information
Resolution 128-12