Protection of Personally Identifiable Information Policy and Procedures
Table of Contents
- Philosophy and Scope
- Definitions for the Purpose of this Policy and Procedures
- Responsible Senior Leader and Responsible Office
- Entities Affected by this Policy and Procedures
- Required Strategies for the Protection of Personally Identifiable Information
- Related College Policies and Procedures
- Procedures and Guidelines for the Protection of Personally Identifiable Information
I. Philosophy and Scope
Frederick Community College (“FCC” or the “College”) is committed to protecting the
personally identifiable information (PII) of all students, employees, and any other
individual whose PII is collected by the College in carrying out its mission.
This Protection of PII Policy and Procedures is comprehensive in that it establishes
overarching standards that affect a wide range of student and personnel records, information
technology, and financial processes. This Policy and Procedures identifies related
College policies and procedures that are related to the overarching protection of
PII.
The purpose of this Protection of PII Policy and Procedures is to provide a structure
for and guidance about the protection of and access to sensitive data, information,
and records in the possession of the College. The Chief Information Officer and the
Vice President for Finance are charged with overall PII management and enforcement.
II. Definitions for the Purpose of this Policy and Procedures
- “College community” refers to trustees, students, and all employees of the College as well as any independent
contractors or other third parties to the extent articulated under contractual agreements.
- “Family Educational Rights and Privacy Act (FERPA)” refers to a federal law protecting the privacy of student education records. The law
applies to all schools receiving funds under any applicable program of the U.S. Department
of Education.
- “Gramm Leach Bliley Act (GLBA)” refers to a Federal law (primarily the Privacy Rule [16 CFR 313] and the Safeguards
Rule [16 CFR 314]) requiring all financial institutions to develop, implement, and
maintain safeguards to protect customer information. Because the College is in compliance
with FERPA to protect the privacy of student records, FCC is deemed to be in compliance
with GLBA.
- “Individual” refers to a person for whom the College collects PII.
- “Need to Know” refers to the need for information in a record for the purpose of performing the
required task(s) and responsibilities during the course of an employee’s job.
- “Periodic compliance checks” refers to unscheduled inspections conducted by the appropriate Senior Leader to examine
whether safeguards are adequately protecting PII.
- “Personally Identifiable Information” is a category of information linked to a specific individual that would allow a person,
who does not have personal knowledge or the relevant circumstance, to identify the
individual with reasonable certainty. Data elements that are considered PII include:
an individual’s name; the name of the individual’s other family members; the address
of the individual or individual’s family; a personal identifier, such as the individual’s
social security number, identification number, or biometric record; financial data
including student loans, banking information, credit card or credit information; other
indirect identifiers, such as the individual’s date of birth, place of birth, and
mother’s maiden name.
Some information that is considered PII is available in public sources such as telephone books, public web sites, and College directories. Examples are: first and last name; address; work telephone number; email address; home telephone number; and general educational credentials.
In contrast, other information like social security number, biometric data, financial data, date of birth are consider sensitive PII and have more stringent protection requirements. - “Record” refers to any educational information or data recorded in any medium.
- “Red Flags Rule” refers to a federal regulation issued by the Federal Trade Commission (FTC) as part
of the implementation of the Fair and Accurate Credit Transaction (FACT) Act of 2003.
The Red Flags Rule requires financial institutions and creditors to implement a written
Identity Theft Prevention Program and to provide for the continued administration
of this Identity Theft Prevention Program. The College is subject to this rule because
it holds student accounts that do not require full payment at the time of enrollment,
and because it administers student loans.
- “Senior Leadership Team (SLT)” refers to the President’s Senior Leadership Team, comprised of the President; the
Provost/Executive Vice President for Academic Affairs, Continuing Education, and Workforce
Development; the Vice President (VP) for Finance; the VP for Human Resources; the
VP for Learning Support; the Chief of Operations; the Chief Information Officer; and
the Special Assistant to the President for Institutional Effectiveness.
III. Responsible Senior Leader and Responsible Office
Chief Information Officer
Vice President for Finance
Information Technology
IV. Entities Affected by this Policy and Procedures
The College community
V. Required Strategies for the Protection of Personally Identifiable Information
- Minimizing PII Use
Employees should minimize the use, collection, and retention of PII to what is strictly necessary to accomplish a specific business purpose and mission. The likelihood of harm caused by a breach involving PII is greatly reduced if the College minimizes the amount of PII it uses, collects, and stores. PII should only be collected if the use of that information is absolutely necessary and has been approved by the Chief Information Officer or Vice President for Finance. - Categorizing PII
Other policies, procedures, and guidelines are linked within this document that provide guidance with regards to the use of PII. PII has the potential to subject individuals and/or the College to risk if inappropriately accessed, used, or disclosed. When use of PII is requested, the Chief Information Officer or the Vice President for Finance will evaluate the context of use and determine if the purpose for which the PII is collected, stored, used, processed, disclosed, or disseminated is appropriate and aligns with this policy and other policies and procedures linked within this document.
All employees should reference and follow College Data Classification Guidelines. They establish a framework to classify institutional data based on its level of sensitivity, value, and criticality to the College as required by College policies. They also help employees understand the difference between public, private, and restricted data and how to protect sensitive information. - Collection and Storage of PII
Prior approval is required from the Chief Information Officer or Vice President for Finance to collect and/or store PII data on any device or system. - Evaluation of PII Use
When evaluating a request to use PII, the following factors must be considered:
- The purpose of the data collection and how it is categorized (see Data Classification Guidelines);
- Whether there is another source of pre-existing data (deals with reduction of duplicative information);
- Whether all information requested is required (minimizing collection to only what is required);
- How the data are being stored, for how long, and in what state (deals with physical location, type of device, encryption, and retention);
- How the data are being transmitted (if applicable) and in what state (deals with encryption);
- Whether agreements bind the College with third parties (deals with software, services, web applications or forms); and
- Whether the use of the PII has been vetted and approved by either the Chief Information
Officer or Vice President for Finance.
- Administrative Safeguards
Administrative safeguards include pertinent policies to safeguard PII, training to increase awareness of and compliance with policies and procedures, and guidelines related to safeguarding PII, and communication of philosophy, policies, and procedures related to PII to both internal and external stakeholders.
Administrative safeguards are created to ensure the College complies with the protection of PII in general, FERPA, and by extension the GLBA, and the FTC Red Flags Rule. - Technical Safeguards
Technical safeguards include the development of information technology policies and procedures, guidelines, and implementation of tools to monitor and control access to PII, and strategies to retain and back up critical PII.
Technical safeguards, wherever possible, are treated as confidential to limit exploits that might lead to unintended or malicious exposure of PII. - Physical Safeguards
Physical safeguards include the development of standard operating procedures to provide physical control and destruction of PII, including but not limited to access control, secure storage facilities, shred bins, and surveillance in support of physical security for PII.
Physical safeguards, wherever possible, are treated as confidential to limit exploits that might lead to unintended or malicious exposure of PII. - Employee Training
Annual Cybersecurity training (which includes PII training) is required of all employees. In addition, existing and new policies and procedures will be reviewed to incorporate training elements specific to that policy.
VI. Related College Policies and Procedures
- Policies and Procedures Related to Academic Affairs, Continuing Education, and Workforce
Development
The following College policies and procedures are related to Academic Affairs, Continuing Education, and Workforce Development records that contain PII:
- Academic Placement Policy and the Academic Placement Procedure (covers test scores and student disability status)
- Academic Standards Policy and the Academic Placement Procedure (covers awarding of grades, credits, and degrees)
- Code of Student Conduct Policy and Procedures (covers academic integrity)
- College Travel and Transportation Services Policy and Procedures (covers rosters, waivers, medical information)
- Complaint Policy and Procedures for Students (policy linked with FERPA)
- International Travel Policy and Procedures (covers rosters, waivers, medical information)
- Academic Placement Policy and the Academic Placement Procedure (covers test scores and student disability status)
- Policies and Procedures Related to Learning Support
The following College policies and procedures are related to Learning Support records that contain PII:
- Admissions Policy and Procedures (covers student PII)
- Alcohol, Tobacco, Opioid, and Other Drug Use and Awareness Policy and Procedures (covers reporting for students for ATODA concerns)
- Behavioral Evaluation and Response Team Policy and Procedures (covers student health status)
- College Travel and Transportation Services Policy and Procedures (covers rosters, waivers, medical information)
- Determination of Residency for Tuition Purposes Policy and Procedures (covers collection and storage of PII)
- Name for Student Records Policy and Procedures (covers collection and use of PII)
- Non-Discrimination Policy and Procedures (covers complaints and investigations for students)
- Posthumous Awards for Students Policy and Procedures (covers student academic progress records)
- Privacy and Access to Education Records Policy and Procedures (covers FERPA)
- Student Athlete Concerns about Athletics Programs and Activities Policy and Procedures (covers student athlete records)
- Student Withdrawal Policy and Procedures (linked to BERT and FERPA-protected student PII)
- Title IX Sexual Harassment Policy and Procedures (covers confidentiality and investigations of students)
- Video Monitoring of College Premises Policy and Procedures (covers controlled access to video monitoring and use of collected information)
Since the policies and procedures are related to this overarching Protection of PII Policy and Procedures, they will be reviewed by the Vice President for Learning Support annually as part of the periodic scheduled review. The Vice President for Learning Support will also conduct periodic compliance checks related to PII. - Admissions Policy and Procedures (covers student PII)
- Policies and Procedures Related to Finance
The following College policies and procedures are related to Finance records that contain PII:
- Records Retention Policy and Procedures (covers PII related to retention)
- Travel and Expense Reimbursement Policy and Procedures (covers collection of PII for reimbursement)
- Tuition and Fees Policy and Procedures (linked to financial records and tied to Red Flags Rule and GLBA)
Since the policies and procedures are related to this overarching Protection of PII Policy and Procedures, they will be reviewed by the Vice President for Finance annually as part of the periodic scheduled review. The Vice President for Finance will also conduct periodic compliance checks related to PII. - Records Retention Policy and Procedures (covers PII related to retention)
- Policies and Procedures Related to Human Resources
The following College policies and procedures are related to Human Resources records that contain PII:
- Complaint Policy and Procedures for Employees (covers investigations)
- Employee Code of Ethics (covers control of confidential information)
- Employee Misconduct Policy and Procedures (covers employee records)
- Leave Benefits Policy and Procedures (covers health and employee records)
- Non-Discrimination Policy and Procedures (covers complaints and investigations for employees)
- Separation from Employment Policy and Appeal Procedure for Involuntary Separation
from Employment (in relation to appeal procedure)
- Sick Leave Bank Policy and Procedures (covers collection and storage of employee health records)
- Title IX Sexual Harassment Policy and Procedures (covers confidentiality and the investigation of an employee)
Since the policies and procedures are related to this overarching Protection of PII Policy and Procedures, they will be reviewed by the Vice President for Human Resources annually as part of the periodic scheduled review. The Vice President for Human Resources will also conduct periodic compliance checks related to PII. - Complaint Policy and Procedures for Employees (covers investigations)
- Policies and Procedures Related to Information Technology:
The following College policies and procedures are related to Information Technology records that contain PII:
- Technology Use Policy and Procedures (covers College data storage, access, and use)
Since the policies and procedures are related to this overarching Protection of PII
Policy and Procedures, they will be reviewed by the Chief Information Officer annually as part of the periodic scheduled review. The Chief Information Officer will also conduct periodic compliance checks related to PII. - Policies and Procedures Related to Institutional Effectiveness:
The following College policies and procedures are related to Institutional Effectiveness records that contain PII:
- Advertising by External Parties Policies and Procedures (covers collection of PII from external sources)
- Institutional Review Board Policy and Procedures (covers use of PII of individuals involved in research projects at the College)
- Public Information Requests Policy and Procedures (covers Public Information Requests)
Since the policies and procedures are related to with this overarching Protection of PII Policy and Procedures, they will be reviewed by the Special Assistant to the President for Institutional Effectiveness annually as part of the periodic scheduled review. The Special Assistant to the President for Institutional Effectiveness will also conduct periodic compliance checks related to PII. - Advertising by External Parties Policies and Procedures (covers collection of PII from external sources)
VII. Procedures and Guidelines for the Protection of Personally Identifiable Information
- Periodic Scheduled Reviews
This Policy and Procedures in its entirety, including related policies and procedures, will be reviewed annually by the Senior Leadership Team. This annual effort will include a compliance review to improve training, communication, and performance related to safeguarding the PII of all individuals. - Periodic Compliance Checks
Senior Leaders will ensure that compliance checks related to this policy and procedures and related policies and procedures are conducted annually. These compliance checks will be conducted using the PII Periodic Compliance Check form approved by the Senior Leadership Team. The results of the compliance checks will be used to continuously improve processes, procedures, training, communication, and infrastructure related to the protection of PII.
The documentation from the compliance checks will be retained according to the IT retention schedule by the Chief Information Officer and used to identify trends and PII compliance target training and in the annual scheduled policy review conducted by the Senior Leadership Team. - Data Classification Guidelines
All employees should reference and follow College Data Classification Guidelines. They establish a framework to classify institutional data based on its level of sensitivity, value, and criticality to the College as required by College policies. They also help employees understand the difference between public, private, and restricted data and how to protect sensitive information. - Incident Response Procedures
For concerns related to unauthorized access or disclosure of PII, contact the IT HelpDesk, Executive Director of Network Infrastructure and IT Security Officer, or Chief Information Officer. Specific steps on how the IT responds to incidents concerning PII are found within the Information Security Incident Response Procedures, a standard operating procedure document maintained by the Chief Information Officer and Executive Director of Network Infrastructure and IT Security Officer. - Consequence for Failure to Comply with this Policy
Any individual who becomes aware of non-compliance with this policy and procedures has a responsibility to report it to the Chief Information Officer and/or the Vice President for Finance.
Employee or student violators of this Policy and Procedures are subject to College disciplinary actions.
BOT Approved: 11/15/2017
Revised: 8/7/2018
Revised: 7/1/2019
Revised: 7/1/2020
Revised: 7/1/2021
BOT Approved: 11/15/2017
Revised: 8/7/2018
Revised: 7/1/2019
Revised: 7/1/2020
Revised: 7/1/2021