Protecting Confidential Data - Guidelines & Practice Directive P202 April 2003 (Rev. 12/05)


PROGRAM

202.1 It is the practice of the California State University (CSU) and San Francisco State University to comply with the Information Practices Act (IPA), the Family Education Rights and Privacy Act (FERPA) and Title 5 regulations that govern the protection of confidential, sensitive, personal employee, applicant and student information/data. The CSU and SFSU are required to collect, use, maintain and disseminate information relating to individuals in accordance with the above regulations and take the necessary safety measures to protect and maintain this information/data. These Guidelines are designed to provide definitions, list responsibilities, and address the ramifications of breaches to confidentiality as outlined in the Information Practices Act and Title 5.

SCOPE

202.2 These Guidelines apply to all employees with access to confidential employee, student, applicant information/data who have a legitimate need to have such access as part of their required job responsibilities. Information obtained orally, in writing, by electronic or any other means is subject to strict limitations.

202.3 Where the provisions of these Guidelines are in conflict with the Collective Bargaining Agreements reached pursuant to Chapter 12, (commencing with Section 3560) of Division I of the Government Code (HEERA), the Collective Bargaining Agreements shall take precedence; except that HEERA and negotiated Agreements do not supersede the provisions of the Information Practices Act.

DEFINITIONS

202.4 Personal information, as defined by the IPA and Title 5, means any information that is maintained by SFSU that identifies or describes an individual, including, but not limited to, name, social security number, ethnicity, gender, home address, telephone number, physical description, education, medical/employment history, and/or financial matters. It includes statements made by, or attributed to, the individual.

202.5 Employees, for this purpose, are defined as executives, managers, faculty, staff, students, consultants, or volunteers employed by the University and include any other person having access to CSU/SFSU personal, confidential, sensitive information/data.

202.6 Disclosure means to disclose, release, transfer, disseminate or otherwise communicate all or any part of confidential, sensitive, personal information/records/data orally, in writing, electronically or by any other means to any person or entity.

202.7 Student Information for this purpose means all student information. Any requests for disclosure of student information should be referred to the Registrar's Office.

RESPONSIBILITIES

In accordance with the IPA and Title 5:

202.8 SFSU shall maintain in its records personal information relating to employees or students that is relevant and necessary to accomplish a purpose of SFSU required or authorized by the California Constitution, statute or mandated by the federal government.

202.9 Chief Administrator - This individual is the Vice President for Administration and Finance, delegated by the President with responsibility for the overall administration of the SFSU Confidentiality and Information Security Plan.

202.10 Custodians of Records - These individuals are responsible for maintaining compliance with all provisions of the statutes governing employee, student and financial data under their purview, i.e., the Human Resources Officer for employee data, the Fiscal Affairs Officer for financial data, and the University Registrar for student data. The Custodians of Records ensure that all employees receive employee/student confidentiality training.

202.11 Management Personnel Plan Administrators Department Chairs shall be responsible for oversight of their employees authorized to handle confidential information and provide their employees with resources and methods for the security of information.

202.12 Employees who have job-related responsibilities which require access to personal confidential information on other employees, applicants and/or students shall not disclose personal confidential information to unauthorized individuals; shall not modify or delete personal confidential information unless authorized to do so and shall complete the University Employee and Student Information Protection (ESIP) training as part of their working conditions.

PROVISIONS

202.13 The President has designated a University Confidentiality and Information Security Committee to prepare, implement and maintain a Plan for the Campus.

202.14 The SFSU Confidentiality and Information Security Plan establishes appropriate and reasonable administrative, technical, and physical safeguards designed to ensure the security and protection of confidential information in the University’s custody. The purpose of the Plan is to enhance the management of personal information to prevent loss of privacy and/or financial damage. For access to the Plan, click here.

 

202.15 The Employee and Student Information Protection (ESIP) training program is a 20-minute on-line program consisting of a tutorial and quiz that all faculty, staff and student assistants must complete before they can access employee and student data. The program is designed to familiarize all employees with privacy issues and guidelines for the use of employee and student data maintained on Campus. All employees will be prompted to take the ESIP training when they access web sites that contain confidential employee or student data. The training is mandatory and must be completed before the web site can be accessed. To access ESIP, click here. For answers to frequently asked questions and additional information on privacy rights, click here.

 

202.16 Human Resources shall provide all new staff employees and all new tenure-track faculty with information concerning protecting confidential data. On a monthly basis, Human Resources shall provide a list of all employees who have completed the Employee and Student Information Protection (ESIP) training to the Chief Administrator for review and final authorization.

PENALTIES

202.17 Careless, accidental or intentional disclosure of information to unauthorized individuals, unauthorized modification or deletion of information, or violation of any provisions of these statutes or guidelines may result in disciplinary action and/or civil action.

REFERENCE: Information Practices Act of 1977
Title 5, California Code of Regulations, Sections 42396-42396.5
California Civil Code, Sections 1798-1798.78
HR/PR 93-01 and Supplement #1
HR 2003-05 dated March 13, 2003
Family Education Rights and Privacy Act of 1974 (FERPA)
Procedures on Management of Student Records
SFSU Confidentiality and Information Security Plan, February 2004