Understanding Carleton College Student Directory Information and FERPA
Carleton College, like all educational institutions in the United States, operates under the guidelines of the Family Educational Rights and Privacy Act (FERPA) of 1974. This federal law grants students specific rights concerning their academic records, ensuring the privacy of their educational information. Understanding these rights is crucial for students to control who has access to their data.
What is an Education Record?
Your education record encompasses any file, document, or material related to you as a student that Carleton College maintains, or anyone acting on its behalf. These records can exist in various formats, both on paper and electronically.
FERPA and Student Rights
FERPA mandates that Carleton College obtain written consent from a student before releasing protected information from their education record to most third parties. This ensures students have control over their personal data.
Exceptions to Consent
While prior written consent is generally required, there are specific circumstances where Carleton College may release information from a student's record without their consent. These situations typically involve college officials, defined as Carleton employees or contracted third parties, whose roles are connected to a student's education, services, benefits, or residence at the College, or other tasks related to the College's functions.
Directory Information: What It Is and How to Control It
Carleton College maintains "directory information," which is considered information that would not be generally harmful or an invasion of privacy if disclosed. This information can be released without a student's written approval, though the College releases it rarely and only with appropriate justification. The specifics of what constitutes directory information are detailed in the College’s Student Handbook within the Student Records policy.
Read also: Carleton College Affordability
Suppressing Directory Information
Although the College may release directory information without explicit consent, students have the right to prevent its release. If a student wishes to prevent the release of all directory information, including for enrollment or athletic verification, they can suppress their directory information through Workday or by contacting the Dean of Students Office.
Data Governance at Carleton College
Data captured and maintained by various administrative offices at Carleton College is viewed as a College-wide resource. While this data may reside in different applications, spreadsheets, and databases, it is treated as a single logical resource with an integrated set of guidelines. The purpose of these guidelines is to promote optimal use of the College's data.
Principles of Data Management
The value of Carleton's data lies in its usability. Data that is unused due to factors such as poor documentation, errors, inadequate technical support, or unnecessary access restrictions has limited value. To maximize its value, Carleton aims to ensure that its data is well-documented, supported, accurate, accessible, and as lightly encumbered as legally, reasonably, and ethically possible. Where appropriate and feasible, data should also be centrally accessible to employees using standard software tools and methods.
Access to Data
The task of granting access to enter and maintain data in administrative systems typically falls to the office responsible for the relevant business process. For example, the Business Office manages invoices and is therefore responsible for deciding who can enter and maintain this data in the system of record. ITS or other system support personnel may set up security at the system level, but their role is to implement the decisions of the responsible office. Similarly, the task of granting access to extract data from a system typically falls to the office responsible for the business process in question.
Classifying Data: Public, Sensitive, and Protected
Carleton College classifies data into three categories: public, sensitive, and protected.
Read also: Navigating Carleton's Library
Public Data
Public data is information that the College is comfortable distributing to the general public. The department responsible for the data determines this classification. If multiple departments are involved, they must jointly classify the data. If they cannot reach a consensus, the data must be classified as sensitive data.
Sensitive Data
Sensitive data is information that is not classified as protected data but should not be distributed to the general public according to College practice. It is often acceptable to share sensitive data within the College when there is a legitimate educational purpose or specific business need.
Protected Data
Protected data consists of paper and/or electronic data that contains personally identifiable information concerning any individual and is typically regulated by local, state, or federal privacy regulations and/or voluntary College standards. Access to student records, a subset of protected data, is governed by privacy laws such as FERPA.
Handling Data: Security and Storage
Specific guidelines govern how data is handled to ensure its security and confidentiality.
Data Transmission
Any electronic transmission of protected or sensitive data must be encrypted. Public data does not require encryption during transmission or while at rest on a storage device.
Read also: Exploring Carleton College
Data Storage
Protected data may only be stored and shared by designated servers and applications. Generally, it may not be stored on workstation hard drives or unprotected external storage devices. Google Drive and Dropbox are sanctioned for storing protected data, provided that it is shared cautiously and that no public links are created. Sensitive data may be stored on general-purpose file and Web servers with appropriate access controls. Sensitive data stored on portable media must be encrypted, even if it is never intended to leave campus.
Employee Responsibilities
Employees at Carleton are required to sign a system request form to gain access to administrative systems. Printed matter containing protected or sensitive data must be shredded. CDs and DVDs must be physically destroyed.
Device Security
Electronic devices, including computer hard drives, USB flash drives, and mobile phones, can be difficult to wipe securely. Simply emptying a computer’s recycle bin does not actually delete file data.
Data Retention and Disposal
Proper retention and back-up of records is essential for conducting the business of the College, protecting its legal interests, preserving its history, and complying with applicable laws and regulations. The College is also obligated to preserve records in certain cases, such as when litigation is threatened or pending. To ensure efficiency and effective management of physical and digital storage resources, unneeded records should be disposed of in a timely manner. Each department is responsible for destroying the data that it originates or receives when the data is no longer needed.
Security Breaches
In the event of a suspected security breach involving sensitive or protected data, employees should immediately stop using the computer, avoid closing any open files or logging out, and disconnect from the network.
Mobile Device Security
All laptops, USB flash drives, or other portable devices that contain or are used to access sensitive or protected data must be encrypted. Before an employee plans to leave campus with sensitive or protected data, they should ensure that devices that contain or will likely contain such data are encrypted and have VPN access to any required on-campus servers. Employees must not transfer such data to their home computers or storage devices, except under special circumstances determined by ITS.
Software Purchases
Departments considering purchasing new software systems that store or access data should always contact ITS to discuss the purchase and decide whether or not the new system has potential data security issues. If the data is to be stored off-campus, information will need to be gathered from the vendor regarding its security standards and practices.
tags: #Carleton #College #student #directory #information
