Policy Number: I-13
Last Reviewed: January 17, 2013
Responsible Dept.: Dean of Student Services/Registrar
Virginia Western Community College (VWCC) protects the security, confidentiality and integrity of student records and maintains security measures to protect and back-up data. VWCC ensures the confidentiality, accuracy and protection of student educational records by following the requirements of Family Education Rights and Privacy Act of 1974 and the Virginia Community College System Policy (Section 6.2.7 http://myfuture.vccs.edu/0/ContentAreas/PolicyManual/Sec6.pdf) In addition, VWCC adheres to the Commonwealth of Virginia Information Technology Standard ISO27000 (ISO 27000) which ensures the security and confidentiality of all information.
VWCC has access to electronic student records and stores physical student information records. Electronic records are maintained within the Virginia Community College System's (VCCS) centrally housed PeopleSoft Student Information System (SIS). The information is protected in accordance with the requirements outlined in ISO27000. The VCCS maintains a "mirrored snap shot" of all SIS data at the Greenfield Center in Botetourt County. All student records are encrypted and sent daily to the Greenfield Center VCCS disaster site.
Physical student records are maintained in fire proof cabinets in a secured/gated room inside the Records Office located in Chapman Hall, which is also locked when the Records Office is not open for business. During hours of operation, the Records Office is always staffed to insure records security. The student records contain such items as: application for admission, grade change forms, experiential credit forms, transcripts, transcript requests, plan changes, change of personal information, advanced standing credit, administrative withdrawals, etc. The college follows the Commonwealth of Virginia Records Retention and Disposition Schedule for the retention and disposal of public records. Student records are maintained and disposed of in accordance with General Schedule 111 for College and Universities. Requests for disposal must be documented on an RM3 disposal form, as required by the Library of Virginia Public Records Management Manual, approved by the supervisor/manager of the college department and the Vice President of Finance, who serves as the Records Manager for the college. To assist the college in the proper disposal of college records and disposition of "sensitive data" the college utilizes the services of CINTAS.
All college new hires are notified that FERPA training is required during their new hire orientation. An e-mail is sent to the college community every semester by the Registrar outlining FERPA requirements and how to identify blocks on release of information. Directory information may be released upon request at the discretion of the college. See information regarding FERPA in College Catalog at http://www.virginiawestern.edu/catalog/08-Admissions.pdf. Directory information includes: student name, address, e-mail address, telephone number, dates of attendance, number of credit hours enrolled, grade level, major field of study, degrees received, awards and honors, most recent educational institution, participation in clubs and activities, and weight/height of members of athletic teams. Although these items have been deemed directory information, faculty and staff will avoid releasing a student's address or telephone number without written authorization.
Administrators, academic advisors, faculty and classified staff who need to see student records to assist in the student's academic pursuits may have access to the records after the completion of a Security Access Request Form which requires the approval of the employee's supervisor and the VWCC student records data owner. If job responsibilities change or employment is terminated, either a change in access is completed or all access is deleted. All access is reviewed annually in compliance with ISO27000 to ensure access is required and necessary for each employee.
If a security breach occurred, VWCC would follow the VWCC Threat Management Information Security Incident Handling guideline which is part of ISO27000. The nature and severity of the information security incident would be accessed and the Incident Response Team would be informed of the potential breach of student information. An Incident Reporting Form would be completed and all procedures within the Threat Management guideline would be followed.
To reiterate the need to maintain the integrity, confidentially and security of student records, sections of the College Catalog, Student Handbook and Faculty Handbook address this and faculty and staff are expected to adhere to these standards and guidelines. Links to the various locations of this information in these publications are provided below.
We use VW Alert to immediately contact you during a major crisis or emergency.