Policy Number: I-13
Last Reviewed: November 12, 2020
Responsible Dept.: Dean of Student Affairs/Registrar
A signed copy of this policy is available in the President’s Office.
Virginia Western Community College (VWCC) protects the security, confidentiality and integrity of student records and maintains security measures to protect and back-up data. VWCC ensures the confidentiality, accuracy and protection of student educational records by following the requirements of Family Education Rights and Privacy Act of 1974 and the Virginia Community College System Policy (Section 6.2). In addition, VWCC adheres to the Commonwealth of Virginia Information Technology Standard ISO27000 (ISO 27000) which ensures the security and confidentiality of all information.
VWCC has access to electronic student records and stores physical student information records. Electronic records are maintained within the Virginia Community College System’s (VCCS) centrally housed PeopleSoft Student Information System (SIS). The information is protected in accordance with the requirements outlined in ISO27000. The VCCS maintains a “mirrored snap shot” of all SIS data at the Greenfield Center in Botetourt County. All student records are encrypted and sent daily to the Greenfield Center VCCS disaster site.
Physical student records are maintained in fire proof cabinets in a secured/gated room inside the Records Office located in Chapman Hall, which is also locked when the Records Office is not open for business. During hours of operation, the Records Office is always staffed to insure records security. The student records contain such items as: application for admission, grade change forms, experiential credit forms, transcripts, transcript requests, plan changes, change of personal information, advanced standing credit, administrative withdrawals, etc. In accordance with the Commonwealth of Virginia Records Retention and Disposition Schedule in the Virginia Public Records Management Manual, hard copy data is maintained for three years after the student’s last date of attendance; electronic data is not purged. Disposal of student records is handled through CINTA security services.
All college new hires are notified that FERPA training is required during their new hire orientation. An e-mail is sent to the college community every semester by the Registrar outlining FERPA requirements and how to identify blocks on release of information. Directory information may be released upon request at the discretion of the college. See information regarding FERPA on the college website at: https://www.virginiawestern.edu/get-started/student-records/right-to-privacy/. Directory information includes: student name, address, e-mail address, telephone number, dates of attendance, number of credit hours enrolled, grade level, major field of study, degrees received, awards and honors, photos, most recent educational institution, participation in clubs and activities, and weight/height of members of athletic teams. Although these items have been deemed directory information, faculty and staff will avoid releasing a student’s address or telephone number without written authorization.
Administrators, academic advisors, faculty and classified staff who need to see student records to assist in the student’s academic pursuits may have access to the records after the completion of a Security Access Request Form which requires the approval of the employee’s supervisor and the VWCC student records data owner. If job responsibilities change or employment is terminated, either a change in access is completed or all access is deleted. All access is reviewed annually in compliance with ISO27000 to ensure access is required and necessary for each employee.
If a security breach occurred, VWCC would follow the VWCC Threat Management Information Security Incident Handling guideline which is part of ISO27000. The nature and severity of the information security incident would be accessed and the Incident Response Team would be informed of the potential breach of student information. An Incident Reporting Form would be completed and all procedures within the Threat Management guideline would be followed.
To reiterate the need to maintain the integrity, confidentially and security of student records, the college website, Student Handbook and Faculty Handbook address these issues and faculty and staff are expected to adhere to these standards and guidelines. Links to the various locations of this information in these publications are provided below.