Roane State Community College

1. Sensitive Information is defined as any information that provides PII on a Roane State Community College (RSCC) student, faculty, or staff member. PII is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. This includes, but is not limited to, information such as social security number, date and place of birth, and mother’s maiden name. Directory information is determined by each intuition and is not considered PII.
2. Portable Mass Storage Device is defined as any device which can transport digital files outside the internal storage device of a Roane State computer or network. They include such devices as floppy disks, CD/DVD’s, flash drives, zip drives, or external hard drives.
3. Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as cipher text). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g., “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e., to make it unencrypted).
4. Data Custodians are the people who are responsible for oversight of PII in their respective areas of college operations.
5. The Data Custodian (also called a Data Steward or Data Owner) is the person who has administrative control and has been officially designated as accountable for a specific information asset or dataset. This person would determine who has access to what data and IT implements the controls to match.Data Custodians are the people who are responsible for oversight of PII in their respective areas of college operations.
6. Minimum Necessary is the standard that defines that the least information and fewest people should be involved to satisfactorily perform a particular function.
7. Personally Identifiable Information (PII) – Information that has not been lawfully made publicly available and which can be used to distinguish or trace an individual’s identity, such as their social security number (SSN), driver’s license, or biometric records, alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. Certain privacy laws, and policies based on those laws, may use a different definition of PII.
8. Directory Information, as defined by Federal and State law and institutional policy, will be published following the guidelines defined by the specific law.

1. Members of the TBR community shall employ reasonable and appropriate administrative, technical, and physical safeguards to protect the integrity, confidentiality, and security of all personally identifiable information, irrespective of its source or ownership or the medium used to store it.
2. All individuals who dispense, receive, and store PII have responsibilities to safeguard it.

3. Objectives

   1. To enhance individual privacy for members of RSCC community through the secure handling of PII.
   2. To ensure that all members of the RSCC community understand their obligations and individual responsibilities under this policy by providing appropriate training that shall permit the RSCC community to comply with both the letter and the spirit of all applicable privacy legislation.

   3. To increase security and management of social security numbers (SSNs) by:

      1. Instilling broad awareness of the confidential nature of the SSNs;
      2. Establishing a consistent policy about the use of SSNs; and
      3. Ensuring that access to SSNs for the purpose of conducting RSCC business is granted only to the extent necessary to accomplish a given task or purpose.
      4. To reduce reliance on the SSN for identification purposes as much as possible.
   4. To comply with all payment card industry (PCI) standards.
   5. To comply with any other applicable and required standards, regulations and/or laws.
   6. To comply with Family Educational Rights and Privacy Act of 1974 (FERPA).
4. Data custodians are responsible for oversight of PII in their respective areas of college operations. Activities of these officials are aligned and integrated through appropriate coordination among these cognizant college officials.

Scope
This policy applies to all members of the RSCC community, including all full and part time employees, faculty, students and other individuals such as volunteers, contractors, consultants, other agents of the college whose work gives them custodial responsibilities for PII.

Policy Requirements
Data Custodians are college officials responsible for each of the following areas:

1. Student records
2. Financial aid records
3. Alumni and donor records
4. Employee records
5. Purchasing and contracts
6. Public safety or campus police

Personally Identifiable Information

1. PII may be released only on a minimum necessary basis and only to those individuals who are authorized to use such information as part of the official college duties, subject to the requirements:

   1. That the PII released is narrowly tailored to a specific operational or business requirement;
   2. That the information is kept secure and used only for the specific operational purposes for which authorization was obtained; and
   3. That the PII is not further disclosed or provided to others without proper authorization.
2. PII may be provided to and handled by third parties, including cloud service providers, with the strict requirement that the information be kept secure and used only for a specific purpose set out in the contract authorizing use of the information.

3. Exceptions to this policy may be made only upon specific requests approved by the cognizant college official responsible for such information as specified in this policy and only to the degree necessary to achieve the mission and operational needs of RSCC.

   1. Exceptions made must be documented, retained securely, and reviewed periodically by the appropriate college official or designee.
   2. Exceptions may be modified or eliminated based on this review and shall be documented and retained for auditing purposes.
4. Directory information, as defined by Federal and State law and college policy, will be published following the guidelines defined by the specific law.
5. RSCC may share information coverer by FERPA only as permitted by FERPA and applicable policy. The college must notify students annually of their rights under FERPA.
6. Information that has been collected that conforms to the HIPAA standards of identification on anonymization is not PII.

Government-Issued Personal Identifiers (Provision of Information)

1. TBR institutions collect SSNs:

   1. When required to do so by law;
   2. When no other identifier serves the business purpose; and
   3. When an individual volunteers the SSN as a means of locating or confirming personal records.
   4. In other circumstances, individuals are not required to provide their SSN verbally or in writing at any point of service, nor are they to be denied access to those services should they refuse to provide a SSN.

2. Release of SSNs - SSNs will be released to persons or entities outside the college only:

   1. As required by law;
   2. When permission is granted by the individual;
   3. When the external entity is acting as the college’s authorized contractor or agent and attests that no other methods of identification are available, and reasonable security measures are in place to prevent unauthorized dissemination of SSNs to third parties; or
   4. When the TBR Office of General Counsel has approved the release.

3. Use, Display, Storage, Retention, and Disposal

   1. SSNs or any portion thereof will not be used to identify individuals except as required by law or with approval by an RSCC official for a college operation purpose.
   2. The release or posting of personal information, such as grades or occupational listings, keyed by the SSN or any portion thereof, is prohibited, as is placement of the SSN in files with unrestricted access.
   3. SSNs will be transmitted electronically only for operational purposes approved by RSCC officials responsible for SSN oversight and only through secure mechanisms.
   4. The data custodians who are responsible for SSNs will oversee the establishment of procedures for the use, display, storage, retention, and disposal of any document, item, file, or database which contains SSNs in print or electronic form.

4. Non-SSN Government Issued Identifiers

   1. In the course of its business operations, the college has access to collect and use non-SSN government issued identifiers such as driver’s licenses, passports, HIPAA National Provider Identifiers, Employee Identification Numbers (EIN), and military identification cards, among others.
   2. The college shall follow the minimum necessary standard and strive to safeguard these identifiers.

RSCC ID Number

1. Assignment Eligibility and Issuance

   1. The RSCC ID is a unique identifier assigned by the college to any entity that requires an identifying number in a college system or record.
   2. A college ID is assigned at the earliest possible point of contact between the entity and the college.
   3. The college ID is associated permanently and uniquely with the entity to which it is assigned.

2. Use, Display, Storage, Retention, and Disposal

   1. The RSCC ID is considered PII by the college, to be used only for appropriate operational purposes.
   2. The RSCC ID is used to identify, track, and serve individuals across all college electronic and paper data systems, applications, and business processes throughout the span of an individual’s association with the college and presence in RSCC’s systems or records.
   3. The RSCC ID is not to be disclosed or displayed publicly by the college, not to be posted on the college’s electronic information or data systems unless the college ID is protected by access controls that limit access to properly authorized individuals.
   4. The release or posting of personal information keyed by the college ID, such as grades, is prohibited.
   5. Any document, item, file, or database that contains college IDs in print or electronic form is to be protected and disposed of in a secure manner in compliance with data retention rules.

Other Externally Assigned Identifiers and Other PII Information
The college shall follow the minimum necessary standard and strive to safeguard any externally assigned identifiers which may be collected.

Responsibility for Maintenance and Access Control

1. College IDs are maintained and administered by the appropriate college office in accordance with this policy. Other college offices may maintain and administer electronic and physical repositories containing personal identification numbers for uses in accordance with this policy.
2. Access to electronic and physical repositories containing PII shall be controlled based upon reasonable and appropriate administrative, physical, technical, and organizational safeguards.
3. Individuals who inadvertently gain access to a file or database containing PII should report it to the appropriate authority.
4. All paper documents with PII must be under lock and key or otherwise securely stored.
5. Document retention policies dictate schedules for PII deletion and/or destruction. Proper disposal of PII shall involve cross-cut shredders (for paper), securely wiping/deleting data (for digital information) and other information security approved methods of eliminating this data.

Enforcement
Violations of the policy resulting in misuse of, unauthorized access to, or unauthorized disclosure or distribution of personal identification numbers may subject individuals to legal and/or disciplinary action, up to and including the termination of employment or contract with the college or, in the case of students, suspension or expulsion from RSCC.

Responsible Party
The CIO of Information Technology shall be responsible for development and maintenance of this policy for issuance by the VP of Business and Finance.