Information Privacy and Security

What information is protected?

In general, protected data is non-public information about an individual, either student or employee. Examples include, but are not limited to, Social Security number, employee/student ID, private employee/student health information, passwords and PINs, student attendance and grade information, financial information, and financial aid information.

To request further training on information privacy and security, contact Staff and Organizational Development, 913-469-8500, ext. 4437.

Board policy: 424.01 Privacy Protection



FERPA

Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) of 1974, as amended, affords students certain rights with respect to their educational records. These rights include:

1. The right to inspect and review the student’s education records within 45 days of the day the college receives a written request for access.

A student should submit to the registrar a written request that identifies the record(s) the student wishes to inspect. The registrar will make arrangements for access and notify the student of the time and place where the records may be inspected. If the records are not maintained by the registrar, the student shall be advised of the correct official to whom the request should be addressed.

2. The right to request the amendment of the student’s education records that the student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.

A student who wishes to ask the college to amend a record should write the college official responsible for the record, clearly identify the part of the record the student wants changed, and specify why it should be changed.

If the college decides not to amend the record as requested, the college will notify the student in writing of the decision and the student’s right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the student when notified of the right to a hearing.

3. The right to provide written consent before the college discloses personally identifiable information from the student’s education records, except to the extent that FERPA authorizes disclosure without consent.

The college discloses education records without a student’s prior written consent under the FERPA exception for disclosure to school officials with legitimate educational interests. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibilities for the college. A school official is:

  • a person employed by the college in an administrative, supervisory, academic or research, or support staff position (including law enforcement unit personnel and health staff)
  • a person or company with whom the college has contracted as its agent to provide a service instead of using college employees or officials (such as an attorney, auditor, collection agent, verification agency such as the National Student Clearinghouse, course instructors not paid by the college, and the National Academy of Railroad Sciences personnel)
  • a person serving on the Board of Trustees
  • a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks

Upon request, the college may also disclose education records without consent or notification to officials of another school in which a student seeks or intends to enroll.

Items defined by the college as “directory information” may be released without a student’s written consent unless the student has provided written notification to the college that such information should not be released. The college designates the following to be directory information:

  • Student’s name
  • Address
  • Telephone number
  • E-mail address
  • Date and place of birth
  • Major fields of study and classification
  • Full or part-time status
  • Participation in officially recognized activities
  • Weight and height of an athletic team member
  • Dates of attendance
  • Degrees, awards, and honors received
  • Previous educational institutions attended

Students who wish to prevent disclosure of directory information must submit a Confidentiality Form to the Add/Drop desk in the Success Center (2nd floor Student Center).

4. The right to file a complaint with the U.S. Department of Education concerning alleged failures by the college to comply with the requirements of FERPA. The name and address of the office that administers FERPA is:

Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202-5901


GLB Act

Gramm-Leach-Bliley Act

The regulations under 16 CFR Part 314, published in May 2002 (May 23 Federal Register, p. 346484), stem from the Gramm-Leach-Bliley Act (the GLB Act or the Act) which was enacted in 2000 to repeal Depression-era restrictions prohibiting banks from engaging in “risky” financial practices under the Glass-Steagall Act.

The law mandates extensive new privacy protections for consumers. The GLB Act requires financial institutions to take steps to ensure the security and confidentiality of customer records, such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.

Colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the Act related to the administrative, technical and physical safeguarding of customer information.*

How does GLB differ from FERPA? Both the GLB Act and FERPA have specific requirements regarding privacy of customer financial information. The difference, however, is that the GLB Act has requirements pertaining to the actual administrative, technical and physical safeguarding of the customer financial information.

*Colleges and Universities Subject to New FTC Rules Safeguarding Customer Information. NACUBO Advisory Report 2003-01, January 13, 2003.

If you have questions about GLB, contact Susan Rider, manager, Business Office Services/Bursar, 913-469-8500, ext. 2439, srider@jccc.edu.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to improve the efficiency and effectiveness of the health care system. HIPAA protects individually identifiable health information (IIHI). All members of the JCCC workforce, including regular employees, temporary employees, volunteers, contractors or agents of JCCC who have access to IIHI are covered by HIPAA.

IIHI encompasses virtually all health information that JCCC acquires in its capacity as an employer, if the information can somehow be linked to an individual. This includes information related to health benefits, such as benefit enrollment data, claims and attachments, explanations of benefits, medical records, treatment summaries, return to work releases and any medical notes. It also includes health information related to FMLA, ADA, workers’ compensation, disability claims and sick leave requests.

Generally, IIHI is information, including demographic information collected from an individual, that:

  • is created or received by a health care provider, health plan or employer.
  • relates to the physical or mental health or condition of, or the provision of health care to, an individual, or the payment for the provision of health care to an individual.
  • identifies the individual or provides a reasonable basis to believe the information can be used to identify the individual.

Any employee medical information (such as return to work releases, physician restrictions and detailed sick leave reports that identify specific illnesses/injuries) that a department may have in its files should have been sent to the office of Human Resources for protection. This includes copies of original information a department may have already sent to Human Resources. That office will be solely responsible for the security and storage of this medical information (IIHI).

Report of absence (ROA) forms for sick leave that only provide the number of hours sick can still be maintained within the department. However, if an employee has provided detailed reasons as to why he or she was sick (e.g., back surgery, diabetes, acute or chronic illness), the information should be sent directly to Human Resources as it may be considered PHI. Timecards or ROA forms submitted by an employee should not contain any specific medical information.

Employees should now deliver any relevant medical information directly to the office of Human Resources. Employees will need to sign specific release forms in order for medical information to be disclosed. These forms are maintained in the office of Human Resources.

Any IIHI maintained within the department must be accompanied by a signed “Authorization for Release of Protected Health Information” form that has been approved by a designated HIPAA privacy official. A list of JCCC’s HIPAA privacy officials is maintained by Human Resources.

If you have questions about HIPAA, contact Becky Centlivre-Meinke, Human Resource Director, 913-469-8500, ext. 3267, bcentliv@jccc.edu.

Privacy

Private information should be shared only with individuals who are required to have the information in order to fulfill their job responsibilities, i.e., on a need-to-know basis. Beyond that, you also have an obligation to protect the data.

General tips for protecting data:

  • Always be aware of your surroundings, e.g., don’t discuss protected information in the cafeteria, hallway, open offices or on speakerphone.
  • Use e-mail wisely. Be aware that e-mail, by nature, is not secure and always think before you hit send (e.g., Is this going to the correct person? Should this information be password protected? Does the person need to know this information in order to fulfill his or her job responsibilities?)
  • Private information is not just what is on your computer. Printouts, reports, any piece of paper with private student or employee information must be carefully stored and disposed of (shredded). Protect the data by properly securing file cabinets and drawers, not leaving documents out on your desk while you are away and securing your office when it is not staffed.
  • Refer calls or other requests for any private information to designated individuals who have had safeguards training. Recognize any fraudulent attempt to obtain customer information and report it to your department head or the appropriate college contact. A list of contacts for each of the Acts is included at the end of this brochure.

If you suspect private information is compromised, immediately contact your supervisor to determine the appropriate parties to notify. The following contacts may be helpful:

  • Security Concerns: Public Safety, ext. 4112
  • Campus Emergencies: ext. 4111
  • Janelle Vogler, internal auditor, 913-469-8500, ext. 4574, jvogler@jccc.edu

General Computer Security

Today’s desktop workstations must be configured and used in a secure manner for two reasons. First, it is likely that some information housed on that computer is of a sensitive, confidential or proprietary nature. Therefore, only authorized individuals should have access to it. Liability may be incurred if information is not protected using generally accepted protection methods (“due diligence”) and that information is improperly disclosed. Second, the integrity of the system (operating system, application programs and data files) is critical. Applications must operate as expected, when expected, and the data they use must be complete and correct. The following guidelines will maximize the security of your workstation:

  • Your workstation should have a screensaver activated that is password-protected. The interval for activation should be between 3 and 5 minutes. This will provide adequate insurance against the walk-by use of workstations that are “up” (operating). Anyone with system administrator authority (i.e., a high security clearance) is strongly urged to comply with the lower end of this interval range. Most general users are comfortable with a 5-minute screensaver interval.
  • Do not allow file sharing (“shares”) on machines without securing them to authorized users only. Make certain object, device and file access controls are appropriate.
  • Ensure virus protection software is installed on your workstation and install updates on a regular basis. Updates for new viruses are generally made available every week. (Your software can be configured to be automatically updated.) Configure your virus software properly so that it actively scans all incoming objects for virus infections.
  • Do not allow anonymous access of any kind (e.g., FTP, dial-up) to your workstation. Public read-only data should be shared from a server location. FTP and dial-up access to a workstation should be protected with user authentication.
  • Ensure that you have adequate backups of files. Copy them to a secure server location or make floppy disk or zip drive backups and store them in a secure location.
  • Keep your operating system and application software up-to-date. Updates are available from vendors on a regular basis.
  • Always turn off workstations when not in use (e.g., overnight).
  • Routinely change your application passwords. The recommended interval for password changes is 60-90 days. Depending on your environment and the sensitivity of the data to which you have access, more frequent changes, such as every 30 days, may be warranted.
  • If you believe office keys have been lost, misplaced or stolen, recommend to your supervisor, department head or adviser that doors be re-keyed by Campus Services.
  • Never execute a program (“.exe” file) if you do not know what it is/does or if you do not trust the source. This is particularly the case for files that are sent to you via e-mail or are downloaded from a Web site you do not trust.
  • Investigate your workstation/drives on a regular basis to look for suspicious files. Use a naming convention for your files and a directory structure naming convention. Be sure to look for hidden files and directories.

For more information on protecting against spam, pop-up ads, viruses, worms, browser hijacking, adware, spyware and phishing, see the document Protecting Yourself and Your Computer. You will need Adobe Reader to open the file.

Passwords

Individuals are responsible for all activity occurring as a result of the use of their username and password on any system. A user account that becomes compromised could affect the user’s privacy and the privacy of other users.

The use of a single username and password by multiple individuals is prohibited. Passwords should be treated as confidential information. Individuals should not give their password to another person, including IT staff, administrators, superiors, co-workers, friends or family members, under any circumstances. Do not use the “Remember my password” feature on Web sites or applications.

Passwords should not be transmitted electronically over an unencrypted network or via e-mail. Passwords should not be kept in an unsecured written format, either on paper or electronically. If passwords must be kept in written format, they should be stored in a controlled access location. Hardcopy lists of passwords should be stored in a combination safe or other controlled access location. Electronic lists of passwords should be stored in an encrypted file.

The following is a list of common password problems. You should avoid these types of passwords:

  • Proper names, especially your name, your pet’s name or any family member’s name.
  • Numbers based on personal information. Your address, birth date, Social Security number, VISA credit card number, license plate number or your phone number are examples of bad passwords.
  • Passwords that are the same as your login ID or username.
  • Words that exist in any dictionary or are publicly known slang or jargon.
  • Passwords based on publicly known fictional characters from books or films.
  • Information about you that can be easily obtained. Don’t use your make of car, the street you live on or where you graduated.
  • Common keyboard patterns like qwerty.
  • A password that contains all or part of the previous password.
  • A password that is a simple reversal of characters using any of the above examples.
  • A password that is too difficult for you to remember and forces you to write it down.

Here are a few guidelines for creating a secure password. Be creative! Try to choose a pattern that has meaning for you, but that no one else can guess.

  • Password length should be at least six characters; eight is recommended.
  • Mix upper and lower case alphabetic characters and use at least one digit and at least one punctuation character.
  • Create an acronym from a phrase. Example: mdhf$34 (My dog has fleas)
  • Combine two or more words and substitute numbers for letters. Example: Blu3c@rt (blue cart)
  • Use a long word and only use the first six characters. Example: Unbrea!89 (Unbreakable)
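
The password problems and guidelines listed above, together with the Network Domain requirement stated further down this page (eight or more characters, at least one number and one non-alphanumeric symbol), can be checked automatically when a password is changed. The following is an added example, not code from JCCC or its systems; the function names, the fragment and keyboard-run lengths, and the sample word list are assumptions made for illustration.

```python
import re

# Constructed sample word list (assumption); a deployment would load a full
# dictionary plus local terms such as the institution's name.
SAMPLE_DICTIONARY = {"password", "welcome", "college", "dragon", "unbreakable"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_run(pw, run=5):
    """True if pw contains `run` adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def shares_fragment(new, old, n=4):
    """True if any n-character fragment of the old password reappears in the new one."""
    new, old = new.lower(), old.lower()
    return any(old[i:i + n] in new for i in range(len(old) - n + 1))


def check_password(candidate, username, previous=None, personal=(),
                   dictionary=SAMPLE_DICTIONARY):
    """Return a list of rule violations; an empty list means the candidate passes."""
    problems = []
    low = candidate.lower()
    both_ways = (low, low[::-1])  # the page also rejects simple reversals

    # Composition rules: Network Domain requirement plus the mixed-case guideline.
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no non-alphanumeric symbol")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("does not mix upper and lower case")

    # Guessable content: login ID and personal details, forwards or reversed.
    if len(username) >= 3 and any(username.lower() in s for s in both_ways):
        problems.append("contains the username")
    for item in personal:
        if len(item) >= 3 and any(item.lower() in s for s in both_ways):
            problems.append("contains personal information")
            break

    # Alphabetic core, e.g. "Password1!" -> "password"; digit-for-letter
    # substitutions such as "Blu3c@rt" are left alone, as the page recommends them.
    letters = re.sub(r"[^a-z]", "", low)
    if letters in dictionary or letters[::-1] in dictionary:
        problems.append("dictionary word")
    if has_keyboard_run(candidate):
        problems.append("keyboard pattern")
    if previous and shares_fragment(candidate, previous):
        problems.append("reuses part of the previous password")
    return problems
```

Comparing against the previous password requires that the user supply it during the change, as the change forms on this page do; it should not be read back from storage.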

Following are specific directions for changing passwords:

MyJCCC, Banner and Imaging (faculty and staff):

  • Log into MyJCCC.
  • At the main MyJCCC page, select My Account.
  • Enter your current password in the Current Password field.
  • Enter your new password in the New Password field.
  • Enter your new password again in the Confirm Password field.
  • Click the Save Changes button.
  • The new password is now in effect for Banner, imaging and MyJCCC.

Network Domain:

  • Log into Campus Pipeline.
  • Select the JCCC Applications tab.
  • Open the General menu item.
  • Select the Network Password Utility option.
  • Select the Change My Password option on the right-hand side of your screen.
  • Enter your current password in the Current Password field.
  • Enter your new password in the New Password field.
  • New passwords must be eight or more characters long and contain at least one number (0-9) and one non-alpha-numeric symbol (#,&,*, etc).
  • Enter your new password again in the Re-enter New Password field.
  • Click the <Save> button to complete.
  • Wait 5 minutes.
  • The new password will take effect the next time you log in to the network.

PIN Change for Viewing Direct Deposit (faculty and staff):

  • Log into MyJCCC.
  • Select the EASI links option under the EASI menu or click on the EASI tab.
  • Select Employee.
  • Select Change PIN.
  • Enter your current PIN in the Enter Old PIN field.
  • Enter your new PIN in the Enter New PIN field.
  • Enter your new PIN again in the Re-enter New PIN field.
  • Click the Change PIN button.
  • Log out. The new PIN will take effect the next time you are prompted to enter your PIN.

Generated IDs

Each college employee has a JCCC-generated ID for his or her own protection. Read this excerpt from the Federal Trade Commission on identity theft: http://www.consumer.gov/idtheft/.

By using the JCCC ID on forms instead of your Social Security number (SSN), you minimize the chance of your SSN being compromised. Examples of forms where the JCCC ID is appropriate are:

  • Travel authorizations
  • Report of absence forms
  • Expense reimbursement forms
  • Key request forms

Many of these forms have been edited to reflect the change to the JCCC ID number. However, many departments are using up old stock. In these cases, you can substitute your JCCC ID in the space marked SSN. Some situations still do require a SSN, such as certain payroll or human resources forms. When in doubt, consult the recipient of the form for direction.

A word of caution: If copies of any forms containing SSNs are still being stored in your department, they must be stored responsibly. In some cases they don’t need to be kept at all; always consult your departmental records retention policy. In those cases where the documents are to be discarded, even if the form itself isn’t of a confidential nature, the SSN is. Any documents containing SSNs should be securely shredded.

Finally, if you don’t remember your JCCC ID, click on the "What’s my User Name or JCCC ID?" link in the upper right-hand corner of the college home page, then click the "Look up JCCC ID" link located in the pop-up window.

"How can someone steal your identity? Identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes.

"Identity theft is a serious crime. People whose identities have been stolen can spend months or years - and their hard-earned money - cleaning up the mess thieves have made of their good name and credit record. In the meantime, victims may lose job opportunities, be refused loans, education, housing or cars, or even get arrested for crimes they didn't commit."
