The institution protects the security, confidentiality, and integrity of student records and maintains special security measures to protect and back up data.


Compliance Judgment:  In compliance

Narrative

East Carolina University (hereafter, ECU or the institution) protects the security, confidentiality, and integrity of its student records by adhering to the federally-mandated Family Educational Rights and Privacy Act (FERPA).   ECU stores a variety of student information which includes data from sources such as admissions (including demographics, test scores, prior education and application information), academic history (including student curriculum, ECU and transfer courses, grades, and advisors), and financial aid information. 

Complying with FERPA, East Carolina University and the ECU Office of the Registrar do not provide confidential information pertaining to students without one of the following: (1) Written consent from the student. This is done electronically through ECU OneStop. Students log in with their ECU Pirate ID and passphrase and click on BUCKLEY FORM to give authorization for third parties (including parents) to access their student record; or (2) Visual confirmation (by way of a copy of an income tax form) that the parent(s) claim the student on the most recent tax return. All financial information may be suppressed, but the student's name and social security number must be listed under the dependents section of the most recent Federal Income Tax Form 1040 or 1040A.

In addition to complying with FERPA, ECU also follows appropriate policies regarding the handling and purging of student records. The university’s business manual details a comprehensive records retention and disposition schedule that adheres to the University of North Carolina (UNC) records retention and disposition schedule.

Faculty and staff are trained regarding policies on the confidentiality, integrity, and security of student records.  Prior to obtaining access to the student information system, faculty and staff are required to take, and pass with 100% accuracy, a FERPA tutorial available on the ECU portal. 

East Carolina University recognizes the importance of student record security in an environment where digital records form the bulk of student records and therefore require diligence to protect the security, confidentiality, integrity and availability of student records. The institution employs strict security measures, policies, standards and guidelines in our ongoing effort to protect information resources, including student records.

The Academic Computer Use Policy and the University’s Student and Staff Computer Use Policy govern users of ECU computer systems, including hardware, data, software, and communication networks. The Information Security website is the source for users of the institution’s computer systems on required standards, information security policies, and guidelines designed to protect information resources. The ECU information security website also contains information about sensitive data protection, password management, encryption, identity theft, and security awareness, as well as responses to frequently asked questions.

The Privacy of Student Educational Records Policy ensures that the institution administers student educational records in accordance with the provisions of FERPA. The policy also protects the confidentiality of personally identifiable information in student records. The policy is published in the Faculty Manual, Part VI, Section IV.IB. The undergraduate and graduate course catalogs describe the academic regulations that address the use of student records (including both grades and transcripts).

East Carolina University has a written procedure for protecting the privacy of students enrolled in distance and correspondence courses or programs.  The institution’s FERPA Regulation includes the following: 

    5.4              Procedures for Protecting the Privacy of Students Enrolled in Distance or Correspondence Courses or Programs

 

5.4.1           East Carolina University recognizes the importance of maintaining the privacy and security of student identity and student records in an environment of computer networked, digital records storage. ECU is diligent in protecting the security, confidentiality, integrity and availability of all student records including student identity. The University employs strict, standard security measures, policies, standards and guidelines in our ongoing effort to protect information resources, including student records. Student personal information is protected through a variety of measures, including the administration of policy and security practices that govern the PirateID and passphrase associated with accessing ECU’s OneStop Portal, the online system that houses student grades, Blackboard, Centra, and other services that support the educational process at ECU. Students are required to have a strong passphrase that is resistant to “hacking.” Students must reset their passphrase every 90 days and not reuse the account’s previous six passphrases. When students use their PirateID and passphrase to access information through OneStop and the university’s learning management systems, including Blackboard and Centra, their login credentials are encrypted for additional security. All mission-critical University systems, including student records, are maintained on network servers in the University’s enterprise data center. The enterprise data center employs state of the art layered security controls and physical access controls. Users of information systems are prohibited from accessing data or programs for which they are not authorized.

 

The relevant federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), and the Gramm-Leach-Bliley Act, are available online on the IT Compliance and Regulations web page. The management of Personally Identifiable Information (PII) contained in student records is governed by the University Policy on Social Security Numbers (SSN) and Personally Identifiable Information. ECU’s Information Security Officer chairs the University Identity Theft Protection Committee (ITPC), which oversees ECU's compliance with this policy in regard to the collection, segregation, disclosure, and security of SSNs and PII and the development of related policies. The ITPC is comprised of representatives from each division (academic affairs, health sciences, research and graduate studies), as well as members from the Office of the University Attorney, the Chief Information Officer (CIO), the Office of Internal Audit, and the Office of Enterprise Risk Management. It is the policy of ECU to protect the confidential nature of social security numbers, and toward that end, ECU discontinued the use of the SSN as an individual’s primary identification number and replaced it with a unique identifier.


Paper records stored within the Office of the Registrar are in a secure locked area. The building where the Office of the Registrar resides is secured using electronically locked doors to the outside of the building. Historical student information, collected prior to the creation of an electronic student information system, is maintained in a secure room with limited access. Only Registrar staff are allowed access to this area; any other access requires prior approval, and all access is logged. Microfilm containing student records is secured in a locked fireproof safe in the secure location, also with limited access.

 

All of ECU’s critical systems, including student records, are maintained on network servers in the institution’s enterprise data center. The enterprise data center employs state-of-the-art layered security controls and physical access controls. Critical systems are backed up nightly to ensure availability of student records for data recovery and business continuity. A comprehensive Disaster Recovery Plan is in place, containing the policy, organization, tasks, responsibilities, and instructions required to respond should an emergency or disaster occur. This plan is tested and updated annually. Annual IT Risk Assessments are performed to identify threats to information resources, and additional controls are created to mitigate those threats.

 

Individuals requiring access to student information (stored in ECU’s Banner Application Administrative Student system) must log in through a secure login process requiring a unique user ID and password. These individuals must also complete FERPA training and be approved for access through the Banner Security Request Application. Terminated employees' access is removed upon termination, and access reviews are conducted semi-annually. Banner policies can be found on the IT Policy at ECU web page. The passphrase must conform to industry and institution standards established in regard to length, type, and number of symbols and characters. Dependent upon job responsibility, the user is authenticated and granted the appropriate level of access to the data. Access by students to these services is controlled via the secure login profile established by each eligible user. The profiles and unique identifiers are maintained in a secured Banner Application database that employs industry standard security controls. Users of information systems are strictly prohibited from accessing data or programs for which they are not authorized.

 

Additional information requiring log-in (and available upon request) is listed in the table below:

 

Account Termination Policy

Banner User Account Review Procedure

Change Management Procedure (4.800)

Cotanche Data Center Physical Security Procedure (7.800)

Data backup procedures Enterprise Storage Backup Procedure 500.34

ECU Disaster Recovery Plan 2011

Information Technology Policy and Procedure Manual

Migration of Production Data (6300)

Migration of Production Data (6400)

Sensitive Data Guidelines

Security Incident response

Tape Backup Procedure (8.300)                                

University IT Risk Assessment Plan

 

 

In summary, East Carolina University protects the security, confidentiality, and integrity of student records and maintains special measures to protect and back up data.

 

 

Documentation

 

| Reference Title | Location |
| --- | --- |
| Academic Computer Use Policy | Academic Computer Use Policy |
| Banner Application Administrative Student System | ECU Banner |
| Banner Security Request Form | Security Form |
| Faculty Manual, Part VI | Faculty Manual part6 |
| Faculty Manual, Part VI, Section IV.IB | 3.9.2 Student Privacy Policy - Privacy of Student Educational Records |
| FERPA Regulation | 2012_05_22__FERPA-PRR_2 |
| Graduate Catalog: Student Records | grad - student records |
| Information Security Website | Information and Security Website |
| IT Compliance and Regulations web page | IT Compliance and Regulations web page |
| IT Policy at ECU web page | IT Policy at ECU web page |
| Passphrase | Password |
| Privacy of Student Educational Records Policy | 3.9.2 Student Privacy Policy - Privacy of Student Educational Records |
| Undergraduate Catalog: Student Records | ugrad - student records |
| University of North Carolina (UNC) Records Retention and Disposition Schedule | UNC records retention and disposition schedule |
| University Policy on Social Security Numbers (SSN) and Personally Identifiable Information | Social Security Numbers |
| University’s Business Manual | University Business Manual |
| University’s Student and Staff Computer Use Policy | Student and Staff Computer Use Policy |