Comprehensive Standard: The institution protects the security, confidentiality, and integrity of its student records.
[X] Compliance
[ ] Partial Compliance
[ ] Non-Compliance
Georgia State University is in compliance with the Federal Trade Commission (FTC) Safeguards Rule, which requires institutions to implement an Information Security Program. [1] Multiple IT policies protect the security, confidentiality, and integrity of student records at GSU. [2] [3] [4]
Individuals requiring access to information must log in through a single secure login process. The user is authenticated and then granted access to the data using industry-standard security controls (unique identifiers and passwords). Access by students to these services is controlled through the secure login profile established by each eligible user. Profiles and unique identifiers are maintained in a secured database or server that follows industry standards for the creation of usernames and passwords. [5] Passwords must conform to the industry and university standards for length, and for the type and number of symbols and characters. Where appropriate or necessary, data passed over the Internet through the web applications for faculty, staff, or students is encrypted.
Georgia State University follows the official archive and security measures published by the American Association of Collegiate Registrars and Admissions Officers. All student data subject to the Family Educational Rights and Privacy Act (FERPA) reside in electronically and physically secured databases and servers, or in secure, fireproof filing cabinets. Designated data custodians oversee the security and authorization process. [6] As part of that process, individuals are granted one of several levels of access authority, ranging from limited to broad access (view-only, update, or both), depending on their job or role. During approval, the data custodian determines the level of access and the data sets for which the individual will be authorized, relative to the position and function of the individual as indicated on the request form. [7]
Student academic records are maintained in the University's computer-based Banner Student Information System, provided and maintained by the University Information Systems and Technology department. The student system as installed at GSU includes integrated modules for student admissions, student records, registration, financial aid, student billing, student accounts receivable, and degree audit. The student system provides extensive edit checks to ensure the completeness and accuracy of data entered both online and through batch transactions.
The university network drives are automatically backed up each night. University policy encourages all staff to save their university information and files to the network drive, so that university data is saved to tape and is recoverable in the event of lost files. [8]
Student system access for administrative users is granted on the basis of formal management approval and the user's position responsibilities. Banner administrative user access is controlled by standard system access profiles prescribed by GoSOLAR management personnel for the various user categories. [9] Administrative users of the Banner system are informed of the Family Educational Rights and Privacy Act (FERPA) requirements on the form used to request electronic access.
The University Registrar is the designated data steward for student records and the Banner systems. Designees (Banner systems management personnel) restrict access to sensitive system functions and capabilities to the smallest practical number of administrative users. [6] College and enrollment services administrators must approve all requests for student data for use by an internal or external party. Administrative users are required to sign a data confidentiality statement as part of their job acceptance and when requesting student data.
Web-based access by students to their records requires a Secure Sockets Layer (SSL) connection across the Internet (128-bit encryption). This access requires authentication using a personal identification number selected by the student. [10] Students can also request that certain information be suppressed. [11] Student electronic access to academic and student financial information displays the student's name but does not show the student's personal identification number.
Access to student academic information is restricted to those permitted by University policy to have it. Access to student electronic records is granted only for the purposes of employment, verifying status or grades under special provisions for student organizations, and student organization discipline procedures. All staff with access to electronic records are trained in proper access procedures. [12]
International Student & Scholar Services (ISSS) maintains confidential immigration files on each F or J status international student, as required by federal immigration regulations. Student files are accessible only to office staff acting in their role as the University's Designated School Officials (DSO) or Responsible Officers (RO) when reporting to the Department of Homeland Security (DHS). Physical files are locked at the end of each day, and access to students' online immigration records is restricted by DHS to the designated DSOs and ROs.
Student conduct records and hardship withdrawal records are maintained by the Office of the Dean of Students in compliance with the Family Educational Rights and Privacy Act (FERPA). These hard-copy student records are kept in locked file cabinets with access restricted to faculty and staff who have a legitimate educational interest. Students who request that their records be released to others must sign an Authorization for Release of Records and Information form. The Office of the Dean of Students' confidentiality training, a requirement for handling student records, emphasizes staff responsibility and the consequences of violating confidentiality requirements.
University Housing maintains student housing records in a locked file room with access restricted to staff who have a legitimate educational interest. University Housing also requires confidentiality training for staff who handle student records.
Student medical records are maintained by the University Health Clinic in accordance with FERPA and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Inactive records are scanned into a secure software program, and the hard copies are destroyed by a HIPAA compliant shredding company. Access to active records is restricted to clinic staff who have a medically necessary interest. The medical records are kept in a secure area, away from the flow of patient activity. Students requesting a copy of their medical records must complete a medical information release form or a sensitive medical information release form prior to the release of the records.
The Counseling Center maintains client files (paper student records) in locked file cabinets in the front office area, a centralized location with a locking door. When the Counseling Center is closed, the front office area is locked and covered by a locked metal gate. No client files are kept in individual offices. The Counseling Center also maintains student records in a computerized client records system, Titanium Schedule, which is stored on a secure, dedicated MS SQL Server accessible only to designated Counseling Center staff. The server is maintained by the university's computer file server department, which must follow university confidentiality policies for the maintenance and backup of data. This arrangement allows the application to access the data without users having direct access to the data files. Data flows over a fixed, dedicated network drive that is accessible only to Counseling Center personnel who have been granted access by the Counseling Center's Titanium Administrator. Titanium Schedule has HIPAA-compliant features such as required user names and passwords, internal security levels, login audit trails, and inactivity timeouts.
Medical documentation, intake information, scholarship applications, letters of accommodation, and requests for individualized testing accommodations for students with disabilities are deemed confidential under the Americans with Disabilities Act and Section 504 of the Rehabilitation Act and are maintained by the Office of Disability Services (ODS). Electronic records are kept on a secure server to which only ODS staff are granted access. Because confidentiality of student records and information is a high priority, ODS requires all employees to sign confidentiality agreements and to undergo confidentiality training. In addition, all paper student records are kept in locked file cabinets, with keys held by a limited number of staff. The ODS Director regularly reminds all staff members of the consequences of violating the confidentiality of information contained in student records.
The student records maintained by University Career Services (UCS) include student profile information and resumes within the Panther Career Net online system, Activation Request and Release of Information forms, and career counseling notes. UCS implements strict procedures and storage to comply with FERPA's confidentiality requirements: access to student records is restricted to staff and faculty who have a legitimate career services interest, and access to the online files, including career counseling notes, is password protected. Career counseling paper files are kept in locked file cabinets, and Activation Request and Release of Information forms are stored in file cabinets in locked offices. University Career Services emphasizes staff responsibility for maintaining the confidentiality of student information.
Physical records are managed in accordance with the University System of Georgia Records Management and Records Retention Guidelines, which comply with federal and state law, including the Georgia Records Act (O.C.G.A. 50-18-90 et seq.). We are also responsible for following the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99). [13]
1. Georgia State University Security Plan (in compliance with Gramm-Leach-Bliley Act)
2. University Sensitive Information Protection Policy
3. University Security Review Policy
4. University Incident Response Policy
5. User ID Eligibility Policy
6. University Data Stewardship and Access Policy
7. Request to Access Student Records Policy and Procedures
8. File/Server Backup
9. GoSOLAR Account Request Forms
10. Records Access Requests
11. Student Information Suppression
12. Staff and Faculty Student Record Access
13. Family Educational Rights and Privacy Act (FERPA)