Personally Identifiable Information Security Policy
PURPOSE:
Jefferson Community College will adhere to the New York State Chapter 279 of the Laws of 2008 Program Bill which restricts the use of social security numbers by State agencies and other governmental entities, effective January 1, 2010 as well as the Federal Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) requires protection of personally identifiable information (PII).
STATEMENT OF POLICY:
- Personally identifiable information (PII) is described as any data that can be used
to disclose the identity of an individual. This includes but is not limited to social
security number, address, phone number, College ID number, email address or name.
- In an effort to maintain data security in all realms of data collection, JCC requires
that all online data collection programs conform to the following information security
regulations:
- Personally identifiable information will not be stored on any server accessible by
the public. This includes but is not limited to web servers and email servers.
- Campus-wide network traffic is not secure. No guarantee of security or even arrival
of transmission is made. Internet and Electronic Mail should not be used for the
transmission of confidential or sensitive data.
- All personally identifiable information will be stored on securely controlled central
database servers that conform to all access control and authentication regulations
set forth by IT.
- All online data collection, data retrieval and application requests involving personally
identifiable information will be reviewed to ensure that all security principles,
programming standards, data storage, and that all data elements are being collected
securely and appropriately.
- When programs and methods are found that do not conform to information collection
and security policies, they will be removed and taken out of production until security
violations are corrected.
- Personally identifiable information will not be stored on any server accessible by
the public. This includes but is not limited to web servers and email servers.
- Phone conversations should not include any personally identifiable information.
- Printouts with personally identifiable information should be kept secure and disposed
using the appropriate procedures for disposing of secure documents.
- Online data collection programs are defined as any web form, application or survey
tool that is made available to the public and stores some or all of the personally
identifiable information elements. Surveys, while they may or may not collect personally
identifiable information, must be reviewed by a designated data/cyber security officer
to ensure that the data being collected is securely stored in a manner consistent
with all designed security standards established for personally identifiable information
(PII).
- Disclosure of personally identifiable information to parties outside the university
- JCC does not sell, rent, give away or loan any personally identifiable information
about students, faculty or staff to any third party other than agencies directly connected
to the university. Agencies who have access to personally identifiable information
are required to protect this information in a manner that is consistent with this
privacy policy and those set forth by the State of New York and the Federal government.
Violators of these privacy acts will be prosecuted by every extent of the law
- JCC does not sell, rent, give away or loan any personally identifiable information
about students, faculty or staff to any third party other than agencies directly connected
to the university. Agencies who have access to personally identifiable information
are required to protect this information in a manner that is consistent with this
privacy policy and those set forth by the State of New York and the Federal government.
Violators of these privacy acts will be prosecuted by every extent of the law
- Consent
- By using the College technology infrastructure, you consent to the collection and
use of your personally identifiable information by JCC. The policies that govern
the usage of JCC’s technological infrastructure and your personally identifiable information
will be made available.
- By using the College technology infrastructure, you consent to the collection and
use of your personally identifiable information by JCC. The policies that govern
the usage of JCC’s technological infrastructure and your personally identifiable information
will be made available.
- Failure to uphold the general standards of usage constitutes a violation of this policy
and may be subject to disciplinary action. The general standards of usage require:
- Compliance with all applicable laws, regulations, and College policies;
- Truthfulness and honesty in personal and computer identification;
- Respect for the rights and property of others, including intellectual property rights;
- Compliance with all applicable laws, regulations, and College policies;
- Chapter 279, Public Officers Law 96-a, prohibits the State from any of the following,
unless required by law:
- Intentionally communicating or making available to the general public an individual’s
social security number;
- Printing an individual’s social security number on any card or tag required for the
individual to access products, services or benefits provided by the State and its
political subdivisions;
- Requiring an individual to transmit his or her social security number over the Internet,
unless the connection is secure or the number is encrypted;
- Requiring an individual to use his or her social security number to access a website,
unless a password or unique personal identification number or other authentication
device is also required for access;
- Including an individual’s social security number, except the last four digits, on
any materials that are mailed to the individual or sent to him or her in an email
that is copied to third parties, except that social security numbers may be included
in applications and forms sent by mail, including documents sent as part of an application
or enrollment process, or to establish, amend or terminate an account, contract or
policy, or to confirm the accuracy of a social security number;
- Printing a social security number, under any circumstances, in whole or in part, on
a postcard or other mailer not requiring an envelope, or visible on an envelope or
without the envelope having been opened; and
- Encoding or embedding a social security number in or on a card or document, including
by bar code, chip, magnetic strip, or other technology, where printing a social security
number thereon is prohibited under this law.
Student Support Services, Social Security Number (SSN) Initiative, nysed.gov, https://opengovernment.ny.gov/system/files/documents/2020/09/pppl.pdf, January 12, 2010
- Intentionally communicating or making available to the general public an individual’s
social security number;
- The Board of Trustees hereby authorizes the President, or his/her designee, to develop and establish appropriate standards and procedures to implement and enforce this policy.
Adopted:
June 2012, Res. 128-12