1. General. Information is one of Howard Community College’s most valuable resources and as such, requires responsible management by all members of the college community. This document establishes specific guidelines for the proper protection of these valuable resources and promotes maintenance of strict confidentiality in compliance with applicable policies as well as state and federal regulations.
2. Scope. This procedure addresses the handling of information, whether communicated orally, in hard copy, or electronic format, by all employees. This includes information stored on paper, computers, portable media, cell phones, or other mobile devices.
3. Information Classification. For the purpose of these guidelines, Howard Community College classifies its information in three categories: regulated, confidential, and public.
- Regulated. This information is not only confidential but also subject to regulatory compliance such as the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA). This information includes, but is not limited to, students’ and employees’ social security numbers, student identification numbers, counseling records, birth dates, student education records, medical information, credit card information, bank information, and financial aid data. For additional information on the protection of student information, refer to college policy, 50.05, Confidentiality of Student Records.
- Confidential. This information includes, but is not limited to, donor information, employee evaluations, personnel information, passwords, intellectual research findings, marketing plans, business projections, and college financial data.
- Public. Information that can be released to the general public, such as college reports, newsletters, and board of trustees’ materials.
4. Protection of College Information:
- Regulated. Employees must exercise extreme care and caution when accessing regulated information to ensure proper safeguards and avoid disclosure. This category of information must be stored only on college-owned computer equipment and not personal computers or storage devices. If electronic transmission is required for government reporting purposes, regulated information must be encrypted for secure transmission. Regulated information stored on college workstations or devices must be encrypted and password protected. This process includes using strong passwords to access computers and applications and using encryption with mobile storage devices. Strong passwords are a combination of at least seven characters, numbers, and punctuation marks, and include a combination of upper and lower case characters. Employees can contact the information technology help desk for assistance.
- Confidential. Employees must also exercise care and caution when accessing and transmitting confidential information. Confidential information stored on college-owned, personal computers, or mobile storage devices must be encrypted and password protected. This process includes using strong passwords to access computers and applications and using encryption with mobile storage devices.
- Public. Employees must also exercise care and caution to protect against the loss or alteration of public information. It is not necessary to encrypt public information.
5. Release of Regulated, Confidential, and Public Information.
- In order to assure legal and regulatory compliance, employees should direct all external and internal requests for the release of information to the president’s office. The college follows the Maryland Public Information Act, which governs the release of information to third parties.
- Student information that is regulated and confidential is managed and released by the records and registration office. Refer to college policy, 50.05, Confidentiality of Student Records.
- Employee information that is regulated and confidential is managed and released by the human resources office.
- Requests from the media are to be forwarded to the office of public relations and marketing.
- Public information is released by offices designated with the responsibility for its content. This information must be released in its original form and format.
Policy Manual Review/Revision: 11/13/09