Information is one of Howard Community College’s (HCC) most valuable resources and as such, requires responsible management by all members of the college community. This document establishes specific guidelines for the proper protection of these valuable resources and promotes maintenance of strict confidentiality in compliance with applicable policies as well as state and federal regulations.
This procedure addresses the handling of information, whether communicated orally, in hard copy, or electronic format, by all employees. This includes information stored on paper, computers, portable media, cell phones, or other mobile devices.
For the purpose of these guidelines, HCC classifies its information in three categories: regulated, confidential, and public as defined below.
- Regulated information is not only confidential but also subject to regulatory compliance such as the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), payment card industry data security standards, and the Maryland Personal Information Protection Act. This information includes, but is not limited to, student and employee social security numbers, student identification numbers, counseling records, birth dates, student education records, medical information, credit card information, bank information, and financial aid data. For additional information on the protection of student information, refer to college policy 50.05, Confidentiality of Student Records.
Most information stored in the Colleague database is classified as regulated information and requires protection, as described above. Therefore, Colleague data is stored in a protected format. Access to Colleague must be password protected and transmission of data is secured using secure socket layer (SSL) encryption. Colleague reports containing regulated information that are saved to college-owned mobile devices must be encrypted and password protected. Supervisors are responsible for defining and approving employee access to Colleague.
- Confidential information includes, but is not limited to, donor information, employee evaluations, personnel information, passwords, intellectual research findings, marketing plans, business projections, and college financial data.
- Public information is information that can be released to the general public, such as college reports, newsletters, and board of trustees’ materials.
Protection of College Information
Employees must exercise extreme care and caution when accessing regulated information to ensure proper safeguards and avoid disclosure. This category of information must be stored only on college-owned computer equipment and not personal computers or storage devices. If electronic transmission is required for government reporting purposes, regulated information must be encrypted for secure transmission. Regulated information stored on college-owned mobile devices must be encrypted and password protected. This process includes using strong passwords to access mobile devices. Strong passwords are a combination of at least seven characters, numbers, and punctuation marks, and include a combination of upper and lower case characters. Employees can contact the information technology help desk for assistance.
Employees must also exercise care and caution when accessing and transmitting confidential information. Confidential information stored on college-owned mobile storage devices must be encrypted and password protected. This process includes using strong passwords to access mobile devices.
Employees must also exercise care and caution to protect against the loss or alteration of public information. It is not necessary to encrypt public information.
Release of Regulated, Confidential, and Public Information
- In order to assure legal and regulatory compliance, employees should direct all external and internal requests for the release of information to the president’s office. The college is subject to the Maryland Public Information Act, which governs the release of information to third parties.
- Student information that is regulated and confidential is managed and released by the office of records, registration, and veterans’ affairs. Refer to college policies 50.05, Confidentiality of Student Records, and 61.19, Identity Theft Prevention/Red Flags Program, and procedure 61.19.01, Red Flags Procedures.
- Employee information that is regulated and confidential is managed and released by the human resources office.
- Requests from the media are to be forwarded to the office of public relations and marketing.
- Public information is prepared by offices designated with the responsibility for its content, and released by the president’s office. This information must be released in its original form and format.
Security and Storage of College Information in the Cloud
Faculty and staff can use a third-party cloud-hosting provider only when contractual provisions are in place with the college to protect the security and privacy of college and student information. To date, only Google Apps for Education is an authorized contracted service provider for cloud storage of college and student information. While Google Apps for Education may be used to store confidential and public information, it is not authorized for the storage of regulated information.
Policy Manual Review/Revision: 09/12/14