McNeese State University

Section 2:
Core Requirements
2.1	2.2	2.3
2.4	2.5	2.6
2.7.1	2.7.2	2.7.3
2.7.4	2.8	2.9
2.10	2.11	2.12
Section 3:
Comprehensive Standards
3.1.1	3.2.1
3.2.2.1	3.2.2.2	3.2.2.3
3.2.2.4	3.2.3	3.2.4
3.2.5	3.2.6	3.2.7
3.2.8	3.2.9	3.2.10
3.2.11	3.2.12	3.2.13
3.2.14	3.3.1	3.4.1
3.4.2	3.4.3	3.4.4
3.4.5	3.4.6	3.4.7
3.4.8	3.4.9	3.4.10
3.4.11	3.4.12	3.4.13
3.4.14	3.5.1	3.5.2
3.6.1	3.6.2	3.6.3
3.7.1	3.7.2	3.7.3
3.7.4	3.7.5	3.8.1
3.8.2	3.8.3	3.9.1
3.9.2	3.9.3	3.10.1
3.10.2	3.10.3	3.10.4
3.10.5	3.10.6	3.10.7
Section 4:
Federal Requirements
4.1	4.2	4.3
4.4	4.5	4.6
4.7	4.8

McNeese State University
Compliance Plan for Reaffirmation

Section 3.4.11: Educational Programs: All Educational Programs

(includes all on-campus, off-campus, and distance learning programs and course work) ( See Commission policy "Distance Education")

Judgment of Compliance

Compliance

Partial Compliance

Non-compliance

Requirement

The institution protects the security, confidentiality, and integrity of its student academic records and maintains special security measures to protect and back up data.

Narrative

McNeese State University is in compliance with Comprehensive Standard 3.4.11.

The University’s commitment to safeguarding the security, confidentiality, and integrity of student records is evidenced in the policies and procedures the University has implemented. Federal and state regulations and standards regarding the protection of student academic records drive institutional policies and procedures. The University complies with the rules and regulations determined by the Family Educational Rights Privacy Act (FERPA) and with the recommendations of the American Association of Collegiate Registrars and Admission Officers.

All student records, including those of students enrolled in off-campus or distance learning courses, are subject to the policies and procedures of the University regarding privacy, security, and integrity.

University policies ensure the following:

• Student academic records are safe from unauthorized access or use;

• Individuals who have access to student records respect the students’ rights to confidentiality;

• Individuals who have access to student records use them in a professional manner, appropriate to their job responsibility;

• Individuals who record data have the appropriate authority to do so;

• Changes to data are monitored;

• Security measures to protect and back up data are in place.

Confidentiality of Student Records

The University catalog addresses confidentiality of student records and the University’s obligation to follow regulations stipulated in the FERPA act:

Family Educational Rights and Privacy Act The University [complies] with the Family Educational Rights and Privacy Act (FERPA). The [A]ct gives students and the parents of dependent students, as defined in Section 152 of the Internal Revenue Code, the right to inspect and review their educational records, to request correction of inaccurate or misleading information, to authorize disclosure of educational records and to file complaints with the U.S. Department of Education concerning alleged failure to comply with the Act. Questions regarding FERPA may be referred to the Office of the Registrar.
Confidentiality of Student Records Under the FERPA only directory information may be released without a student’s permission. Directory information is defined as: a student’s name, address, telephone number, and email address; major field of study and classification; class schedule; date and place of birth; faculty advisor; high school attended and date of graduation; photograph; veteran’s status; participation in officially recognized activities and sports; weight and height of members of athletic teams; dates of attendance, degrees, awards, and honors received; and previous educational institution most recently attended.
Students may complete a Request to Prevent Disclosure of Directory Information form in the Office of the Registrar. Requests to withhold information are in effect until the student provides written notification to rescind the request to the Office of the Registrar. [ . . . ]
Each year a campus telephone directory is published. Students, faculty, and staff can withhold directory information from this publication. The telephone directory is a public document, and it is the only document that the University makes public containing the name, address, telephone number, and email of students. (Catalog, 17)

Student educational records are only released with written consent from the student, except in those situations covered by this acts and University policies. FERPA regulations are published in the University catalog, the class schedules, and on the University home page.

Security of Student Records

University Employee Access to Student Records

University policy clearly states regulations regarding access to student records. Only employees who have a “legitimate educational or safety interest as determined by the University” are granted access to student records. New employees are instructed in federal and state laws regarding confidentiality issues and University policies during new employee orientations offered by both the Office of Human Resources and individual departments and units. Policies regarding appropriate access are published in the University Catalog and in the Faculty/Staff Handbook:

McNeese employees who have a legitimate educational or safety interest as determined by the University have access to student’s educational records. Additionally persons under contract, or having a contractual agreement, with the University to provide a service or benefit to the student or their family may have access to certain records as prescribed by law. The University reserves the right to deny access to students’ education records to persons not affiliated with the University unless the student has submitted a written signed waiver requesting access and specifying the records to be released. (Catalog, 17)

Before employees, including faculty members and academic advisors, are given access to student records, a written request approved by the employee’s unit head or department head and division head or dean must be approved by the Registrar, who is considered custodian of student records. A two-step process must be completed before users are granted access to the server:

• Read the University Policy on Information Technology Resources (link http://www.mcneese.edu/policy/infotech.php) and agree to abide by the regulations stipulated in the policy;

• Apply for a Banner Account on the appropriate Banner Account Request Form with supervisor’s approval.

Once individuals have applied and been approved, they may be granted access to student records by the Registrar, who authorizes the level of access.

The excerpt below from the University Policy on Information Technology Resources reflects the University’s commitment to securing access to student records:

Computer accounts, passwords, access codes, and other authorizations are assigned to individual users. It is a violation of this policy to use another's account, password, access code, or to misrepresent one's identity in accessing or using any IT resource at the University. If someone else learns your password, you must change it. Users may not share computer accounts. Users are responsible for ALL activity on their computer accounts. Should abuse occur by an unauthorized user, the owner of accounts may be held responsible. (Policy on IT Resources, III.4, User Responsibilities)

University policy regarding employee access specifies conditions under which faculty members are granted limited access to confidential student records. Daily audit trails reflect activities such as courses enrolled, added, or dropped and identify individuals who make these changes by operator number. Any grade change activity in students’ records is also shown in the daily audit trails. Policies regarding these safeguards are on file in the Registrar’s Office.

Other policies regarding faculty access to confidential student records are published in the Faculty/Staff Handbook and on the University home page. The Personal Identification Number policy, for example, illustrates the University’s commitment to confidentiality of student records:

Personal Identification Numbers (PINS)
PINs are issued to faculty by the Registrar’s Office for the purpose of using Web for Faculty for viewing class rosters and submitting final grades. The PIN is a unique number and serves as a digital signature. Faculty are expected to maintain strict security for PIN numbers by following [specified] guidelines. (Sections 305 and 305.1)

Student Access to Academic Records

To ensure that students have access only to their own electronic records, the University password protects access through Web for Students. On this site, students have access to transcripts, grades, financial aid and personal information, schedules, and account information. From Web for Students they can register for classes and make credit card payments. Information about individual grades and work is available to students enrolled in courses using Blackboard. As with Web for Students, access to Blackboard is password protected.

Academic and financial records may be requested in paper copies as well as electronic. Students request transcripts in writing from the Office of the Registrar. These documents are either mailed to the address listed on the request or picked up in person. Individuals picking up transcripts, either the student or designeé, must provide picture identification before records are released. Financial aid information and information provided by the Cashier’s office regarding payment of tuition and fees will be released to individuals presenting picture identification.

Security and Retention of Student Records

In order to safeguard student academic records, the University secures student records in a vault and in fire-proof filing cabinets located in the Office of the Registrar. Access to these records is restricted to personnel with a legitimate, employment-related need. Records are maintained and digitally imaged in accordance with the McNeese State University Records Retention Schedule. Confidential records that are no longer needed are shredded by staff in the Registrar’s office and disposed of by the custodial staff. The University Records Retention Schedule meets the obligation established by Louisiana Revised Statute 44:402, which defines records management as follows:

The systematic application of management techniques to the creation, utilization, maintenance, retention, preservation, and disposal of records for the purpose of reducing costs and improving of records keeping. Records Management includes management of filing and microfilming equipment and supplies, filing and information retrieval systems files, correspondence, reports, and forms management; historical documentation; micrographics, retention programming, and vital records protection.

Student academic records are permanent. Records are imaged annually and the originals are shredded after inspection. The electronic records are then stored permanently.

Electronic Student Records

Electronic student records are maintained on computer servers housed in the University Computing Services Office in Room 305 of Kaufman Hall. These servers are in an environmentally-controlled room accessible only through a secure keypad. The servers are connected to uninterruptible power supplies (UPS), and they are accessed via Internet Protocol (IP) services.

In order to safeguard student records, data are backed up on a daily basis. These backups are preserved for two weeks, with the oldest set of backups kept in the computer room in Kaufman Hall. When the operator completes the backup each night, it is placed in a fireproof safe in the computer room. The next day it is transferred to another location in Smith Hall. Each Thursday, a set of backups is removed to a secure offsite location.

During the Fall 2006 semester, immediately after landfall of Hurricane Rita, the McNeese State University Emergency Preparedness Plan was put into action with great success. Although the campus was without power for more than a week, no records were lost. Because of exigent conditions experienced in the aftermath of the hurricane, the University has revised its plan for dealing with the potential harmful effects of such natural disasters. The Disaster Recovery Plan more specifically addresses issues related to information technology needs.

As a component of the Disaster Recovery Plan, the Office of Information Technology has compiled a list of emergency procedures which includes such sensitive information as lists of passwords and the location of the remote site where electronic records are sent in the event of a disaster. The Chief Information Technology Officer and select members of the Executive Staff have access to the IT component of the Disaster Recovery Plan. This document is not available for public review.

Integrity of Electronic Systems

To ensure the integrity of student records stored on electronic systems, the Policy on Information Technology Resources clearly identifies violations to normal and appropriate use and cites the consequences of such violations. The excerpt from the policy below illustrates this commitment to the integrity and confidentiality of student records:

V. User Confidentiality and System Integrity
If a system administrator is an eyewitness to a computing abuse; notices an unusual degradation of service or other aberrant behavior on the system, network, or server for which he or she is responsible; or receives a complaint of computing abuse or degradation of service, he or she should investigate and take steps to maintain the integrity of the system(s). If a system administrator has evidence that leads to a user's computing activity as the probable source of a problem or abuse under investigation, he or she must weigh the potential danger to the system and its users against the confidentiality of that user's information.
A system administrator may find it necessary to suspend or restrict a user's computing privileges during the investigation of a problem. A user may appeal such a suspension or restriction and petition for reinstatement of computing privileges through the University's judicial system or by petition to the Chief Technology Officer.
If system administrators have a preponderance of evidence that intentional or malicious misuse of computing resources has occurred, and if that evidence points to the computing activities or the computer files of an individual, they have the obligation to pursue any or all of the following steps to protect the user community:

• Take action to protect the system(s), user jobs, and user files from damage.
• Notify the alleged abuser's project director, instructor, academic advisor, or dean.
• Refer the matter for process through the appropriate University judicial system.
• Suspend or restrict the alleged abuser's computing privileges during the investigation and judicial processing.
• Inspect the alleged abuser's files, diskettes, and/or tapes.

VI. Disciplinary Action for Abuse of Computing Privileges
Abuse of computing privileges is subject to disciplinary action. Disciplinary action may include the loss of computing privileges and other disciplinary sanctions. An abuser of the University's computing resources may also be liable for civil or criminal prosecution.