Auburn University
Submitted August 2, 2023
_X_ Compliance   ___ Partial Compliance   ___ Non-Compliance
Narrative

Definition of Student Records and Directory Information

At Auburn University, in keeping with common usage, the term "student records" denotes all educational records that come within the scope of the Family Educational Rights and Privacy Act (FERPA). Thus student records are all records, files, documents, or other materials a) maintained by any person acting on behalf of Auburn University and b) containing information directly related to an identifiable student.

Auburn University may release directory information without the student's written consent. At Auburn University, directory information includes the following enumerated data elements:

  • Student's complete name
  • Addresses and associated telephone number
  • University email address
  • Most recent classification and curriculum
  • Terms/dates of attendance (not to include specific daily attendance records)
  • Photographs, video, or other electronic image (released only in connection with official university publications)
  • Participation in recognized activities and sports
  • Degrees and awards received

Student contact information may be released only for non-commercial use by individuals or organizations outside of Auburn University, provided the requests for such information are determined, after appropriate review by the Senior Vice President of Student Affairs (or their designee), to be consistent with the university’s educational mission and in the interests of the institution and/or students.

A student may deny the release of directory information by completing a Privacy Setting Change Form available in the Office of the Registrar.

Compliance with Applicable Laws Concerning Student Records

To comply with all applicable laws and regulations, both federal and those of the state of Alabama, Auburn University has established comprehensive policies and procedures to protect personally identifiable information. Information protected goes beyond student records in most cases. The discussion below will focus, in particular, on university policies and procedures governing the handling of student records.

Federal and state laws and regulations addressed by Auburn University policies and procedures include the following:

  • Family Educational Rights and Privacy Act (FERPA)
    • Protects the privacy of student educational records and ensures they cannot be released without the student’s consent
  • Health Insurance Portability and Accountability Act (HIPAA)
    • Protects the privacy of a person’s medical records and ensures they cannot be released without the patient’s consent
  • Gramm-Leach-Bliley Act
    • Requires institutions that provide financial advice or services like loans to disclose their record-sharing practices to customers and to protect customers’ personal data

Auburn University Policies and Procedures

Auburn University recognizes that the maintenance of student information and educational records is necessary and vital to assist the student’s education and development and to provide opportunities for university research and policy formulation. The university recognizes its obligation to exercise discretion in recording and disseminating information about students to ensure that their rights of privacy are maintained. The university also applies best practices recommended by the American Association of Collegiate Registrars and Admission Officers with regard to the security, confidentiality, and integrity of all student records. Accordingly, the institution maintains comprehensive policies, at both the institutional level and the unit level, each designed in one way or another to protect the security, confidentiality, and integrity of electronic data, including student records. Where possible, examples of policy enforcement have been included as documentation.

Policy on the Confidentiality of Student Records 

This policy outlines Auburn University’s fundamental commitment to ensuring the confidentiality of student records, pursuant to FERPA. It also outlines provisions for students to access their own educational records and to request the amendment of those records, as well as for the release of directory information and the permissible release of educational records.

Data Classification Policy

This policy establishes that all Auburn University data are classified into categories according to sensitivity and criticality, and that each category of data shall be handled according to the protection standards promulgated by the office of the Chief Information Officer. The Auburn University Cybersecurity Office maintains and publishes these standards.

Data Access Policy

The Data Access Policy is Auburn University's most general policy on the security, confidentiality, and appropriate use of all stored electronic data—including student records—that is processed, stored, maintained, or transmitted on the university's computer systems and networks. Appropriate use includes protection from unauthorized modification, destruction, or disclosure, whether intentional or accidental. The policy outlines procedures for data administration, data security, and data access, including access to student records.

Information Security Policy

The Information Security Policy establishes local departmental responsibility for the security of information within each department's control and enumerates the safeguards that are to be in place.

Electronic Data Disposal Policy 

This policy requires that all computer systems, electronic devices, and electronic media must be properly cleaned of data and software before being transferred outside of Auburn University, either as surplus property or as trash, or repurposed or reused within Auburn University. When electronic media storage devices cannot be sanitized, the media is to be destroyed using approved vendors and processes.

Electronic Privacy Policy

This policy describes the level of privacy and confidentiality that users of Auburn University information technology resources can expect, and indicates the types of situations in which the university may review the contents of such resources. This policy covers all Auburn University-issued accounts (students, employees, guests, retirees, alumni) as well as IT resources.

Information Disclosure and Confidentiality Policy

This policy establishes the level of care that individuals with access to confidential information or data must exercise.

Employee and Student Email Policy 

This policy establishes email as an approved medium of communication among Auburn University students, employees, and external parties. The Employee Email Policy also references the archival requirements in keeping with the General Records Schedule for Alabama Universities.

Enterprise Resource Plan (ERP) Sensitive Personally Identifying Information Protection Policy

This policy establishes procedures to protect Auburn University sensitive data from unauthorized disclosure and inappropriate use. For the purposes of this policy, the term sensitive data denotes any information that could cause an individual personal financial harm if disclosed and used improperly. Examples of sensitive data include, but are not limited to, social security numbers, credit card numbers, computer passwords, and any personal information flagged for non-disclosure.

Appropriate Use of Information Technology Policy

This policy informs users that the use of university information technology resources must be consistent with the mission of the university, and in compliance with federal, state, and local statutes and Auburn University policies.

Data Encryption Policy

This policy requires that all mobile computing devices as well as non-mobile computing devices containing confidential data must use appropriate encryption technologies to secure at-rest data from unauthorized access.

Information Technology (IT) Professionals Code of Conduct

This policy requires designated IT professionals to acknowledge the responsibilities that accompany the heightened level of access their role at the university may grant them. In 2021, 273 of the 275 (99%) affected employees completed their annual Code of Conduct acknowledgement via the training delivery platform, KnowBe4.

Cybersecurity Awareness Training Policy

All employees (full-time, part-time and student) who utilize Auburn University IT resources are required to participate in the Auburn Cybersecurity Awareness and Training Program.

2021-22 Annual Cybersecurity Awareness Training

  • Total: 9,810 out of 11,234 completed (87%)
  • Full- or part-time employees: 6,190/6,490 complete (95%)
  • Student employees: 3,620/4,744 complete (76%)

Wireless Networking Policy

This policy establishes appropriate security measures governing access to wireless networking within Auburn University's comprehensive data network.

Software and Information Technology Services Approval Policy

This policy requires that all software and information technology services be approved prior to purchase. The Cybersecurity Office, the Division of Institutional Compliance and Privacy, the Office of Accessibility, and others as needed review every purchase prior to approval. Depending on the sensitivity of the data use and/or the location of data storage, the Cybersecurity Office may request that the vendor complete the Higher Education Community Vendor Assessment Toolkit (HECVAT); the Office of Audit, Compliance & Privacy may require that the vendor execute a Data Security and Privacy Appendix, which outlines the vendor’s role in data security.

Policy on the Release of a Deceased Student’s Record

This policy establishes to whom a student’s educational records can be released in the event of a student’s death. There are no recent cases of this policy being enacted, and therefore, documentation cannot be provided at this time.

Information Security Incident Reporting Policy

This policy establishes the requirement for all persons with access to university information resources to report any information security incident to the Information Security Incident Response Team (ISIRT).

Employee Training and Access to Student Educational Records

All new university employees must complete the Auburn University cybersecurity and FERPA training before they are granted access to any student data. Depending on the function of the employee’s role, for specific systems, the Office of the Registrar provides training on the content of the material being requested and provides FERPA training prior to granting access. A monthly review training on various issues related to the student information system is also provided as requested by individual units.

Public Dissemination of Information about Student Records

Information about student rights concerning their education records is widely disseminated to students. Sources include: 

  • The Auburn University Bulletin
  • Auburn University Student Policy e-Handbook
  • Office of the Registrar
  • Auburn University Consumer Information
  • Auburn University Graduate School General Policies

In addition to these university-wide sources, individual units provide information about security, confidentiality, and integrity of student records. Representative examples include:  

  • Office of Audit, Compliance & Privacy
  • Auburn Cares (Student Affairs)
  • Auburn University Medical Clinic
  • Parent and Family Programs (Student Affairs)

Security and Confidentiality of Student Records in Units with Substantial Data Access

The variety of functions served by Auburn University's academic, educational support, student support, and administrative offices means that many units must develop their own procedures and practices, consistent with Auburn University policy, to protect student records.

Office of the Registrar

At Auburn University, the Office of the Registrar is responsible for maintaining the security, confidentiality, and integrity of student academic records and for establishing and maintaining appropriate procedures to protect and back up those records. The retention and disposition of the records are in accordance with the record retention guidelines provided by the American Association of Collegiate Registrars and Admissions Officers, with the standards set forth through FERPA [1], and with the General Records Schedule for Alabama Universities [6]. This commitment is fulfilled through policies and procedures governing the handling of student academic records:

  • Academic records beginning with Fall 2001 semester are maintained electronically utilizing the Banner Student Information System (SIS) and accessed through Extender electronically.
  • Paper records generated prior to 2001 have been converted to electronic images and have been uploaded to a secure server accessible by senior employees who report to the Registrar. The server is accessed through a secure vendor login, separate from the Extender Imaging System software.
  • The original paper and historic documents prior to 2001 are retained and housed in the Special Collections and Archives section of the Ralph Brown Draughon Library.
  • Both regular and student employees of the Office of the Registrar must be FERPA trained and sign a confidentiality agreement before handling student records.
  • Students wishing to authorize the release of their educational records must sign an authorization form. This form allows students to indicate to whom their student information can be released. No student information except directory information is released without the student’s written consent.
  • Students wishing to inspect their educational records must show photo identification.

Office of Student Financial Services

The Office of Student Financial Services is responsible for financial aid, billing/receivables, cashiering, collections/delinquent accounts, and student loans. The office thus handles student records of various sorts. Records are received and stored electronically within Auburn University's Banner Enterprise Resource Planning system and Campus Logic Student Forms Portal.

Consistent with FERPA requirements, student financial information is not released without the student's written consent, as outlined in the Financial Information Release Policy and Procedure included in the references. A sample of the Student Financial Information Release Form is also included.

Physical security procedures for the Office of Student Financial Services include the following:

  • Swipe card access limitations to Mary Martin Hall, the building in which the office is located
  • Additional swipe card access limitation to working areas of the building where financial records are processed (so that employees of other offices housed in the building cannot access these areas)
  • Security cameras to monitor activity in working areas
  • Automatic door locks in working areas in case of a power outage

Additionally, Student Financial Services and the Office of Institutional Technology have been engaged in comprehensive risk assessment and mitigation efforts in continued compliance with the Gramm-Leach-Bliley Act.

Division of Enrollment Management

The Division of Enrollment Management includes the Office of Undergraduate Admissions, University Scholarships, enrollment management technology, enrollment marketing, and the centralized Enrollment Management staff. Student records are therefore part of the information processed and analyzed by this office. Generally, electronic workflow processes are used, requiring authenticated login, to protect sensitive information.

Employee Access to Student Educational Records and Training. All new university employees must complete the Auburn University cybersecurity and FERPA training before they are granted access to any student data. Additionally, all employees within the Division of Enrollment Management, including professional and student staff, sign a confidentiality and use of university information agreement. The Office of Undergraduate Admissions staff participate in the National Association for College Admission Counseling (NACAC) College Admission Ethics in Action online training.

Office of Institutional Research

Because this office must frequently handle student-level data in order to compile institutional summaries, a privacy policy has been developed, and employees must agree to the Policy on Confidentiality of Data by signing a digital form using Qualtrics before gaining access to student records. Both the Office of Institutional Research and the employee are sent a confirmation e-mail upon completion of the confidentiality agreement. Responses to the confidentiality agreement are routinely audited against user lists for institutional research platforms such as Qlik to ensure compliance.

Units Housed in Student Affairs

Auburn Cares

Auburn Cares uses the software Maxient to manage all student files, in compliance with FERPA guidelines. Maxient is a third-party database management company that specializes in higher education behavioral record management and storage. Maxient provides software for the behavioral record database management needs of over 1,100 college campuses and is one of the largest service providers in the United States. Auburn Cares student files are all maintained electronically, with the exception of student death records, which are all stored in hard files. The hard copies are maintained in file cabinets in the offices of staff that are locked after hours. The only people who access those files are members of the Auburn Cares staff. Additional access restrictions are placed on student medical withdrawal files so that only Auburn Cares staff can access and view these files in Maxient. Auburn Cares determines who can gain access to those records; Auburn Cares is also responsible for managing the database.

Greek Life

Greek Life collects and maintains the academic records of students. This information is kept electronically on password protected university computers. All staff with access to electronic records are trained on proper procedures for access and compliance with FERPA. Students sign an electronic form to grant access to their student records. All student leaders and adult advisors with permission to receive academic records sign a confidentiality agreement.

Health Promotion and Wellness Services

The Office of Health Promotion and Wellness Services (HPWS) manages three confidential services: Safe Harbor, nutrition services, and substance abuse services (TESI/SUIT). In each of the three service areas, information is not released to anyone (e.g., parents, professors, employers, authorities, etc.) without the client’s written permission. Nutrition services and the substance use services programs are provided under the direction of appropriately licensed providers. Safe Harbor and nutrition services each use Titanium Enterprise Risk Management (ERM) software for data collection and to store confidential notes. Additionally, Day Smart (formerly Appointment Plus) software is used to schedule substance use services and nutrition appointments. Please note, the only information kept through Day Smart is appointment attendance. These two software programs have been thoroughly vetted through the Office of Information and Technology.

All HPWS staff with access to electronic records are trained on proper procedures for access and maintenance of confidentiality. Confidential records created through substance use services are kept on secure internal electronic drives through the office. Access to these records is limited to the trained staff working with the program. Hard copy records are not created frequently. HPWS has made a concerted effort over the past five years to transition to a paperless record keeping process. Any hard copy client information collected through the three service areas is stored in locked file cabinets in a central storage area also under lock and key at the office. Confidential files are accessible only by authorized HPWS personnel.

Medical Clinic

The Auburn University Medical Clinic (AUMC) is required under HIPAA to protect the privacy of health information, which includes information about student health history, symptoms, test results, diagnoses, treatment, and claims and payment history (collectively, "Health Information"). AUMC is also required to provide first time patients with a Privacy Notice regarding our legal duties, policies, and procedures to protect and maintain the privacy of students' Health Information. Access to active records is restricted to clinic staff who have a medically necessary interest. The medical records are kept on secured servers protected by the IT department of East Alabama Health and Allscripts.

Students requesting a copy of their medical records must complete a medical information release form or a sensitive medical information release form prior to the release of the records. Electronic student records at the Student Health Center are stored within Allscripts Database. Access to the Allscripts Database is obtained via a username and password created by the network administrator at AUMC, and each user is required to change passwords at least quarterly. Each student is identified by a unique Allscripts ID number. New patient information is no longer entered into paper records. The old paper records are stored in locked file cabinets, which are only accessible with authorized access until they are scanned onto discs for secure storage. AUMC adheres to HIPAA and FERPA guidelines for record keeping.

Student Conduct

Student Conduct manages all student conduct records, both paper and digital copies, in compliance with FERPA guidelines. Paper copies are maintained in file cabinets in an area that is locked after hours. Access to paper files is limited to Student Conduct employees. Digital files are maintained and secured electronically via Maxient, a third-party database management company that specializes in higher education behavioral record management and storage. Maxient provides software for the behavioral record database management needs of over 1,100 college campuses and is one of the largest service providers in the United States. The Director of Student Conduct is the system administrator for the Maxient system at Auburn University. Access is restricted by the Director of Student Conduct to only those individuals who are responsible for overseeing a portion of a conduct system or are involved in student safety and security (AU Campus Safety-Threat Assessment, and Clery Compliance). Access to the system by individual users is protected by the Duo two-factor authentication system provided by the Auburn University Office of Information Technology.

Student Counseling and Psychological Services

Student Counseling and Psychological Services (SCPS) carefully adheres to legal and professional standards of ethics and confidentiality as prescribed by the International Accreditation of Counseling Services (IACS). Per HIPAA, all client contact with SCPS is strictly confidential. This means that all communication between psychologists, counselors, social workers, and psychiatrists and their clients is privileged and safeguarded. SCPS clinical staff members follow the Ethical Principles of Psychologists and Code of Conduct, the American Counseling Association (ACA) Code of Ethics and Professional Standards, or the National Association of Social Workers Code of Ethics, as applicable to their profession, specific to confidentiality. Alabama law pertaining to psychologists, counselors, and social workers is also followed. These Alabama laws are found under "Title 34: Professions and Businesses" and include "Chapter 26 - Psychologists," "Chapter 8-A - Counselors," and "Chapter 30 - Social Workers."

Information is not released to anyone (e.g., parents, professors, employers, authorities, etc.) without the client’s written permission. In the state of Alabama, the confidential relations and communications between licensed mental health professionals and their clients are equivalent to those provided by law between attorney and client.

SCPS utilizes Titanium Scheduling EMR software for scheduling and data collection. Titanium Scheduling is housed electronically on a file server that is in a physically secure campus facility. All SCPS staff with access to electronic records are trained on proper procedures for access and maintenance of confidentiality. Hard copy client records are stored in locked file cabinets in a central storage area also under lock and key. Paper and electronic files are accessible only by authorized Counseling Center personnel.

Student Involvement

The Student Involvement office contains the following functional areas: student governance, leadership programs, community service programs, the student programming board, student organizations, and student media outlets. Within this office, information that is accumulated and catalogued can include: academic records of student officers and members, biographical and demographic information about organization members and program participants, and other documentation required by Auburn University Human Resources for student workers. This information, which is connected to a student’s Banner file, can be accessed through the university’s student organization digital engagement platform, AUinvolve, by select staff with administrative access. Select staff members also use the university’s Box platform to securely store digital eligibility and demographic data files as needed. In the rare case that hard copy data is produced and stored, it is stored in select staff members’ locked file cabinets in their locked offices. All staff with access to such records are trained on proper procedures for access.

As programs within Student Involvement, Student Media groups, including The Auburn Plainsman, The Glomerata, Eagle Eye TV, WEGL 91.1 FM, and The Auburn Circle, follow the same procedures as outlined above for Student Involvement. Additionally, the media outlets use university servers to securely store their large digital files and to broadcast their content, all while following all federal regulations for media outlets, such as FCC requirements.

University Housing—Residence Life

Residence Life maintains all student conduct files online through the Office of Student Conduct. The system is secure, and only staff who have a legitimate educational interest have access to these files via a secure username and password. Residence Life staff members are trained regarding requirements for confidentiality of student records. University Housing also conducts confidentiality training as a requirement for staff handling student records.

Units Housed in the Office of the Provost

Academic Advising

All Auburn University students are assigned a professional academic advisor at the undergraduate level or faculty advisor at the graduate level. Advisors are all required to undergo FERPA training and are evaluated annually on three core job functions, one being records management, including confidentiality of records. Advisors are responsible for maintaining accurate student records in the degree audit software, filing advising reports following advising meetings in the EAB Navigate software, and ensuring critical documents are backed up in the appropriate systems.

Office of Academic Insight

The Office of Academic Insight is responsible for collecting data from incoming students, graduating seniors, and recent alumni of Auburn University. This data includes, but is not limited to, student achievement and learning assessment data, survey data, and other career outcome data. As such, staff are responsible for meeting university and federal data access and security policies. All staff (including temporary employees, undergraduate employees, and graduate student employees) are required to complete FERPA training with the Registrar’s Office and then must sign an in-house data security and confidentiality agreement that is filed by the Director. This is completed prior to being granted access to any federally protected student data. Further, though all staff receive training and sign the confidentiality agreement, not all staff are granted access to all student data. Student data is only released to those staff who need access to complete their assigned job duties.

A primary element of the mission of the Office of Academic Insight is to conduct educational research supporting student success initiatives across the institution. The results of the research are internally applied to units on the AU campus. All staff responsible for research have completed the appropriate modules in “The Collaborative Institutional Training Initiative” (CITI Program) and are personnel on an approved Institutional Review Board Protocol.

Data is collected in various ways but primarily through Qualtrics or approved third-party test vendors. All are password-protected applications, and Qualtrics in particular is accessed through a secure university portal. Once data is exported from Qualtrics, it is stored in various ways. First, we do not maintain printed copies of raw student data. Data are always reported in the aggregate, and printed static reports do not include information that would allow individual students to be identified. Any student data that the Office of Academic Insight is analyzing is stored in university-sanctioned virtual file locations, specifically Box Drive and Shared Drives. Both locations either require an individual username/password to access files or require the user to be on the university network and hold the permissions set within the folder. In addition, when possible, student data is deidentified.

Academic Support

Academic Support staff maintain program file storage in secure ways that meet the standards of Auburn University policy, confidentiality, and FERPA. In addition, the staff cite both the Council for the Advancement of Standards in Higher Education (CAS Standards, Part 6) and the National College Learning Center Association Center for Excellence Standards (NCLCA, III Part 1) in their work to audit and refine efforts related to student records privacy and confidentiality.

Office staff maintain very few student records in hard copy as the result of an audit and a shift to digital workflows and file storage. The few student records that remain in hard copy are kept in two locked file cabinets placed behind a locked office door (two levels of key entry are required for access). Most student records and program files are stored in university-sanctioned virtual file locations, specifically Box Drive and Shared Drives. Both locations either require an individual username/password to access files or are governed by permissions groups with pre-set file permissions based on job role. Access permission level requests are initiated by professional staff in the office (the user’s supervisor) via a Security Request Form and affirmed by the director (unit leader); they are ultimately dictated by the individual’s job duties and level of training. For example, all staff must complete FERPA training with the Registrar’s Office and then complete in-house training on both FERPA and confidentiality before being granted access to program and student files. Relatedly, a request can be denied if the position’s job duties do not require that level of access.

Office of Accessibility

The Office of Accessibility manages all student medical records, both hard and digital copies, in compliance with FERPA guidelines. The hard copies are maintained in file cabinets in an area that is locked after hours. The digital copies are maintained and secured electronically on Auburn University servers. The only people who access those files (both hard and digital) are members of the Office of Accessibility staff. The Office of Accessibility will never share a student’s medical information without explicit permission from the student.

 

Career Discovery and Success

 

Career Discovery and Success serves as a hub for the establishment of best practices, training, and support for offices distributed across a campus-wide career services network. Auburn University students access direct career services support within their college or at the university level through a Career Services Management System (CSM). CSM management and oversight are the responsibility of Career Discovery and Success, which vets the CSM and ensures that it is FERPA compliant and meets university data security policies. A partnership with the Office of Information Technology is also essential to ensuring compliance and best practices related to data protection and the security of FERPA-protected information.

Prior to gaining access to the CSM, career services providers across the Auburn University network must request access and gain support for access from their supervisor. The request approval process occurs within Qualtrics and requires that university faculty and/or staff declare or validate the completion of FERPA training prior to gaining access to the CSM. Career Services personnel (career coaches, career counselors, career specialists, career champions, and career strategists) work directly with students, utilize the CSM for appointment scheduling and notes, and may also use the system for experiential learning requirement tracking. These trained personnel are responsible for maintaining and securing accurate student records within the CSM.

 

Providers of direct-to-student career services may also use various career-oriented assessments that become part of the student record. These may be either paper or digital. All digital files are kept within the CSM, the assessment portal, or the computer-assisted career guidance (CACG) system, each of which has end-to-end HIPAA and/or FERPA compliance, or within a secure Box file. Paper records are kept confidential; when not in use they are stored in a locked file within the service provider’s office, behind the locked door of that office and the locked entrance to the primary office location. All paper records are stored or backed up securely in the CSM, assessment portal, or CACG system so that paper copies of records can be destroyed annually.

Honors College

 

The Honors College manages all student academic records, both electronic and hard copy, in compliance with FERPA guidelines. The Honors College academic advising unit has fully transitioned to electronic copies of student records that are maintained and secured on Auburn University servers. Honors College professional staff determine who can gain access to those records and are responsible for managing the database. All Honors College professional staff with access to electronic student records are trained on proper procedures for access and maintenance of confidentiality. Any remaining hard copies of student academic records from cohorts prior to 2016 are maintained in file cabinets in an area that is locked after hours. The only people who access those files are members of the Honors College professional staff.

Office of Inclusion and Diversity

 

The Office of Inclusion & Diversity (OID) provides programs, services, and support to faculty, staff, and students. The following information is used within the appropriate scope of work within OID: academic and conduct records of student employees and student leaders; EEO/Title IX case files as assigned for education; and files containing faculty, staff, and student demographics through Banner and other university systems. This information is mostly kept electronically through secure Box folders, with some files being in hard copy. All staff who have access to records are trained and have a purpose to access that information as a necessity in their job duties.

 

Office of International Programs

In its daily work, the Office of International Programs (OIP) works with many offices across campus to promote student success, and this often requires the sharing of confidential and sensitive identifying information. This transfer of information is kept to a minimum, and where required and desirable, OIP follows the policies and practices for transmitting sensitive information outlined by Auburn University and its offices, such as the Office of the Registrar and the Office of Information Technology. Data collection and storage are conducted through university-approved portals and university-approved software products that communicate among databases. These data are stored on central Auburn University servers or in government databases to which staff have protected access. OIP has been audited for its information practices and works in an environment of continuous improvement, both for its own practices and in assisting those of the other offices with which it interfaces.

University Writing

 

The Office of University Writing collects student information via WCONLINE, a web-based appointment application that has been vetted by Auburn University’s Office of Information Technology. Through this platform, the office collects students’ names, email addresses, programs of study, and ID numbers. Only full-time staff and front desk representatives have access to this information for record keeping purposes. Full-time staff also use this information for assessment purposes to better understand clients and quality of services. Archived versions of student information are housed in a secured Box folder with access granted only to full-time University Writing staff and graduate assistants who work closely with the program.

 

Veterans Resource Center

The Auburn University Veterans Resource Center (VRC) assists veterans, guardsmen, reservists, active duty, survivors, and military dependents receiving federal and state VA education benefits. The VRC maintains various student records to document state and federal Veterans Affairs requirements, eligibility, and academic progress. The VRC is committed to protecting the privacy and security of both student and employee personal information. All data with personal information about an individual is processed and stored securely and confidentially. All electronic workflow processes require authenticated login. Record storage rooms and staff offices are locked and secured daily. All staff with access to electronic and paper records are trained on proper procedures and FERPA regulations.

 

Services Housed in Executive-Level Offices

 

Campus Safety and Security

 

Campus Safety and Security manages a variety of records that may include student information, such as police accident, incident, arrest, and citation reports; security incident reports; and concerns shared via email. Paper copies of these records are maintained in file cabinets in offices that are locked after hours. Digital copies are maintained on a secure network drive that is protected by dual-factor authentication and accessible only to select Campus Safety and Security staff with responsibilities that require access (the leadership team and Clery compliance specialists). Records are shared with others in accordance with an established report-sharing protocol, via a secure network drive, only when there is a business need for access (for example, sharing conduct-related issues with Student Conduct). Any publicly required disclosures, including the daily crime log, timely warning notices, and annual crime statistics, do not contain personally identifiable information.

 

Office of Affirmative Action/Equal Opportunity (AA/EEO) and Title IX

 

The Office of AA/EEO and Title IX serves the campus community in several ways that involve student and/or employee records. As the office responsible for accepting and investigating reports of discrimination and/or harassment based on protected class, the office builds paper and electronic files that include complaint documents, interview notes, evidence gathered (which may include personnel records of employees and/or confidential information provided by students or via Banner), and reports prepared internally, following all university data security policies. The Office of AA/EEO and Title IX also has responsibility for university employee ADA (disability accommodation) records, which must be kept separate from Auburn University Human Resources’ personnel files. These records may include sensitive medical information about employee health conditions. All staff who have access to records have been properly trained on data security and confidentiality.

All AA/EEO and Title IX records are managed primarily on our shared drive and via Box or on Maxient, which require Auburn University Duo Authentication. Paper copies of records are maintained in locked file cabinets in our office, and the keys to the file cabinets are maintained in a separately locked key box in a locked closet in the office. Only departmental employees have access to the key box. Paper files under review by authorized employees are maintained in locked offices. All paper records are scanned, processed, and destroyed based on a schedule in accordance with university records policies.

 

Parking Services

 

Parking Services adheres to Auburn University policies, confidentiality, and FERPA guidelines and takes reasonable steps to ensure that student information is secure. Student information is collected using Banner. Corrected, updated, or removed personal data is only received from Banner. Personal information entered on the Parking Services website, such as phone numbers or addresses, is not saved or stored. The Parking Services website is hosted in a data center that makes use of multiple levels of redundant firewalls and database encryption to protect information. Internally, Parking Services limits access to secure information to those employees or other campus departments who have reasonable need to use the information to provide services or to perform their jobs.

 

University Ombudsperson

 

Pursuant to the International Ombudsman Association Code of Ethics and Standards of Practice as well as the Auburn University Charter of the Office of the Ombudsperson, the Ombudsperson is a confidential resource. The Ombuds does not receive records on behalf of the university and does not retain any records voluntarily given by office visitors. All such records, as well as Ombudsperson notes, are destroyed when the Ombuds no longer has use for them in any particular matter. Notes from open files are kept under lock and key in a file cabinet, which is located in an inner office for which the Ombuds possesses the only key. Generic and anonymous office visitor data are kept in an external database to which the university has no access. Moreover, the Ombuds does not have access to university-maintained FERPA records.

The Ombudsperson offers and maintains confidentiality for all office visitors, subject to the following exceptions: 1) when permission to speak is given by the office visitor; 2) when expressly required by law; 3) when a threat of imminent and extraordinarily serious danger is made; and 4) to defend against a formal claim of malpractice. The Charter of the Ombudsperson mandates that the Ombuds seek protective relief from a court when served with a subpoena to testify or a subpoena duces tecum to produce documents.

Graduate School

 

The Graduate School is responsible for graduate admissions operations, which include the receipt and electronic storage of transcripts, test scores, financial statements, and recommendations. The Graduate School follows all Auburn University data security policies and responds promptly to address any concerns that are identified by university compliance reviews. All staff have received required training regarding data security and confidentiality.

Student records are part of the information processed and analyzed by the Graduate School. Paper records are kept confidential and securely stored in locked offices. Paper records are ultimately scanned, processed, and then destroyed on a regular schedule. Electronic storage and workflow processes are used for admissions operations, requiring authenticated login, to protect sensitive information. The Graduate School works closely with the Office of Information Technology to maintain current best practices in regard to data protection and security.

 

Auburn Global

 

Auburn Global maintains student records in compliance with FERPA. Auburn Global does not share any student education records (as defined under FERPA) with any third party without obtaining a written FERPA waiver from the student. Generally, transfer of information is kept to a minimum, and when necessary, Auburn Global follows the policies and practices for transmitting sensitive information outlined by offices such as the Office of the Registrar and the Office of Information Technology. Only selected Auburn Global staff have access to student information in Banner and AdviseAssist (Auburn’s academic advising platform); Auburn Global instructors use Canvas, Auburn University’s learning management system, to manage their courses and grades. All Auburn Global staff participate in regular FERPA training.

 

Off-Campus Instructional Sites

 

The Mobile Instructional Site for the Harrison College of Pharmacy

 

The Harrison College of Pharmacy utilizes centralized student record keeping. The Associate Dean for Academic Programs (ADAP) and two staff members in Auburn who are responsible for admissions and academic success are the three people with access to the information. If a student or faculty mentor at the Mobile Instructional Site requires access to this information, that request is handled by the office of the ADAP. All information is maintained on Auburn University servers, and all faculty/staff on both campuses complete FERPA training.

Rural Studio

 

Rural Studio manages student records using an approach that mirrors the main Auburn University campus. The same digital access to students’ records is available for employees consistent with the approach used by the university’s main campus. Any other records, such as emergency contact information for students, are kept locked in a filing cabinet in the Morrisette House in the office of the Rural Studio Operations Manager or in password-protected computers.

 

Alabama Prison Arts and Education Project (APAEP)

 

The Alabama Prison Arts + Education Project (APAEP)/Auburn University manages all student records, both hard and soft copies, in compliance with FERPA guidelines. The hard copies are maintained in locked file cabinets in an area that is also locked after hours and accessed only by members of the APAEP/Auburn University administrative staff and housekeeping staff. The soft copies are maintained and secured electronically on university servers. APAEP/Auburn University staff determine who can gain access to those records and are responsible for managing the database. Select information in these files is temporarily and securely shared with the Office of Admissions, Office of the Registrar, Office of Information Technology, University Library Systems, Student Financial Services, and other on-campus units as determined necessary. APAEP/Auburn University administrative staff request that all student Banner and directory files be made confidential or unavailable through external searches in compliance with Alabama Department of Corrections (ADOC) privacy requirements. All APAEP/Auburn University faculty, instructors, staff, tutors, study hall monitors, and student employees are trained in FERPA and ADOC confidentiality prior to working at the Staton Correctional Facility site.

Data Security and Instructional Technologies

Auburn University uses Canvas as its Learning Management System (LMS). Canvas has access to name, email, Banner ID, and course enrollment data through Banner. It may contain FERPA-protected submissions and grades, depending on the course. The middleware between Banner and Canvas is Ellucian’s Intelligent Learning Platform (ILP). This vetted product is supported by the Office of Information Technology. Canvas also has third-party integrations, which are vetted as separate programs before installation. Student enrollment and faculty assignments are synced from Banner via ILP. Any additional access requires approval from a department chair/head or above. Staff responsible for the administration of Canvas adhere to the Office of Information Technology’s vetting processes and maintain an additional document of Canvas-specific vetting information. Access to Canvas and other campus-supported instructional technologies, such as Panopto, Zoom, and Qualtrics, is placed behind Single Sign-On through Auburn’s AUthenticate. Seeking continuous improvement in data security, Auburn University continues to promote Single Sign-On for all instructional technologies and to implement multi-factor authentication when appropriate. Administrators actively encourage faculty to use only these supported technologies to better protect student data.

Maintenance of Security Measures

Employees are educated on their role in compliance and protecting student records. Auburn University’s Office of Information Technology has implemented annual, mandatory cybersecurity awareness training required of all employees [21]. Employees are required to complete an online training module once per year. The Auburn University Security Operations Center (SOC) has developed a detailed “playbook” for responding to cybersecurity incidents and has established operational actions to respond to potential threats.

Auburn University maintains a Data Governance structure to ensure that the storage and use of institutional data are compliant with university policies and other applicable policies [9]. The institution has developed roles to assist in carrying out data-related policies:

  • Data Owner is a role held by executive-level positions with overall responsibility for data within their respective units.
  • Data Stewards are responsible for approving access to sensitive or restricted data within their data domain.
  • Data Custodians are authorized by Data Owners to grant access to data within the Steward’s data domain.

 

Likewise, the institution has established committees to develop and guide implementation of data governance measures.

 

  • The Data Governance Committee is a decision-making body that develops, implements, maintains, and supports policies and procedures related to governance of Auburn University data. It is charged with recommending policies, procedures, and best practices to university leadership that will support the management of Auburn University data as a protected and valuable asset. The committee is composed of members from each of the main functional areas (Student Records, Finance, Human Resources, Development, and Research).
  • The Banner Oversight Committee provides review and direction for the entire Banner system and interacts as needed with the modular steering teams. Banner Oversight reviews requests for major system changes; plans for and coordinates significant changes to all instances of Banner (including upgrades); manages high-level operations requests; and generally keeps each of the Banner system areas aware of significant issues. Membership includes representatives from each of the Banner areas (Student Records, Admission, Financial Aid, Human Resources, and Finance) and technical areas (i.e., Database Administration, BDMS, Meta-directory, Xtender).

 

These committees play complementary roles in creating, managing, and promoting a common understanding of the institution’s administrative data. They work in conjunction with the university’s Office of Information Technology and Chief Information Officer to establish and maintain strong data governance processes, manage data as an important asset, and increase data literacy in the consumption of data for decision making.

 

Data Backup, Continuity, and Recovery

Tivoli Storage Manager (TSM) or Veeam backups are scheduled to run nightly on all production systems and are encrypted. Additional file replications, file copies, snapshots, and the like are performed according to the defined backup schedule and application-specific needs as defined by the service owner. The frequency of additional application-specific snapshots and replications is determined by the service or application owner. Manual snapshots are taken before system upgrades to provide instant rollback capability, which can be part of a backout plan; this process is a requirement of Auburn University’s change control process. Infrastructure-critical systems are implemented in a redundant, failover configuration. This is also the case with business-critical systems when it is possible. This allows for greater fault tolerance, live failover, and in many cases, non-disruptive patching and maintenance.

All recovery methods are tested quarterly. Random selections are made from business-critical systems for restore verification. The results of recovery tests are documented and stored with backup system Standard Operating Procedures. System- and application-specific failover and recovery tests are performed and coordinated with the system, service, or application owner. TSM users are notified by email on a failed backup. TSM endpoint recovery must be verified by the user or local endpoint manager.

 

Responding to Security Breaches

Information Security Incident Response Team (ISIRT). Two groups comprise the ISIRT. The Incident Response Planning Group is responsible for advising on planning, process, and preparation. This group ensures that all team members understand their responsibilities and the incident response processes. The Incident Response Operations Team executes incident response processes as required. The team conducts the initial assessment of an issue, investigates and mitigates it, and prepares the “After Action Report,” which includes process changes and lessons learned.

The ISIRT core membership is composed of leaders from a variety of fields across the organization including

  • Chief Information Security Officer
  • Chief Information Officer
  • Director, Institutional Compliance & Privacy
  • Representative of the Office of the General Counsel
  • Representative of the Office of Communications and Marketing
  • Associate Vice President, Human Resources (if staff or faculty issues)
  • Senior Vice President for Student Affairs (if student issues)
  • Unit Head (if unit-specific issues)

Subject matter experts and others are added as necessary.

 

Conclusion

 

As illustrated above, Auburn University has adopted and enforces a number of policies and procedures to guarantee the security, confidentiality, and integrity of student records in compliance with all applicable state and federal laws and regulations, as well as its own institutional policies and procedures. This effort is coordinated by several key offices, including the Office of the Registrar, the Office of Information Technology, and the Office of Audit, Compliance & Privacy. Compliance is maintained through proactive training efforts, audits, and evaluation of existing policies, procedures, and systems to ensure continued efficacy and compliance with new and changing laws and regulations.