Life University bases its policies and procedures for maintaining the security, confidentiality, and integrity of its student records on Federal requirements specified by the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). Further, the University adheres to guidelines recommended by the American Association of Collegiate Registrars & Admissions (AACRAO), the professional association encouraging best practices in such areas as enrollment management, information technology, instructional management, and student services. Student records are retained and maintained based on AACRAO’s guidelines (published in 2000) Retention of Records. Student records are maintained in both paper and electronic form (older records are available on microfiche). The institution maintains electronic student records via Datatel’s “Colleague”. Access to the electronic records is restricted and password protected including a forced, “login timeout” feature for any inactive users. Security class setup for screen access restricts employees to their specialized areas within the system including general access to date of birth and social security numbers which has been restricted to active personnel with “need-to-know” designated by job description. The user / security level list is generated by the Registrar’s Office for access to student information and is maintained by the Information Technology department personnel. In order to ensure confidentiality of both student and administrative information, the institution maintains separate server access and security for both student and administrative servers. The University controls access to student academic records in order to protect students’ information. Limited access to these records is maintained by controlled access to student data. Access to such data is permitted by security classifications. These classifications are implemented to govern which employee is designated to input data and modify data in each student’s academic record. Student social security numbers are masked (hidden) by the software system. Restricting access to these social security numbers is one of the University’s highest priorities. Access to such numbers is only given to employees with a demonstrated “need to know”. Social Security numbers are used for Admissions and Human Resources in order to enroll in the University and/or become and employee. Financial Aid and Finance department personnel have limited access to these numbers in order to comply with federal government regulations regarding taxes and other reporting guidelines. All information contained in each student’s academic record is considered confidential. Only designated employees are granted access to such record in regards to grades, course schedules, and personal information. Each student’s record is monitored in order to protect the integrity of such record. Security of Data Special security measures are taken to protect and back up the University’s data. The University’s data is secured on servers that are protected by the campus firewall. Colleague generates student’s user names and passwords in order to maintain controlled access to the University’s servers. The user names and passwords are used for Web Advisor, Blackboard, and student email access. The system administrator controls all other access to the University’s servers. Each employee is given a security class in order to limit their access to only the information that applies to their job function. Department managers in accordance with recommendations from Datatel develop all of the security classes designated to employees and work-study students. Each department manager requests new user access for new employees from the Colleague Administrator. The application Server, Database Server, and SQL Server authenticate logins and passwords. User names and passwords are disabled upon termination from employment. The Guest account access is disabled on all servers in order to maintain secure access to permitted users only. Data Backup Electronic data backups are performed daily and kept on server storage both on-site as well as off-site. The University utilizes an off-site backup operation where the backups are done and stored at a certified data center. The Back Up server is a designated server that backs up all databases and servers related and affiliated to the University’s Colleague system. The data is backed up nightly with an incremental copy. The secondary back-up for Colleague is software takes snapshots of all Colleague data nightly. Blackboard and the email server are backed up nightly with a full copy of all data. All other databases and servers are backed up nightly with full copies of all data. All paper records are maintained in locked facilities. The oldest Registrar’s records are kept off-site in a facility named Iron Mountain. Records kept at Iron Mountain are retrievable following the records retrieval process maintained in the Registrar’s Office. Recent archives are on campus in a locked facility with limited key access. The active records are kept in fireproof file cabinets on-site either within the Admission or Registrar’s Offices for secure access. The Registrar’s office is in the process of digitizing the student records beginning with the current students. Lexmark International, Perceptive Software’s ImageNow product. When the existing data is scanned and entered in the system, the paper copies are destroyed. The same security rules for Colleague system applies to ImageNow system as well. The data is stored in the cloud and hosted and secured by the vendor. All Registrar personnel, including work-studies, undergo FERPA in-service training as well as instruction concerning the importance of student record confidentiality. Each Registrar employee upon hiring also signs a confidentiality form. Upon termination or resignation, keys are collected and computer access is inactivated. FERPA policies are available in the Life University Catalog (p. 110), Student Handbook (p. 132), and Academic Quarterly (p.28).