The University and its officials have a responsibility to protect confidential information about students and employees. Faculty, who have access to legally protected information about students, share in this responsibility. This outline will list and briefly describe the laws and policies established to define protected information and suggest some practices for faculty to carry out their responsibilities in this area.

The discussion of laws and policies in this outline is by no means complete, but is intended as a summary of provisions useful to faculty at . It is based upon the best understanding of the laws and policies by University staff; the laws and policies supersede any incorrect information in this outline.

Why is this important?

Releasing protected information can result in embarrassment, identity theft, and potentially legal liability for faculty and the University.

On March 27, 2003, Chancellor Charles Reed issued a memorandum that:
- Expresses concern over the privacy of confidential student and employee data.
- Requires the certification and approval of persons requiring access.
- Requires the signing of a Confidential Information System Access Agreement.
- Requires periodic audits.
- Announces that PeopleSoft and will be identifying and implementing solutions.

Faculty and staff who violate the laws, regulations, or policies concerning the privacy of information are subject to sanctions or to disciplinary action, up to and including termination.

What laws and policies cover this subject?

The list below is not exhaustive, but addresses the laws and policies most critical to faculty:
- The Identity Theft and Assumption Deterrence Act of 1998 (18 U.S.C. 1028) makes identity theft a federal crime.
- Wayne Shredding Bill (State Civil Code 1798.80-82) requires that sensitive information be unreadable before disposing of either electronic or paper documents.
- Family Educational Rights and Privacy Act (FERPA)
- State Information Practices Act of 1977
- Title 5, California Code of Regulations
- Information Security Policy
- CENIC/DCP Acceptable Use Policy
- State Administrative Manual

Family Educational Rights and Privacy Act (FERPA)

The law defines several types of information:
- Directory information is public unless student has requested that it not be disclosed.
- Education records may be disclosed only to certain individuals and agencies without the student's permission.
- Sole possession notes are made by one person as an individual observation or recollection, are kept in the possession of the maker, and are shared with no one but a temporary substitute. Instructional and supervisory notes are an excellent example of sole possession notes.

Directory information is defined by the university within the law's limits. Typical information includes (the following is NOT comprehensive):
- Name
- Class level (freshman, graduate student)
- Degree type and date
- Dates of attendance
- Honors
- E-mail address

Directory information may NOT include:
- Social Security Number or student identification number
- Race or gender
- Grades or GPA
- Country of citizenship
- Religion

Admissions and Records keeps records of student requests for non-disclosure, and faculty have no easy way to know whether a request not to disclose directory information has been made.

Education records are those records directly related to a student and maintained by the university or by a party acting for it. Education records are NOT sole possession records, law enforcement unit records, employment records, medical records, or post-attendance records.

Students of federally funded universities have the right to inspect, review, and seek correction of their education records.
Students reviewing their records do not have access to parts of records containing information about other students.

Except as provided in the law, education records may not be released without the student's explicit, written permission. Student permission to release education records generally applies to the specific recipient, purpose, and release period. Most of the exceptions in the law allowing release of records without student permission apply to common actions of administrative offices (Admissions and Records, Financial Aid, etc.) only.

School officials may obtain education record information, provided that they have a legitimate educational interest. Faculty are school officials. Note that both tests are important:
- Status as a school official, and
- Legitimate educational interest in the specific record.

Information Practices Act

Each Campus and the Chancellor's Office have the legal responsibility to administer and comply with provisions of the State Information Practices Act of 1977. The law imposes specific requirements on state agencies relating to the collection, use, maintenance, and dissemination of information relating to individuals. Careless, accidental, or intentional disclosure of information to unauthorized persons may result in disciplinary action against the responsible individual and civil action against .

1798.1 The Legislature declares that the right to privacy is a personal and fundamental right protected by Section 1 of Article I of the California Constitution and by the United States Constitution. ... the maintenance and dissemination of personal information (must) be subject to strict limits.

Personal Information is information that identifies or describes an individual, including name, social security number, physical description, home address and telephone number, education, financial matters, medical or employment history, and statements made by or attributed to the individual.

1798.20.
Rules of conduct shall be established for people involved in the design, development, operation, disclosure, or maintenance of records containing personal information. People involved in the design, development, operation, disclosure, and maintenance of records containing personal information shall be instructed about the rules of conduct governing these activities, as well as the remedies and penalties for non-compliance.

Except as authorized by statute, no agency (or individual associated with the agency) may disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains.

Title 5, California Code of Regulations

- Personal Information should not be collected unless the need for it has been clearly established in advance.
- Personal information should be appropriate and relevant to the purpose for which it has been collected.
- Personal Information should not be transferred outside unless such transfer is compatible with the disclosed purpose for which it was collected.
- Personal Information should be used as a basis for a decision only when it is accurate and relevant.
- Precautions should be taken to prevent the unauthorized access to or use of personal information retained by .

Information Security Policy

It is the policy of the that all campuses and the Office of the Chancellor comply with applicable State and Federal laws regarding data security and privacy.

The unauthorized modification, deletion, or disclosure of information included in data files and data bases violates privacy rights and possibly constitutes criminal acts and is expressly forbidden. This applies to all students, faculty, and staff with access to this data.

This policy applies to all data systems and equipment containing private, confidential, or mission critical data.
Each campus must develop and maintain a written set of security policies and procedures that implement information security, confidentiality practices, and end user responsibilities. The policies and procedures of each campus must provide for:
- Use of resources for authorized, sanctioned, and approved activities only and sanctions for policy violations.
- Individual unique user ID/passwords.
- Access privileges controlled on a need to know basis.
- Password security requirements.
- Appropriate protections for remote-access systems and applications.
- Granting, reviewing, and removing access, as necessary and appropriate.

CENIC/DCP Acceptable Use Policy

The Corporation for Education Network Initiatives in California (CENIC) administers the Internet service used by the University. Any computer traffic that leaves the campus (web traffic, e-mail, or other) travels on CENIC's systems.

The goal of the CENIC/DCP Acceptable Use Policy is to ensure that all uses are consistent with the stated purpose, mission, and goals. Member institutions are expected to honor the rights of other users, respect the integrity of the systems and related physical resources, and observe relevant laws, regulations, and contractual obligations.

Information resources accessed or delivered through CENIC will be used by members of its community with respect for the public trust and academic freedom, and in accordance with policy and regulations established by , the State of California, and . Member institutions and their users follow normal standards of security, ethics, conduct, and protocol when using CENIC.

Minimum standards of security, ethics, conduct, and protocol include:
- Respect for the privacy of other users. Users shall not seek information on, obtain copies of, or modify files, data, or passwords of other users unless explicitly authorized to do so.
- Respect for copyright and license agreements
- Respect for the integrity of computing systems. Users shall not develop programs that harass other users or infiltrate or damage other computers or systems.

Information on general acceptable uses and unacceptable uses of CENIC can be found on pages 11 and 12 of this material.

State Administrative Manual

The State Administrative Manual, in Sections 4841.6 and 4841.7, outlines responsibilities for the custodians and users of information. These include:
- using information assets only for state purposes;
- complying with applicable law and administrative policy as well as any additional security policies and procedures established by the owner of the automated information and the agency Information Security Officer;
- advising the owner of the information and the ISO of vulnerabilities that may present a threat to the information, as well as means to thwart that threat; and
- notifying the owner of the information and the ISO of any actual or attempted violations of security policies, practices, or procedures.

Excerpts of Laws and Regulations Concerning Privacy of Data

Family Educational Rights and Privacy Act

20 USC S. 1232g

1232g. Family educational and privacy rights

(a) Conditions for availability of funds to educational agencies or institutions; inspection and review of education records; specific information to be made available; procedure for access to education records; reasonableness of time for such access; hearings; written explanations by parents; definitions.

(1) (A) No funds shall be made available under any applicable program to any educational agency or institution which has a policy of denying, or which effectively prevents, the parents of students who are or have been in attendance at a school of such agency or at such institution, as the case may be, the right to inspect and review the education records of their children.
If any material or document in the education record of a student includes information on more than one student, the parents of one of such students shall have the right to inspect and review only such part of such material or document as relates to such student or to be informed of the specific information contained in such part of such material. Each educational agency or institution shall establish appropriate procedures for the granting of a request by parents for access to the education records of their children within a reasonable period of time, but in no case more than forty-five days after the request has been made. (B) The first sentence of subparagraph (A) shall not operate to make available to students in institutions of postsecondary education the following materials: (i) financial records of the parents of the student or any information contained therein; (ii) confidential letters and statements of recommendation, which were placed in the education records prior to January 1, 1975, if such letters or statements are not used for purposes other than those for which they were specifically intended; (iii) if the student has signed a waiver of the student's right of access under this subsection in accordance with subparagraph (C), confidential recommendations-- (I) respecting admission to any educational agency or institution, (II) respecting an application for employment, and (III) respecting the receipt of an honor or honorary recognition. (C) A student or a person applying for admission may waive his right of access to confidential statements described in clause (iii) of subparagraph (B), except that such waiver shall apply to recommendations only if (i) the student is, upon request, notified of the names of all persons making confidential recommendations and (ii) such recommendations are used solely for the purpose for which they were specifically intended. 
Such waivers may not be required as a condition for admission to, receipt of financial aid from, or receipt of any other services or benefits from such agency or institution. (2) No funds shall be made available under any applicable program to any educational agency or institution unless the parents of students who are or have been in attendance at a school of such agency or at such institution are provided an opportunity for a hearing by such agency or institution, in accordance with regulations of the Secretary, to challenge the content of such student's education records, in order to insure that the records are not inaccurate, misleading, or otherwise in violation of the privacy or other rights of students, and to provide an opportunity for the correction or deletion of any such inaccurate, misleading, or otherwise inappropriate data contained therein and to insert into such records a written explanation of the parents respecting the content of such records. (3) For the purposes of this section the term "educational agency or institution" means any public or private agency or institution which is the recipient of funds under any applicable program. (4) (A) For the purposes of this section, the term "education records" means, except as may be provided otherwise in subparagraph (B), those records, files, documents, and other materials which-- (i) contain information directly related to a student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution. 
(B) The term "education records" does not include-- (i) records of instructional, supervisory, and administrative personnel and educational personnel ancillary thereto which are in the sole possession of the maker thereof and which are not accessible or revealed to any other person except a substitute; (ii) records maintained by a law enforcement unit of the educational agency or institution that were created by that law enforcement unit for the purpose of law enforcement. (iii) in the case of persons who are employed by an educational agency or institution but who are not in attendance at such agency or institution, records made and maintained in the normal course of business which relate exclusively to such person in that person's capacity as an employee and are not available for use for any other purpose; or (iv) records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student's choice. (5) (A) For the purposes of this section the term "directory information" relating to a student includes the following: the student's name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student. 
(B) Any educational agency or institution making public directory information shall give public notice of the categories of information which it has designated as such information with respect to each student attending the institution or agency and shall allow a reasonable period of time after such notice has been given for a parent to inform the institution or agency that any or all of the information designated should not be released without the parent's prior consent. (6) For the purposes of this section, the term "student" includes any person with respect to whom an educational agency or institution maintains education records or personally identifiable information, but does not include a person who has not been in attendance at such agency or institution. (b) Release of education records; parental consent requirement; exceptions; compliance with judicial orders and subpoenas; audit and evaluation of Federally-supported education programs; recordkeeping. (1) No funds shall be made available under any applicable program to any educational agency or institution which has a policy or practice of permitting the release of educational records (or personally identifiable information contained therein other than directory information, as defined in paragraph (5) of subsection (a)) of students without the written consent of their parents to any individual, agency, or organization, other than to the following-- (A) other school officials, including teachers within the educational institution or local educational agency, who have been determined by such agency or institution to have legitimate educational interests; (B) officials of other schools or school systems in which the student seeks or intends to enroll, upon condition that the student's parents be notified of the transfer, receive a copy of the record if desired, and have an opportunity for a hearing to challenge the content of the record; (C) authorized representatives of (i) the Comptroller General of the 
United States, (ii) the Secretary, (iii) an administrative head of an educational agency (as defined in section 408(c)), or (iv) State educational authorities, under the conditions set forth in paragraph (3) of this subsection; (D) in connection with a student's application for, or receipt of, financial aid; (E) State and local officials or authorities to whom such information is specifically required to be reported or disclosed pursuant to State statute adopted prior to November 19, 1974; (F) organizations conducting studies for, or on behalf of, educational agencies or institutions for the purpose of developing, validating, or administering predictive tests, administering student aid programs, and improving instruction, if such studies are conducted in such a manner as will not permit the personal identification of students and their parents by persons other than representatives of such organizations and such information will be destroyed when no longer needed for the purpose for which it is conducted; (G) accrediting organizations in order to carry out their accrediting functions; (H) parents of a dependent student of such parents, as defined in section 152 of the Internal Revenue Code of 1954; and (I) subject to regulations of the Secretary, in connection with an emergency, appropriate persons if the knowledge of such information is necessary to protect the health or safety of the student or other persons. Nothing in clause (E) of this paragraph shall prevent a State from further limiting the number or type of State or local officials who will continue to have access thereunder.
(2) No funds shall be made available under any applicable program to any educational agency or institution which has a policy or practice of releasing, or providing access to, any personally identifiable information in education records other than directory information, or as is permitted under paragraph (1) of this subsection unless-- (A) there is written consent from the student's parents specifying records to be released, the reasons for such release, and to whom, and with a copy of the records to be released to the student's parents and the student if desired by the parents, or (B) such information is furnished in compliance with judicial order, or pursuant to any lawfully issued subpoena, upon condition that parents and the students are notified of all such orders or subpoenas in advance of the compliance therewith by the educational institution or agency. (3) Nothing contained in this section shall preclude authorized representatives of (A) the Comptroller General of the United States, (B) the Secretary, (C) an administrative head of an education agency or (D) State educational authorities from having access to student or other records which may be necessary in connection with the audit and evaluation of Federally-supported education program, or in connection with the enforcement of the Federal legal requirements which relate to such programs: Provided, That except when collection of personally identifiable information is specifically authorized by Federal law, any data collected by such officials shall be protected in a manner which will not permit the personal identification of students and their parents by other than those officials, and such personally identifiable data shall be destroyed when no longer needed for such audit, evaluation, and enforcement of Federal legal requirements. 
(4) (A) Each educational agency or institution shall maintain a record, kept with the education records of each student, which will indicate all individuals (other than those specified in paragraph (1)(A) of this subsection), agencies, or organizations which have requested or obtained access to a student's education records maintained by such educational agency or institution, and which will indicate specifically the legitimate interest that each such person, agency, or organization has in obtaining this information. Such record of access shall be available only to parents, to the school official and his assistants who are responsible for the custody of such records, and to persons or organizations authorized in, and under the conditions of, clauses (A) and (C) of paragraph (1) as a means of auditing the operation of the system. (B) With respect to this subsection, personal information shall only be transferred to a third party on the condition that such party will not permit any other party to have access to such information without the written consent of the parents of the student. (5) Nothing in this section shall be construed to prohibit State and local educational officials from having access to student or other records which may be necessary in connection with the audit and evaluation of any federally or State supported education program or in connection with the enforcement of the Federal legal requirements which relate to any such program, subject to the conditions specified in the proviso in paragraph (3). (6) Nothing in this section shall be construed to prohibit an institution of postsecondary education from disclosing, to an alleged victim of any crime of violence (as that term is defined in section 16 of title 18, United States Code), the results of any disciplinary proceeding conducted by such institution against the alleged perpetrator of such crime with respect to such crime. (c) Surveys or data-gathering activities; regulations. 
The Secretary shall adopt appropriate regulations to protect the rights of privacy of students and their families in connection with any surveys or data-gathering activities conducted, assisted, or authorized by the Secretary or an administrative head of an education agency. Regulations established under this subsection shall include provisions controlling the use, dissemination, and protection of such data. No survey or data-gathering activities shall be conducted by the Secretary, or an administrative head of an education agency under an applicable program, unless such activities are authorized by law. (d) Students' rather than parents' permission or consent. For the purposes of this section, whenever a student has attained eighteen years of age, or is attending an institution of postsecondary education the permission or consent required of and the rights accorded to the parents of the student shall thereafter only be required of and accorded to the student. (e) Informing parents or students of rights under this section. No funds shall be made available under any applicable program to any educational agency or institution unless such agency or institution informs the parents of students, or the students, if they are eighteen years of age or older, or are attending an institution of postsecondary education, of the rights accorded them by this section. (f) Enforcement; termination of assistance. The Secretary, or an administrative head of an education agency, shall take appropriate actions to enforce provisions of this section and to deal with violations of this section, according to the provisions of this Act, except that action to terminate assistance may be taken only if the Secretary finds there has been a failure to comply with the provisions of this section, and he has determined that compliance cannot be secured by voluntary means. (g) Office and review board; creation; functions. 
The Secretary shall establish or designate an office and review board within the Department of Health, Education, and Welfare for the purpose of investigating, processing, reviewing, and adjudicating violations of the provisions of this section and complaints which may be filed concerning alleged violations of this section. Except for the conduct of hearings, none of the functions of the Secretary under this section shall be carried out in any of the regional offices of such Department.

INFORMATION PRACTICES ACT OF 1977

The Information Practices Act, Section 1798 of the California Civil Code, places specific requirements on state agencies in relation to the collection, use, maintenance and dissemination of information relating to individuals. Careless, accidental or intentional disclosure of information to unauthorized persons can have far-reaching effects, which may result in disciplinary action against those involved in unauthorized disclosure (Section 1798.55) and civil action against the with a right to be awarded reasonable attorney's fees, if successful. For reference, the following summary of relevant provisions is provided:

Article 1: General Provisions and Legislative Findings

1798.1 The Legislature declares that the right to privacy is a personal and fundamental right protected by Section 1 of Article I of the Constitution of California and by the United States Constitution and that all individuals have a right of privacy in information pertaining to them. The Legislature further makes the following findings:

a) The right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies.

b) The increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information.
c) In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits.

Article 2: Definitions

1798.3. As used in this chapter:

a) The term "personal information" means any information that is maintained by an agency that identifies or describes an individual, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual.

c) The term "disclose" means to disclose, release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity.

Article 5: Agency Requirements

1798.20. Each agency shall establish rules of conduct for persons involved in the design, development, operation, disclosure, or maintenance of records containing personal information and instruct each such person with respect to such rules and the requirements of this chapter, including any other rules and procedures adopted pursuant to this chapter and the remedies and penalties for noncompliance.

1798.21. Each agency shall establish appropriate and reasonable administrative, technical, and physical safeguards to ensure compliance with the provisions of this chapter, to ensure the security and confidentiality of records, and to protect against anticipated threats or hazards to their security or integrity which could result in any injury.

Article 6: Conditions Of Disclosure

1798.24. No agency may disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains... [Exceptions to this rule are listed in the statute.]

Article 10: Penalties

1798.55.
The intentional violation of any provision of this chapter or any rules or regulations adopted thereunder, by an officer or employee of any agency shall constitute a cause for discipline, including termination of employment. (Emphasis added.)

1798.56. Any person who willfully requests or obtains any record containing personal information from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than five thousand dollars ($5,000), or imprisoned not more than one year, or both.

TITLE 5, CALIFORNIA CODE OF REGULATIONS

Sections 42396 through 42396.5 of Title 5 of the California Code of Regulations address privacy and the principles of personal information management applicable to the California State University. Title 5 can be found on the Web at: http://ccr.oal.ca.gov/. For reference, the following summary is provided:

42396.2 Principles of Personal Information Management. The following principles of personal information management shall be implemented within The California State University:
- There should be no personal information system the existence of which is secret.
- Personal information should not be collected unless the need for it has been clearly established in advance.
- Personal information should be appropriate and relevant to the purpose for which it has been collected.
- Personal information should not be transferred outside The California State University unless the transfer is compatible with the disclosed purpose for which it was collected. (Emphasis added.)
- Personal information should be used as a basis for a decision only when it is accurate and relevant.
- There should be procedures established by which a person may learn what personal information about him or her has been retained by The California State University and where lawful, have those records disclosed to him or her, pursuant to the provisions of this Article.
There should be established within The California State University procedures by which a person may request in writing addition to or deletion of personal information about himself or herself which does not meet the principles in this section. Such requests should be honored within a reasonable length of time or the person should be permitted to file a concise statement of dispute regarding the personal information which shall become a permanent part of the record, or, the disputed personal information should be destroyed. Precautions should be taken to prevent the unauthorized access to or use of personal information retained by The California State University. These principles shall be construed and implemented so as to be consistent with all federal and state laws otherwise regulating or allowing for the use of personal information, including but not limited to Education Code Section 89546 relating to employee records. (Emphasis added.) INFORMATION SECURITY POLICY OVERVIEW The Board of Trustees (BOT) of the California State University () is responsible for protecting the confidentiality of information in the custody of the ; the security of the equipment where this information is processed and maintained; and, the related privacy rights of the students, faculty and staff concerning this information. It is also the collective responsibility of the , its executives and managers to insure: the integrity of the data; the maintenance and currency of the applications; the preservation of the information in case of natural or man-made disasters; and, compliance with Federal and State regulations, including intellectual property and copyright. This policy applies to all students, faculty and staff, consultants employed by the or any other person having access to information technology resources. 
The unauthorized modification, deletion, or disclosure of information included in data files and data bases can compromise the integrity of programs, violate individual privacy rights and possibly constitute a criminal act, and is expressly forbidden.

This responsibility is delegated to the campus Presidents in accordance with policies. It is anticipated that the President will assign most or all of the responsibility for policy enforcement to the CIO/ITAC Designee. Therefore, the ITAC designee should keep the President informed of any changes of security and confidentiality procedures affecting the campus information technology environment.

However, this policy is not limited to those systems and equipment operated and maintained by the central Information Technology organization. It applies to all data systems and equipment on campus that contain data deemed private or confidential and/or which contain mission critical data, including departmental, divisional and other ancillary systems and equipment.

SECURITY PROCEDURES

Each campus and the Chancellor's Office must develop and maintain a written set of security policies and procedures that at a minimum implement information security, confidentiality practices consistent with these policies, and end-user responsibilities for the physical security of the equipment and the appropriate use of hardware, software and network facilities.

SECURITY POLICIES

It is the policy of the that all computer equipment, hardware and software be physically secure. Campuses must have plans and procedures for data centers and shared computing environment that insure, where appropriate:

- Protection against natural/accidental disasters.
- Protection against intentional disasters.

It is the policy of the that Data (Information) be secure. Campus plans must include, where appropriate:

- Definitions and Descriptions of:
  - Critical applications (as defined in the State Administrative Manual).
  - Critical information.
  - Other critical resources.
- Procedures for:
  - The implementation of cost/effective data security systems (RACF, firewalls, routers, etc.).
  - Insuring the confidentiality and security of all information deemed confidential and private
  - Backup and off-site storage of mission critical data
- Required Security Measures which include
  - Protection against known vulnerabilities.
  - Testing of security procedures in data centers and shared computing environments.
  - Organization and administration.
  - Control of operating system software.
  - Control of application software and data.
  - Control of Transaction systems.
  - Control of Database systems.
  - Control of magnetic media storage in data centers and shared computing environments
- Guidelines for System Design:
  - Completeness of data.
  - Integrity of data.
  - Accuracy of data.
  - Audit trails of critical data changes (grade changes, residency determination, etc.).

It is the policy of the that all campuses have appropriate personnel policies and procedures relative to employees who have physical or virtual access to information technology equipment or the data residing therein. These policies and procedures should provide for:

- Use of resources for authorized, sanctioned and approved activities only and sanctions for policy violations.
- Individual unique user ID/passwords (no shared IDs).
- Access privileges controlled on a need to know basis (files, records, data elements, data bases, applications, screens, terminals, etc.).
- Password Security Requirements
- Appropriate protections for systems and applications accessible by remote access and/or dial up modem.
- Assignment of responsibilities (access privileges granted)
- Reassignment of responsibilities (access privileges reviewed).
- Termination of employment (access privileges removed).

It is the policy of the that all campuses and the Office of the Chancellor comply with applicable State and Federal laws regarding data security and privacy.
The Corporation for Education Network Initiatives in California (CENIC) and Digital California Project (DCP) Acceptable Use Policy

The full Acceptable Use Policy is available at http://www.cenic.org/downloads/pmo/AUP1.pdf.

Introduction: One of the goals of CENIC, through the DCP, is to provide K-12 schools, school districts and county offices of education and other institutions with access to a high-speed backbone network infrastructure that interconnects those sites with each other and to information and communication resources worldwide. The intent of the DCP Acceptable Use Policy (AUP) is to ensure that all uses are consistent with DCP's status purpose, mission, and goals. The AUP does not articulate all required or proscribed behavior by DCP participants, but it provides a framework of appropriate use within which users are required to honor the rights of other users, respect the integrity of the systems and related physical resources, and observe relevant laws, regulations, and contractual obligations. Use of the DCP to access or deliver information resources will respect the principles of public trust and academic freedom, and will comply with policies and regulations established by CENIC and with local, state and federal laws.

General Acceptable Use: Examples of acceptable use include, but are not limited to, the following:

- Activities that are part of the support infrastructure needed for instruction, scholarship and institutional management
- Instructional applications engaged in by students, faculty and staff.
- Communication and exchange for professional development, to maintain currency, or to debate issues in a field or sub-field of knowledge.
- Subject matters/discipline associations, government-advisory, or standard activities related to the user's research, instructional and/or administrative activities.
- Applying for or administering grants or contracts
- Announcements of new products or services used in instruction and institutional research.
- Access to information resources, computers, and people throughout the world.
- Interaction with students, faculty, and staff
- Access to libraries, information resources, databases, and news
- Importation of licensed software or other copyrighted materials for fair use or with permission.
- Administrative, academic, and research-related discussion groups.
- E-commerce activities in support of the administrative and academic programs of participant institutions.

Unacceptable Uses: Examples of unacceptable uses include, but are not limited to, the following:

- Any illegal use of DCP, or use in support of illegal activities. Illegal use shall be defined as use that violates local, state and/or federal law. stalking others, transmitting or originating any unlawful, fraudulent or defamatory communications, transmitting copyrighted material beyond the scope of fair use without permission of the copyright owner, or any communications where the message or its transmission or distribution, would constitute or would encourage conduct that is a criminal offense.
- Activities that interfere with or disrupt network users, services, or equipment. distribution of unsolicited advertising or mass mailings; spamming; propagation of computer worms or viruses; and using DCP to make or attempt to make unauthorized entry to other computational, informational or communications devices or resources.
- Use in furtherance of profit-making activities (consulting for pay, sales or distribution of commercial products or services for profit, etc.) or use by for-profit companies, unless specifically authorized by the DCP Program Steering Committee and CENIC Board of Directors.
- Use in support of partisan political activities.
- Use for private or personal activities that exceed DCP related research, instruction, or administrative applications, or when there is personal monetary gain.

State Administrative Manual

4841.6 RESPONSIBILITY OF CUSTODIANS OF INFORMATION

The responsibilities of a custodian of an automated file or database consist of:

- Complying with applicable law and administrative policy;
- Complying with any additional security policies and procedures established by the owner of the automated information and the agency Information Security Officer;
- Advising the owner of the information and the agency Information Security Officer of vulnerabilities that may present a threat to the information and of specific means of protecting that information; and
- Notifying the owner of the information and the agency Information Security Officer of any actual or attempted violations of security policies, practices and procedures.

4841.7 RESPONSIBILITY OF USERS OF INFORMATION

The responsibilities of a user of information consist of:

- Using state information assets only for state purposes;
- Complying with applicable laws and administrative policies (including copyright and license requirements), as well as any additional security policies and procedures established by the owner of the information and the agency Information Security Officer; and
- Notifying the owner of the information and the agency Information Security Officer of any actual or attempted violations of security policies, practices and procedures.
Confidential Information: An outline for use by faculty, November 11, 2004

Information Use and Confidentiality Guidelines for Faculty, November 11, 2004

Some suggestions for faculty practices under FERPA

Posting or release of grades

Posting of grades, such as on an office door, whether with directory information (name) or education record identifiers (Social Security Number or student identification number) where they can be seen by those other than the student or a school official with a legitimate educational interest violates FERPA. Some solutions: (a) agreeing upon code numbers or words known only to the individual student and the faculty member, (b) mailing grades in a sealed envelope, or (c) informing students of the day that you will be entering grades into PeopleSoft and reminding them that they can retrieve their own grade information over the Internet.

When returning tests or papers in class, take common sense precautions to ensure privacy of the grade information.

Do not leave final papers or exams in a box outside your office door. This not only shares grade information inappropriately, it also opens up the possibility that "A" papers may be stolen and plagiarized by other students. Ask students who want their final papers or exams back to give you a pre-addressed, stamped envelope, or offer to return them during office hours the following semester.

When disposing of papers or exams that students do not wish returned, it's best to shred them. The University has a contract for shredding entire boxes of materials at once; campus General Services can explain the procedures for requesting such shredding.

Class directories

It is common to circulate class directories listing student names and contact information (e.g., e-mail address). Requiring such information to be shared with the class may create conflicts with a student's request to withhold directory information.
If you use such directories, state clearly that, if students have any concerns, they may discuss them with you after class. Consider encouraging the student to use a Yahoo or Hotmail account for the class or other techniques that will permit the student to maintain privacy of this information.

Letters of Recommendation

Letters of recommendation are a part of the student's education record. The student must grant permission for the release of the information from the education record. The letter will be available to the student unless s/he has waived the right of access, in writing. The written request for a letter of recommendation should contain:

- The person/agency to whom the information is to be released.
- The purpose of the letter of recommendation.
- Whether or not the student is waiving his/her right to review a copy of the letter.

Meetings with students

Faculty commonly meet with students in their offices with the door open. During such meetings, incautious conversation about the student's education record, or showing the record in a way that is visible to others, can constitute a prohibited release of the student's education record. Consider the arrangement of the office, the placement of chairs in the hall for students waiting to meet, and other techniques for preserving the student's right to privacy.

Protecting the privacy of your grade book and notes

Generally, your grade book and notes about students are sole possession records. Sharing these notes with another person or placing them where they can be viewed by others makes them education records and available to the student. If you use student graders, have them give you the grading results so that you can enter the information. If you need to discuss student problems with others (e.g., department chair or student discipline staff), do not share your notes directly; rather, summarize the problem.
Employment Contracts

FERPA treats student employment (student assistants, work study trainees, Graduate Assistants, Teaching Associates) as education record information that may not be released without student permission, except to agencies as provided in the law.

Under the Information Practices Act, employment contracts of all other State employees are public record. An individual's name, pay title, time base, dates of employment, and gross pay rate are public record and must be released to any member of the public. Other employment-related information such as net pay or performance information is private and may be released only with written permission from the individual or as provided in law.

Employment verifications beyond confirmation that someone works in a department in a particular pay title should be made by Human Services or Faculty Affairs, the offices that process official appointment status.