The College maintains and protects the confidentiality, integrity and security of its student academic records in accordance with existing state laws, College policy, and the Family Educational Rights and Privacy Act of 1974 (FERPA). Employees sign a “Policies and Procedures Acknowledgment” form indicating their responsibility for reading and following the SCC Policies and Procedures Manual that includes all policies specifically addressing security and confidentiality of records (1). All new full-time employees complete an orientation that includes a training session and a check list for meeting with key College administrators (2, 3). The check list includes conversations with two important contacts: 1 – Vice President for Information Technology and Telecommunications, who discusses with the new employees the computer security policies and their responsibilities in accessing and using the network, databases and systems, and 2 – Dean of Student Services who discusses the Student Records Policy and FERPA and emphasizes the confidentiality of student records.

The College’s Information Technology and Telecommunications Department (IT) maintains the security of the financial and student records databases. In the “Computer Resources, Network Use, and Computer and Network Security” policy (4), security refers to the protection of computer resources from accidental or intentional disclosure, modification, or destruction. The department maintains the highest level of network security to protect the integrity of all files, electronic records and student and financial databases. IT complies with the guidelines, policies, and requirements mandated in the “North Carolina Guidelines for Managing Public Records Produced by Information Technology Systems” policy published by the NC Department of Cultural Resources, Division of Archives and History (5).

The “Computer Resources, Network Use, and Computer and Network Security” policy specifies who has access and defines specific acts and activities that are prohibited. Access to all College information databases is based on an individual’s job responsibilities and access requirements related to the position. Only minimum access rights, necessary for the performance of assigned duties, are granted. User access is reviewed periodically to guard against unauthorized access and security violations. All College employees requesting access to the College’s network and systems and to the financial and student databases must complete, sign and have supervisory approval of the “Information Technology Services User Authorization Form,” acknowledging their understanding and compliance with the terms and conditions defined in the policies for accessing and using the systems (6).

In the college’s “Backup and Protection of Electronic Data” policy (7), IT is identified as being responsible for the physical security of the electronic records. These records are physically located in the file and application servers housed in a restricted access College Data Center. The Center houses the college file and application servers and backbone telecommunication equipment. The room is secured by a cipher lock and access is controlled and monitored by the IT staff. The Data Center is environmentally controlled for correct temperature and humidity and is also equipped with a generator backup in case of commercial power failure.

In addition to the databases being physically secure, network access to the student record files is restricted via the use of virtual private networks (VPN) that keep administrative databases and records on separate logical networks that are isolated from student networks and public access terminals. Additionally, secure and encrypted passwords are issued to all network users through Novell’s Directory Services. Network users must first authenticate to the network infrastructure before gaining access to another login level that facilitates access to sensitive information.

Daily backups are performed on all database and application servers and the backup process occurs over a fiber optic connection to a central backup system located in another building on campus. The CIS database (Colleague System in use for financial and human resources records) and IIPS (the current student data base system) are backed up daily via a fiber optic connection to a back up server located at the SCC Public Safety Training Center located in Macon. This off premise backup arrangement is an added protection in case disaster recovery is necessary. IT maintains hardware and software maintenance contracts for all computer hardware and programs that support the student academic records process. Further, College policy protects software licenses and outlines the consequences of unauthorized use (8).

The Student/Enrollment Services department is responsible for creating a record for each student and is responsible for the confidentiality, integrity and maintenance of each student record. All students entering the Student/Enrollment Services offices requesting any type of access or change to their records must show a photo ID as proof of identity. All requests for admission, testing (9), requests for transcripts (10), changes in name or address, changes in major, reentry to the college, changes in financial aid information and other similar activities must be made in written form and requires a photo ID (11).

A student record file is physically created by the Admissions Office and stored in cabinets that are fire-proof and secure. Each file contains, at a minimum, a completed admission application, transcripts, test scores and copies of official College communications. The file is used to create the student’s electronic record in the IIPS system. Official transcripts received by the College are evaluated by the Registrar’s Office. The transcript is placed in the student’s file and the results of the evaluation entered in the student’s electronic record.

The student files created by the Admissions Office are physically transferred to the Registrar’s office by the end of the first semester of enrollment. A student record file created for an applicant who does not enroll is kept by Admissions for one year in a separate secure area and then shredded.

Student record files of enrolled students are stored in cabinets that are fire-proof and secure, electronically imaged and then shredded by the Registrar’s Office. Any important change to a student record that generates a paper copy is imaged and then shredded. Imaged files are stored and backed up as a part of the IT daily back up process. Imaged records are available through a secure server and terminal located in the Registrar’s Office with restricted access. Student records prior to 1985 were converted to microfilm and the paper files destroyed in 1986. The microfilm is stored in a locked cabinet in a secure room located in the college Library. A backup copy of the microfilm is on file in the North Carolina State Archives.

In other College offices, files are kept in secure cabinets and disposed of according to the North Carolina Community College System (NCCCS) Records Retention and Disposition Schedule (12) and then shredded. Files in these offices include grades, specific financial information, career test scores and/or disability documentation. Each academic advisor keeps a file on each assigned advisee that may include transcript, registration information, and medical information (in the Health Science programs requiring such). These files are maintained according to the records retention and disposal policy and then shredded. In the Continuing Education (CE) office, students complete a registration form for each class that they attend. The registrations along with the roster and instructor contract for each class are stored in a secure vault in the CE office. The records are kept for one year after they are audited and then shredded. All areas follow the guidelines for disposal of student records as specified in the NCCCS Records Retention and Disposition Schedule (13).

Students’ rights to privacy and to protection from unauthorized access and use of their records are established in the College’s Student Records Policy found in the SCC Polices and Procedures Manual and published in the Student Handbook and Catalog (14, 15 & 16). The policy defines a “student record” and identifies the individuals who may have access to those records with and without student consent. The policy outlines a process for students to review their records and provides for “holds” to be placed by the College restricting release of transcripts, diplomas or other student record information for indebtedness to the College. The policy is in line with the Family Educational Rights and Privacy Act of 1974 (FERPA).

All faculty and staff handling student records have access according to their respective job duties. They participate in training on a regular basis that keeps them informed of the operational practices and requirements under the college’s Student Records Policy and FERPA. During the 2005-06 academic year, the college sponsored two training events and implemented an online training module related to privacy of student records. The first event was a presentation by Dr. Parker Young on “Legal Issues in Higher Education” during which he focused on FERPA requirements, students’ rights of access and privacy (17). The second event was a Teaching Learning Connection (TLC) program focused on “Student Academic Records: Access, Security and Disposal (18).” The College designed and maintains a web-based training module that gives faculty and staff an opportunity for individualized training on the requirements of FERPA, the College’s Student Records Policy and the College’s procedures for accessing, securing and disposing of student academic records (19).