Printed on September 22, 2019, 2:50 am
Governance, Organization, and General Policies
TCATs, Community Colleges, System Office, Board Members
TBR institutions create, collect, maintain, use, and transmit personally identifiable information relating to individuals associated with the institution including, but not limited to, students, alumni, faculty, administrators, staff, and service employees. TBR institutions are committed to protecting PII against inappropriate access and use in compliance with applicable laws and regulations in order to maximize trust and integrity.
- Data Custodians - Data Custodians are the people responsible for oversight of personally-identifiable information in their respective areas of institutional operations.
- The Data Owner (also called a Data Steward) is the person who has administrative control and has been officially designated as accountable for a specific information asset or dataset. This person would determine who has access to what and IT implements the controls to match.
- Minimum Necessary - Minimum Necessary is the standard that defines that the least information and fewest people should be involved to satisfactorily perform a particular function.
- Personally Identifiable Information (PII) - Information which can be used to distinguish or trace an individual's identity, such as their ID, Social Security number, or biometric records, alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
- Directory information - Directory information is information that is generally not considered harmful or an invasion of privacy if released. It can also be disclosed to outside organizations.
- Members of the TBR community shall employ reasonable and appropriate administrative, technical, and physical safeguards to protect the integrity, confidentiality, and security of all personally identifiable information (PII), irrespective of its source or ownership or the medium used to store it.
- All individuals who dispense, receive, and store PII have responsibilities to safeguard it.
- In adopting this policy, the System is guided by the following objectives:
- To enhance individual privacy for members of the TBR community through the secure handling of PII.
- To ensure that all members of the TBR community understand their obligations and individual responsibilities under this policy by providing appropriate training that shall permit the TBR community to comply with both the letter and the spirit of all applicable privacy legislation. Each member institution will be responsible for determining the means of training for its institution.
- To increase security and management of Social Security numbers (SSNs) by:
- Instilling broad awareness of the confidential nature of the SSNs;
- Establishing a consistent policy about the use of SSNs throughout the System; and
- Ensuring that access to SSNs for the purpose of conducting TBR business is granted only to the extent necessary to accomplish a given task or purpose.
- To reduce reliance on the SSN for identification purposes as much as possible.
- To comply with all Payment Card Industry (PCI) standards
- To comply with any other applicable and required standards, regulations and/or laws
- To comply with Family Educational Rights and Privacy Act of 1974 (FERPA)
- Data Custodians are responsible for oversight of personally identifiable information in their respective areas of institutional operations. Activities of these officials are aligned and integrated through appropriate coordination among these cognizant institutional officials.
- This policy applies to all members of the TBR community, including all full- and part-time employees, faculty, students and their parents or guardians, and other individuals such as volunteers, contractors, consultants, other agents of the community, alumni, and affiliates that are associated with the System or whose work gives them custodial responsibilities for PII.
- Policy Requirements
- Data Trustees
- Officials responsible for each of the following areas shall be considered data custodians:
- Student Records
- Financial Aid Records
- Alumni and Donor Records
- Employee Records
- Purchasing and Contracts
- Research Subjects
- Public Safety or Campus Police
- Personally Identifiable Information
- PII may be released only on a Minimum Necessary basis and only to those individuals who are authorized to use such information as part of their official TBR duties, subject to the requirements:
- That the PII released is narrowly tailored to a specific business requirement;
- That the information is kept secure and used only for the specific official TBR [business] purposes for which authorization was obtained; and
- That the PII is not further disclosed or provided to others without proper authorization as defined above.
- PII may be handled by third parties, including cloud service providers, with the strict requirement that the information be kept secure and used only for a specific official authorized business purpose as defined in a Business Associate Agreement with that third party.
- Exceptions to this policy may be made only upon specific requests approved by the cognizant institutional official responsible for such information as specified in this policy and only to the degree necessary to achieve the mission and business needs of the institution.
- Exceptions made must be documented, retained securely, and reviewed periodically by the appropriate cognizant institutional official or his/her designee.
- Exceptions may be modified or eliminated based on this review and shall be documented and retained for auditing purposes.
- Directory Information, as defined by Federal and State law and institutional policy, will be published following the guidelines defined by the specific law.
- Based on FERPA guidelines, directory information is information that is generally not considered harmful or an invasion of privacy if released and can be disclosed without consent.
- Schools must notify students annually of their rights under FERPA.
- Information that has been collected that conforms to the HIPAA standards of de-identification or anonymization is not PII.
- Government-Issued Personal Identifiers
- Social Security Number
- Provision of Information
- TBR institutions collect SSNs:
- When required to do so by law;
- When no other identifier serves the business purpose; and
- When an individual volunteers the SSN as a means of locating or confirming personal records.
- In other circumstances, individuals are not required to provide their SSN verbally or in writing at any point of service, nor are they to be denied access to those services should they refuse to provide an SSN.
- Release of SSNs
- SSNs will be released to persons or entities outside the institution only:
- As required by law;
- When permission is granted by the individual;
- When the external entity is acting as the institution’s authorized contractor or agent and attests that no other methods of identification are available, and reasonable security measures are in place to prevent unauthorized dissemination of SSNs to third parties; or
- When the appropriate Counsel has approved the release.
- Use, Display, Storage, Retention, and Disposal
- SSNs or any portion thereof will not be used to identify individuals except as required by law or with approval by a cognizant TBR official for a TBR business purpose.
- The release or posting of personal information, such as grades or occupational listings, keyed by the SSN or any portion thereof, is prohibited, as is placement of the SSN in files with unrestricted access.
- SSNs will be transmitted electronically only for business purposes approved by the institutional officials responsible for SSN oversight and only through secure mechanisms.
- The Data Custodians who are responsible for SSNs will oversee the establishment of business rules for the use, display, storage, retention, and disposal of any document, item, file, or database which contains SSNs in print or electronic form.
- Non-SSN Government-Issued Identifiers
- In the course of its business operations, TBR institutions have access to, collect, and use non-SSN government-issued identifiers such as driver's licenses, passports, HIPAA National Provider Identifiers, Employee Identification Numbers (EIN), and military identification cards, among others.
- TBR institutions shall follow the Minimum Necessary standard and strive to safeguard these identifiers.
- TBR Institution-Issued Identifiers
- Institutional ID Number
- Assignment Eligibility and Issuance
- The institutional id is a unique alphanumeric identifier assigned by the institution to any entity that requires an identifying number in an institutional system or record.
- An Institutional ID is assigned at the earliest possible point of contact between the entity and the institution.
- The Institutional ID is associated permanently and uniquely with the entity to which it is assigned.
- Use, Display, Storage, Retention, and Disposal
- The Institutional ID is considered PII by the institution, to be used only for appropriate business purposes in support of operations.
- The Institutional ID is used to identify, track, and serve individuals across all institutional electronic and paper data systems, applications, and business processes throughout the span of an individual's association with the institution and presence in the institution's systems or records.
- The Institutional ID is not to be disclosed or displayed publicly by the Institution, nor to be posted on the institution’s electronic information or data systems unless the Institutional ID is protected by access controls that limit access to properly authorized individuals.
- The release or posting of personal information keyed by the Institutional ID, such as grades, is prohibited.
- Any document, item, file, or database that contains Institutional IDs in print or electronic form is to be protected and disposed of in a secure manner in compliance with data retention rules.
- Other Externally-Assigned Identifiers and Other Personally Identifiable Information
- TBR institutions shall follow the Minimum Necessary standard and strive to safeguard any externally assigned identifiers which may be collected.
- Responsibility for Maintenance and Access Control
- Institutional IDs are maintained and administered by the appropriate institutional office in accordance with this policy.
- Other institutional offices may maintain and administer electronic and physical repositories containing personal identification numbers for uses in accordance with this policy.
- Access to electronic and physical repositories containing PII shall be controlled based upon reasonable and appropriate administrative, physical, technical, and organizational safeguards.
- Individuals who inadvertently gain access to a file or database containing PII should report it to the appropriate authority.
- All paper documents with PII must be under lock and key or otherwise securely stored.
- Document retention policies dictate schedules for PII deletion and/or destruction. Proper disposal of PII shall involve cross-cut shredders (for paper), securely wiping/deleting data (for digital information) and other information security approved methods of eliminating this data.
- Violations of this policy resulting in misuse of, unauthorized access to, or unauthorized disclosure or distribution of personal identification numbers may subject individuals to legal and/or disciplinary action, up to and including the termination of employment or contract with the Institution or, in the case of students, suspension or expulsion from the institution.
T.C.A. § 49-8-203
NEW Guideline approved at August 19, 2014 President's Meeting; effective September 26, 2014. Revised and changed to policy at Special Called Meeting May 14, 2019.