Confidentiality/Non-Disclosure Agreement

Frequently Asked Questions
On July 7, 2008, a mailing was sent to all VU employees for the purpose of reminding
them of their responsibilities regarding confidentiality and privacy. The mailing included
(1) a Data/Information Confidentiality-Security-Retention Statement; (2) a
Confidentiality/Non-Disclosure Agreement; and (3) a letter requesting the return of the
Agreement document in a pre-paid envelope. The initiative became a topic of discussion
among the members of the Provost’s Council based on comments and questions they
received. A list of 25 questions was developed. The following list of 13 Frequently Asked
Questions summarizes the institutional response.
Q. 1. Why is a signed document needed if faculty and staff are aware of the
confidentiality requirements?
A. 1. A signed document is necessary to show that the University takes seriously the
privacy of its students and employees and the confidentiality of their data. Having the
signed documents demonstrates that the University has taken steps to ensure that all
employees are aware of this institutional emphasis. In addition, the signed document is
necessary to show that every employee is aware of his/her responsibilities with regard to
private and confidential information.
Q. 2. Governance groups did not review/approve this measure and this action came “out
of the blue” with no context. Why?
A. 2. The context of the matter was explained in the letter and in the Data/Information
Confidentiality-Security-Retention Statement. Up to this point, access to various screens
and sets of data was granted with individuals signing off at each point. That system
worked while the data was more limited, when our workforce was more stable, and the
Federal laws weren’t so strict.
Now, the environment in which the University operates has changed. There is more
data, with a greater number of people needing access, with those individuals changing
positions (and their data access needs changing with the positions) much more often than
in previous years. It has become too cumbersome to track on a daily basis whether every
employee had signed off on a certain set of data. In addition, that system didn’t cover
situations in which employees became aware of data by accident.
Fortunately, the University has not experienced any serious breaches of
confidentiality. The administration has elected to incorporate best practices and be proactive as we prepare for future enhancements to Banner. In the final analysis, it only
made sense to have all employees understand the seriousness of keeping personal data
confidential and design the agreement so it applies to all types of data, rather than only
certain subsets.
The timing of this action was based on the University’s adherence to Sarbanes-Oxley
Financial and Accounting Disclosure, the University’s annual audit, and the
preparation for future enhancements to Banner. If employees are aware of the policies
and are acting accordingly, there should be no fear or concern with signing the
agreement.
The Human Resources (HR) Director contacted the governance group presidents
to request a place on their agendas and gave briefings to all three groups at the first
available opportunity.
Q. 3. I don’t have a lock on my file cabinet or have misplaced the keys. What should I
do?
A. 3. According to the aforementioned Statement that was included in the mailing, it
is the responsibility of each employee with access to Personal Confidential
Data/Information to protect it from unauthorized access, modification, destruction, or
disclosure. If you must lock the file cabinet in order to protect it, please make
arrangements for a lock or new keys or a new cabinet. These suggestions are based on
the assumption that there is a real need to keep the confidential data in the area. If this is
the case, it is possible that a lock on a room or office might eliminate the need for a
locked cabinet.
Q. 4. Who initiated this and why? Are other public colleges and Universities asking
their employees to sign similar agreements?
A. 4. This request for signatures on a formal agreement was the combined effort of the
Management Information Center (MIC), the Business Office, and the Human Resources
(HR) Office. These offices are charged with the responsibility for the University’s
compliance with the laws, such as HIPAA, FERPA, Sarbanes-Oxley, and Data Security
Standards.
The administration and the Board of Trustees will be responsible in the event of a
security breach. The institution must put in place measures that make sense in the current
environment. For audit purposes, administrators must respond to questions like, “What
steps did the University take to protect confidential data?” By having signed agreements
on file, the University will have a response that can be easily supported by administrators
or Board members.
A search of the websites for our sister institutions revealed that all of those
institutions except one put their policies on confidentiality in places of importance in
their handbooks and several explained the sanctions related to serious violations of their
policies. Confidentiality Agreements were found to be in use in two senior institutions.
Q. 5. Where is the due process? A person can be dismissed immediately without a
hearing? What about tenure?
A. 5. The Confidentiality/Non-Disclosure Agreement does not change the disciplinary
rules of the University. The Agreement does not change or interfere with tenure in any
way.
Q. 6. Who decides when someone has violated the policy or has acted indiscreetly? Are
there hard guidelines to follow?
A. 6. Violations of the Confidentiality/Non-Disclosure Agreement will be decided in the
same ways as decisions are made about other violations of policy or work rules. For
faculty, the Dean and the Provost would be involved. For staff, this is usually a decision
on the part of the supervisor in consultation with the HR Director, and possibly the
University attorney.
One of the goals of this initiative is to ensure that employees are not in violation
because they don’t know the guidelines. Now, all employees have been made aware of
their responsibilities. They also understand that the University takes these matters
seriously. If a situation arises, no employee could honestly say he/she was not aware,
and no agency can justifiably accuse the University of failing to take appropriate steps to
protect privacy and confidential data.
Q. 7. Should maintenance staff be concerned about going into faculty or administrative
offices?
A. 7. Physical Plant employees have access to offices and facilities, and special
meetings were held with them to explain their roles with regard to protecting confidential
data. The Agreement explains to all employees their responsibilities to hold any personal
information, no matter its form, in trust and confidence. All employees must be careful
to protect computer data, written documents, and any verbal information heard in the
course of performing assigned duties.
Q. 8. Some offices do not have access to a secure server, so any digital documents are
stored on local drives or flash drives, and are therefore not secure or backed up regularly.
How can employees best handle their responsibilities given this situation?
A. 8. The MIC can set you up with encryption software to protect the data on your hard
drive and thumb drives. Contact the MIC at x4332 for the details.
Q. 9. What is the process for obtaining “disclosure” approval?
A. 9. This question addresses the situation in which an employee has access to data and
receives an inquiry for which the appropriate response includes the disclosure of
confidential information.
The first consideration in this situation is the type of information (student
information, employee information, accounting information, institutional data). FERPA
guidelines govern the release of student information, and they are summarized on pages
28 and 29 of the 2008-2009 CATALOG. “Directory information” is defined in that text.
Additional background information regarding student information may be obtained from
the Registrar. In matters related to data, contact the Chief Information Officer. In
response to inquiries concerning the business affairs of the college, consult the
Controller. For questions related to employee information, contact the Human Resources
Director. These types of requests are decided on a case-by-case basis.
Q. 10. Why was there no institutional attempt to provide Professional Development in
regard to Federal/State Laws concerning this issue for ALL employees?
A. 10. With regard to the Data/Information Confidentiality-Security-Retention
Statement, the MIC had issued similar information in electronic mail on two previous
occasions, September 13, 2007 and December 19, 2007. These e-mails were sent to all
users to create awareness about our responsibilities for protecting confidential
information.
The law with which most faculty and staff must comply is FERPA, the Family
Educational Rights and Privacy Act. Since the enactment of this law, there have been
several sessions to inform faculty and staff of the requirements. FERPA has been a topic
for at least two years during Professional Development Week with multiple sessions
provided. The topic has been included in the New Faculty Advising Training for at least
the last five years. An audio conference was offered approximately five years ago with
many in attendance. Efforts have been underway for months to bring in a speaker for
2008-2009 on the topic of FERPA. Currently, the guidelines are included in our
CATALOG, just as they have been for the last 15 years.
Q. 11. If the entire computer is password protected, is that adequate or does each
document need to be protected?
A. 11. The login password on a personal computer (PC) by itself is probably not enough
for truly confidential information; it controls who can log in, but it does not protect the
files if the machine is stolen or the drive is read from another system. Other factors
include whether the PC is in a locked room, whether it is accessible by others, whether it
sits behind the VU firewall and/or runs its own PC firewall, and whether it is up to date
with virus protection, patches, etc. It would be safer to keep the files in an encrypted
folder on the PC, which protects all of them without encrypting each one individually.
Q. 12. Why is the University still placing the SSN on advising folders? Would the use
of A numbers also be a violation?
A. 12. The Social Security Numbers have been used for the convenience of the students
as they check in for Start VU. At that point, students do not yet know their A-numbers.
From now on, the SSN will be marked out before being distributed across campus.
A-numbers are also protected information under FERPA guidelines. Plans are
currently underway to discontinue the use of paper advising folders in 2009, which would
eliminate this issue with regard to the widespread paper distribution of either type of
number.
Q. 13. What happens if an employee refuses to sign the agreement?
A. 13. The confidentiality agreement is required of all employees. The University
expects employees to understand and recognize their responsibility to maintain
confidentiality and protect the personal information of those we serve. Employees are
obliged to comply with this administrative directive.