Confidentiality/Non-Disclosure Agreement Frequently Asked Questions

On July 7, 2008, a mailing was sent to all VU employees to remind them of their responsibilities regarding confidentiality and privacy. The mailing included (1) a Data/Information Confidentiality-Security-Retention Statement; (2) a Confidentiality/Non-Disclosure Agreement; and (3) a letter requesting the return of the signed Agreement in a pre-paid envelope. The initiative became a topic of discussion among the members of the Provost's Council based on comments and questions they received. A list of 25 questions was developed. The following 13 Frequently Asked Questions summarize the institutional response.

Q. 1. Why is a signed document needed if faculty and staff are already aware of the confidentiality requirements?

A. 1. A signed document shows that the University takes seriously the privacy of its students and employees and the confidentiality of their data. Having the signed documents on file demonstrates that the University has taken steps to ensure that all employees are aware of this institutional emphasis. In addition, the signed document shows that every employee has been informed of his/her responsibilities with regard to private and confidential information.

Q. 2. Governance groups did not review/approve this measure, and the action came "out of the blue" with no context. Why?

A. 2. The context of the matter was explained in the letter and in the Data/Information Confidentiality-Security-Retention Statement. Until now, access to various screens and sets of data was granted with individuals signing off at each point. That system worked while the data was more limited, our workforce was more stable, and Federal laws were less strict. The environment in which the University operates has changed.

There is more data, a greater number of people need access, and those individuals change positions (and their data access needs change with the positions) much more often than in previous years. It has become too cumbersome to track on a daily basis whether every employee has signed off on a given set of data. In addition, that system did not cover situations in which employees became aware of data by accident. Fortunately, the University has not experienced any serious breaches of confidentiality. The administration has elected to incorporate best practices and be proactive as we prepare for future enhancements to Banner. In the final analysis, it made sense to have all employees understand the seriousness of keeping personal data confidential and to design the agreement so that it applies to all types of data rather than only certain subsets. The timing of this action was based on the University's adherence to Sarbanes-Oxley financial and accounting disclosure requirements, the University's annual audit, and the preparation for future enhancements to Banner. If employees are aware of the policies and are acting accordingly, there should be no fear or concern about signing the agreement. The Human Resources (HR) Director contacted the governance group presidents to request a place on their agendas and briefed all three groups at the first available opportunity.

Q. 3. I don't have a lock on my file cabinet, or I have misplaced the keys. What should I do?

A. 3. According to the Statement included in the mailing, it is the responsibility of each employee with access to Personal Confidential Data/Information to protect it from unauthorized access, modification, destruction, or disclosure. If you must lock the file cabinet in order to protect it, please make arrangements for a lock, new keys, or a new cabinet. These suggestions assume there is a real need to keep the confidential data in the area.
If this is the case, a lock on the room or office may eliminate the need for a locked cabinet.

Q. 4. Who initiated this, and why? Are other public colleges and universities asking their employees to sign similar agreements?

A. 4. This request for signatures on a formal agreement was the combined effort of the Management Information Center (MIC), the Business Office, and the Human Resources (HR) Office. These offices are responsible for the University's compliance with laws and standards such as HIPAA, FERPA, Sarbanes-Oxley, and Data Security Standards. The administration and the Board of Trustees will be held responsible in the event of a security breach, so the institution must put in place measures that make sense in the current environment. For audit purposes, administrators must answer questions such as, "What steps did the University take to protect confidential data?" With signed agreements on file, the University has a response that administrators or Board members can readily support. A search of the websites of our sister institutions revealed that all but one place their confidentiality policies prominently in their handbooks, and several explain the sanctions for serious violations of those policies. Confidentiality agreements were found to be in use at two senior institutions.

Q. 5. Where is the due process? Can a person be dismissed immediately without a hearing? What about tenure?

A. 5. The Confidentiality/Non-Disclosure Agreement does not change the disciplinary rules of the University. The Agreement does not change or interfere with tenure in any way.

Q. 6. Who decides when someone has violated the policy or has acted indiscreetly? Are there hard guidelines to follow?

A. 6. Violations of the Confidentiality/Non-Disclosure Agreement will be decided in the same way as other violations of policy or work rules.

For faculty, the Dean and the Provost would be involved. For staff, the decision usually rests with the supervisor in consultation with the HR Director and possibly the University attorney. One goal of this initiative is to ensure that employees are not in violation simply because they do not know the guidelines. All employees have now been made aware of their responsibilities, and they understand that the University takes these matters seriously. If a situation arises, no employee could honestly say he/she was unaware, and no agency could justifiably accuse the University of failing to take appropriate steps to protect privacy and confidential data.

Q. 7. Should maintenance staff be concerned about going into faculty or administrative offices?

A. 7. Physical Plant employees have access to offices and facilities, and special meetings were held with them to explain their role in protecting confidential data. The Agreement explains to all employees their responsibility to hold any personal information, in whatever form, in trust and confidence. All employees must take care to protect computer data, written documents, and any verbal information heard in the course of performing assigned duties.

Q. 8. Some offices do not have access to a secure server, so digital documents are stored on local drives or flash drives and are therefore neither secure nor backed up regularly. How can employees best handle their responsibilities in this situation?

A. 8. The MIC can set you up with encryption software to protect the data on your hard drive and thumb drives. Contact the MIC at x4332 for details.

Q. 9. What is the process for obtaining "disclosure" approval?

A. 9. This question addresses the situation in which an employee with access to data receives an inquiry for which the appropriate response would include disclosing confidential information.
The first consideration is the type of information (student information, employee information, accounting information, institutional data). FERPA guidelines govern the release of student information; they are summarized on pages 28 and 29 of the 2008-2009 CATALOG, where "directory information" is also defined. Additional background on student information may be obtained from the Registrar. For matters related to data, contact the Chief Information Officer. For inquiries concerning the business affairs of the college, consult the Controller. For questions related to employee information, contact the Human Resources Director. These requests are decided on a case-by-case basis.

Q. 10. Why was there no institutional attempt to provide professional development regarding the Federal and State laws on this issue for ALL employees?

A. 10. With regard to the Data/Information Confidentiality-Security-Retention Statement, the MIC issued similar information by electronic mail on two previous occasions, September 13, 2007 and December 19, 2007. These e-mails were sent to all users to create awareness of our responsibilities for protecting confidential information. The law with which most faculty and staff must comply is FERPA, the Family Educational Rights and Privacy Act. Since its enactment there have been several sessions to inform faculty and staff of its requirements. FERPA has been a topic during Professional Development Week for at least two years, with multiple sessions provided, and it has been included in New Faculty Advising Training for at least the last five years. An audio conference was offered approximately five years ago with many in attendance. Efforts have been underway for months to bring in a speaker on FERPA for 2008-2009. The guidelines are included in our CATALOG, as they have been for the last 15 years.

Q. 11. If the entire computer is password protected, is that adequate, or does each document need to be protected?

A. 11. The PC login password by itself is probably not enough for truly confidential information: it controls access through the operating system only, and it does not protect the data if the machine is booted from other media or the drive is removed. Other factors include whether the PC is in a locked room, whether it is accessible by others, whether it is behind the VU firewall and/or running its own firewall, and whether it is up to date with virus protection and patches. It is safer to keep confidential files in an encrypted folder on the PC, which protects all of the files without encrypting each one individually.

Q. 12. Why is the University still placing the SSN on advising folders? Would the use of A-numbers also be a violation?

A. 12. Social Security Numbers have been used for the convenience of students as they check in for Start VU; at that point, students do not yet know their A-numbers. From now on, the SSN will be marked out before folders are distributed across campus. A-numbers are also protected information under FERPA guidelines. Plans are underway to discontinue the use of paper advising folders in 2009, which would eliminate the widespread paper distribution of either type of number.

Q. 13. What happens if an employee refuses to sign the agreement?

A. 13. The confidentiality agreement is required of all employees. The University expects employees to understand and recognize their responsibility to maintain confidentiality and protect the personal information of those we serve. Employees are obliged to comply with this administrative directive.