Student Data Security

The following provides resources and procedures regarding the maintenance and confidentiality of student records and the circumstances under which the institution may release information in student records in accord with all applicable state and federal laws and SUNY policy. This page is a resource for faculty, staff and accreditors referencing current policies, information here shall not override or otherwise supersede campus policies.

Relevant Policies and Laws Governing Student / Institutional Data

Federal Educational Rights and Privacy Act	Code of Federal Regulations Student FERPA Privacy Office of the Chief Privacy Officer (Including FPCO) Department of Education FERPA
State University of New York	Information Security Policy Compliance with FERPA Compliance with Freedom of Information Law Records Retention and Disposition Policy Guidance
State of New York	NYSED Privacy Guidance NYSED Data Privacy and Security Policy Bill of Rights for Data Privacy and Security

Storage and Maintenance of Student Records

Per SUNY Cortland's Information Security policies, SUNY Cortland’s data must be classified into one of the three categories and protected using appropriate security measures consistent with the minimum standards for the classification level as described in related information security standards, procedures, and guidelines. Policies and procedures shall apply to all faculty, staff, third-party Agents of the College as well as any other College affiliate who is authorized to access institutional data including student workers, campus committees, and contractors.

Student Information System Overview

System

SUNY Cortland utilizes a student information system (SIS) that is supported centrally by the State University of New York. The SIS maintains industry-standard security features and storage facilities designed to secure student data and appropriately limit access to systems.

SUNY Information Security Policy

Access and Security

Security at the system and database level through role-based security classes. This includes strict limits to accessing the databases directly through direct or programmatic means.

Role and job-function based security classes operate in a granular manner, providing access to limited views or functions within the application.

SUNY Cortland Information Security Policy

Banner Access Request

Self Service Access Request

Acceptable Use

Integrations

Requests for integration with the SIS is governed by the Information Security Policy and formal review by Administrative Computing and Systems Administration and Web Services. Systems must meet campus, SUNY and NYS security standards.

SUNY Cortland Information Security Policy

Acceptable Use

Campus Data Categories

Category I: Protected Data
Regulated private data including information defined as private information (i.e., personally identifiable information), non-directory or otherwise protected by law or SUNY policy.
Category II: Data for Internal Use
Non-public data not included in Category I. This data includes the Cortland ID, licensed software, as well as College business records, intellectual property, certain types of information that would constitute an unwarranted invasion of personal privacy, and any non-public data that would generally require a FOIL request prior to release.
Category III: Public Data
Data which is openly accessible to the public, may be accessed in unauthenticated environments (e.g. public website), and has no specific prohibitions on release and does not constitute an invasion of privacy or release of private intellectual property.

Family Educational Rights and Privacy Act Classifications: In addition to internal data classifications that govern the release of student records, the College operates in accord with FERPA, the federal law that grants certain rights and protections to students, parents and guardians. The official College FERPA policies provide for the assignment of directory and personally identifiable data (PII).

Directory Information
Specific categories of data that may be shared without written consent of the student. While this data may be released under FERPA, some elements are additionally governed by or protected under campus security policies.
Personally Identifiable Information (PII)
Data that SUNY Cortland will not share without written consent of the student. PII includes direct identifiers, indirect identifiers, or other information which can be used to identify a student specifically. The release of this data may constitute an invasion of privacy and/or pose a risk to student identity security.

Campus FERPA Policy	Appropriate use of student information to support the protection of student privacy in accordance with the Family Educational Rights and Privacy Act (FERPA) (20 USC §1232g; 34 CFR Part 99).	FERPA Policy
Directory Data and PII	The Family Educational Rights and Privacy Act ( 20 U.S.C. § 1232g and 34 CFR Part 99) protects personally identifiable information from students’ education records from unauthorized disclosure, and allows the disclosure of certain data elements if classified as directory data.	FERPA Definitions
Data Classification	Requests for integration with the SIS is governed by the Information Security Policy and formal review by Administrative Computing and Systems Administration and Web Services. Systems must meet campus, SUNY and NYS security standards.	Data Classification Policy

Release of Student Records

Please review the SUNY Cortland FERPA policy for additional information.

SUNY Cortland will disclose information from a student's education records only with the written or electronic consent of the student with the following exceptions, as permitted by federal law:

To school officials, SUNY System Administration, campus-related entities (e.g. Auxiliary Services Corporation), persons employed by or under contract to the campus to perform special tasks (e.g. attorneys or auditors), students serving on official committees (e.g. disciplinary or grievance committees) or assisting another school official in performing his or her professional responsibility and other SUNY colleges who have been determined to have legitimate educational interests.
Upon request to officials of another school in which a student seeks or intends to enroll.
To certain federal, state, SUNY, and local education officials in connection with certain federal or state supported education programs.
In connection with a student's request for or receipt of financial aid, as necessary to determine the eligibility, amount, or conditions of that aid.
If required by a state law concerning the juvenile justice system which law requires disclosure and which was adopted before November 19, 1974.
To organizations conducting certain studies/research for or on behalf of the College, educational agencies or institutions for the purpose of developing, validating, or administering predictive tests, administering student aid programs and improving instruction, if such studies are conducted in such a manner as will not permit the personal identification of students and their parents by persons other than representatives of such organizations, and such information will be destroyed when no longer needed for the purpose for which it is conducted.
To accreditation organizations in order to carry out their accrediting functions.
To parents of an eligible student who claim the student as dependent for income tax purposes (26 USC §152).
To comply with a judicial order or a lawfully issued subpoena after making a reasonable effort to notify the student in advance.
To appropriate parties in a health and/or safety emergency.
When the student and SUNY are engaged in litigation SUNY Cortland may disclose to the court education records that are relevant to the litigation.
To an alleged victim of any crime of violence as that term is defined in Section 16 of Title 18 USC, or a non-forcible sex offense, the final results of any disciplinary proceeding conducted by the campus against the alleged perpetrator of that crime or offense with respect to that crime or offense if the College determines as a result of the disciplinary proceeding that the student committed a violation of the College's rules or policies with respect to such crime or offense.
To anyone the final results reached on or after October 7, 1998 in a disciplinary proceeding in which a student has been determined to have perpetrated a crime of violence or non-forcible sex offense and a violation of College rules or policies.
To the parents of a student under the age of 21: information that the College has determined that the student has committed a disciplinary violation relating to alcohol or a controlled substance.
To Veterans Administration Officials pursuant to 38 USC 3690 (c).
To the Military: Directory information as it is presently defined under the Solomon Amendment, even if the institution has not designated such information as directory information in its policy. (Directory information that must be released to the Military: student's name and address, telephone listing, date and place of birth, class level, academic major, degrees received, and the educational institution in which the student was most recently enrolled. Information that is not required to release to the Military: directory information, but only if the student has requested that the College not release such information to anyone, information the institution certifies it does not have, and information not defined as directory information.)
Where the information to be disclosed is designated as Directory Information.

Record of Requests for Disclosure

SUNY Cortland will maintain a record of all external requests for, and/or disclosures of, information from a student's education records for as long as those records are maintained. The record will indicate the name of the party making the request, any additional party to whom it may be re-disclosed, and the legitimate interest the party had in requesting the information. The record of requests may be reviewed by the parents of eligible students.

Record keeping is not required if disclosure is to:

The student
A school official with a legitimate educational interest
A party with written consent from the student
A party seeking directory information
A federal grand jury or law enforcement agency pursuant to a subpoena that by its terms requires non disclosure

Records are kept with individual student record files via the campus cataloging system (OnBase).

Consent to Release

If a student wishes to grant access to student academic information to a particular party (e.g. parent, legal guardian), they may complete the Consent for Access form in the Registrar's Office.

Departmental Releases

The Student Accounts Office has an additional waiver available to allow for the viewing of financial information exclusively. Permission must be granted by the student in order for the Student Accounts Office to discuss the student invoice or financial account with any third party, including parents or guardians. If you have any questions about this, please contact the Student Accounts Office. The Financial Advisement Office shall communicate with all aid applicants and their family members whose income information is appropriately reported on the FAFSA (Free Application for Federal Student Aid).