The Informer: The IIT/Libraries E-Newsletter

Information Security Program

What is Private Information?

St. Olaf College is implementing an information security program to govern protected or confidential data maintained in our information systems and offices.  As part of that plan, IIT staff will write a monthly newsletter article to help you better understand the issues surrounding information security. 

This month, we will discuss the three classifications of data that St. Olaf maintains as well as the regulations that govern that data.  It is important to note that data and information can be stored and transmitted in a variety of ways, including, but not limited to, computer files stored on desktop computers, CDs, servers, portable electronic storage devices, paper files, audio or video files, telephone calls, and verbal communications.

The college classifies data into three categories. 

Protected.  This data is protected under state and federal regulations such as FERPA, HIPAA, Gramm-Leach-Bliley and others.  Data elements in this group include, but are not limited to, social security numbers, student ID numbers, credit card numbers, medical information, bank account numbers, grades, date and/or location of birth, driver's license information, ACH (automated clearing house) numbers, tax return information, credit rating, income history, loan payment history, passport information, salary, coursework, etc.

Confidential.  This data is not protected under state and federal regulations but the college has determined that this information should be held private.  This data may include promotion materials, employee ID numbers, review files, etc.

General.  This data pertains to the operation of the college, and its use is not restricted.

The use of any St. Olaf College data and information, in any format, for anything beyond the operation of the college is strictly forbidden.  Unacceptable uses include sharing the data with groups, organizations, or activities that are not college-sponsored or college-approved, use of data for personal gain, use of data to satisfy personal curiosity, removing data or reports from the campus except in the required performance of college duties, or use by individuals outside of their normal job responsibilities.

Individuals who are given rights to access or use college data are responsible for maintaining the privacy of protected and confidential data and must agree to abide by any college policies and state or federal laws and regulations governing such data.  Depending on the data individuals work with, they may be required to take FERPA, HIPAA, FTC, or other training prior to getting access to those data elements.

The protected data and information maintained by the college must be handled and managed in accordance with state or federal mandates.  Although new regulations and laws can be imposed at any time, at present three acts are responsible for the majority of the regulations that govern use of the protected data.  These three acts are the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Family Educational Rights and Privacy Act (FERPA).  These three protect and mandate the handling of very different data and information and, as such, different campus officers are responsible for the campus training and adherence to the policies.

Act      Office               Campus Coordinator
GLBA     Treasurer's Office   Linda Kuchinka
FERPA    Registrar's Office   Mary Cisar
         http://www.stolaf.edu/offices/registrar/ferpa.html
HIPAA    Human Resources      Roger Loftus
         http://www.stolaf.edu/services/hr/hipaa/

These coordinators are responsible for ensuring that individuals who use this data are informed about the appropriate policies and procedures for handling this data and information.

September 2006