Profile
SUNY New Paltz is committed to protecting the privacy and confidentiality of information contained in the multiple databases and print files maintained by the University in the regular course of business. Personal information that is confidential in nature will be used only in accordance with the SUNY New Paltz Information Security Program, Family Educational Rights and Privacy Act (FERPA), and all applicable SUNY, state and federal regulations.
See below for what the University considers sensitive data.
Policy
Employees at SUNY New Paltz, by nature of their positions and as required for the business of the University, will gain access to private personal information about students, faculty, staff, alumni, donors, and other constituents of the University which is maintained on University networks or devices or private networks or devices where University business is being conducted. Employees are obligated to maintain the confidentiality of any such private personal information they encounter.
SUNY New Paltz expects all employees with access to personal information to deal with that information in a respectful and professional manner. As a matter of policy, the University restricts access to personal information to only those employees who have legitimate “job-related reasons” for gaining access. Access and release of any student educational records must be in accordance with FERPA regulations. Any personal information viewed or accessed by an employee through University systems or records is not to be shared or released to others unless there is a legally permissible purpose for doing so.
With regard to Social Security Numbers, this policy is supplemented by the Social Security Number Policy.
Inappropriate disclosure of information pertaining to students, faculty, staff and other University constituents may violate applicable law and regulations and is considered a violation of ethics and a breach of trust placed in employees by the University. Upon finding of a breach of this policy by an employee in a collective bargaining unit, the University may initiate disciplinary action pursuant to the applicable collective bargaining agreement, which may result in a sanction up to and including termination of employment.
For employees not covered by a collective bargaining agreement, sanctions may include actions up to and including termination of employment. Student employees who have violated these provisions will be referred to the student disciplinary process, as defined in the Student Handbook, and may have their student employment terminated. Volunteers who have violated these provisions will have their voluntary appointments terminated.
Employees who deal with confidential material on a regular basis will be required to read this policy and agree to it (via the annual policy review handled by Human Resources).
Guidelines
Employee, student, financial, health and medical information contained within SUNY New Paltz information systems and physical files, and in SUNY System Administration systems, is considered confidential. Access to information made confidential by law, policy, or campus practice is limited to those individuals (employees, consultants, third-party vendors, etc.) whose position legitimately requires use of this information.
Employees who have access to confidential data by virtue of their work for SUNY New Paltz understand that they may not disclose such confidential data to any person or entity without appropriate authorization, subpoena, or court order.
SUNY New Paltz has classified the following as sensitive data categories:
- Social security numbers (as well as national identification numbers for foreign nationals)
- Driver’s license numbers or non-driver identification card numbers
- Financial/banking account numbers, credit or debit card numbers
- Financial records & tax documents (for students, or their family who submit them for financial aid purposes).
- Education records: including transcripts, grade information, payment/tuition records, records pertaining to academic standing (for more detail on what constitutes an “education record” under FERPA, see www.newpaltz.edu/ferpa)
- Student judicial/disciplinary information
- Patient health records
- Home or cell address/telephone information
- Maiden name (or parent’s surname prior to marriage)
- Biometric records (such as fingerprints)
- Passwords (including a person’s own password)
For any data types not listed here, employees should make a reasonable judgment about whether that data should be treated as confidential or should seek advice from their supervisor, in accordance with Guideline 14 below.
In order to access confidential information, employees agree to adhere to the following guidelines:
- Employees understand and acknowledge that improper use of data in the University's information systems is a violation of SUNY New Paltz policy, and it may also constitute a violation of federal and/or state laws.
- Employees will not provide confidential information to any individual or entity without proper authorization.
- Employees will not access, use, copy, or otherwise disseminate information or data that is not relevant and necessary to perform their specific job-related duties.
- Employees will not remove confidential information from University facilities except as specifically authorized to do so.
- Employees will not share their passwords with anyone (including supervisors and subordinates). Employees should not submit their campus password to any website not within newpaltz.edu or suny.edu domains.
- Employees will not use any confidential University-related data for personal or commercial purposes.
- Employees will refer all records requests for educational records from law enforcement, governmental agencies, and other external entities to the FOIL Officer (Associate Vice President for Communication/Chief of Staff).
- Employees will refer external requests for all non-Freedom of Information Law (FOIL) information covered by the previously mentioned sensitive data categories to the Office of Institutional Research, the Office of Human Resources, Student Affairs, Records and Registration, Counseling or UPD, or those departments that have been explicitly authorized to respond to such requests.
- Employees will not communicate to the general public the personally identifiable information of any SUNY New Paltz employee or student.
- Employees will report any unauthorized access to confidential data immediately as per the New Paltz Incident Response Policy.
- Employees understand that any improper or inappropriate use of data in the University’s information systems may result in disciplinary action pursuant to the applicable collective bargaining agreement, with sanctions up to and including termination of employment.
- Employees are not permitted to store any sensitive data on external or portable media such as external hard drives, flash drives, CDs, DVDs, tapes, etc. without express authorization from the Chief Information Officer. Storing such confidential data on local computer drives (as opposed to your personal network drive “F” on the Admin LAN) on office computers or laptops is strongly discouraged. University-owned computers (and personal computers which are routinely used for University business) may be scanned periodically to check for confidential information stored on the device.
- Employees storing confidential data on University servers must, on an operational basis, remove files containing confidential data when it is no longer needed.
- Employees who are uncertain about what constitutes legitimate use or release of information should always err on the side of confidentiality and refer their questions about appropriateness of a request for personal information from University systems or records to their supervisor before releasing the information.
- Departments which are storing sensitive or confidential information in cloud storage systems such as OneDrive, SharePoint, or Teams should consult with Paul Chauvet, Information Security Officer, before doing so. There must be a plan to limit access, a retention policy, and removal procedure in place before any such data should be stored in those locations.
Procedures
Supervisors are required to review this policy with each employee assigned to their department if their department deals with any sensitive information. During the department orientation process, supervisors should provide each employee with a description of the type(s) of confidential information their specific position will work with in the performance of their duties. Supervisors shall review this policy on an annual basis with their staff and confirm that each employee has reviewed and understood the policy.