Confidential Information Policy

Tags policy

Overview 

The State University of New York at New Paltz is committed to protecting the privacy and confidentiality of information contained in all electronic and print sources maintained by the University in regular business. Personal information that is confidential in nature will be used only in accordance with the SUNY New Paltz Information Security Program, Family Educational Rights and Privacy Act (FERPA), and all applicable SUNY, state and federal regulations. 
 
See the Sensitive Data Categories section below for what the University considers sensitive data. 
 

Policy 

Employees at SUNY New Paltz, by nature of their positions and as required for the business of the University, will gain access to private personal information about students, faculty, staff, alumni, applicants, donors, and other constituents of the University. This information may be  maintained on University networks or devices or private networks or devices where University business is being conducted. Such information may also be contained in paper records. Employees are obligated to maintain the confidentiality of any such private personal information they encounter. 
 
SUNY New Paltz expects all employees with access to personal information to deal with that information in a respectful and professional manner. As a matter of policy, the University restricts access to personal information to only those employees who have legitimate “job-related reasons” for gaining access. Access and release of any student educational records must be in accordance with FERPA regulations. Any personal information viewed or accessed by an employee through University systems or records is not to be shared or released to others unless there is a legally permissible purpose for doing so. 

With regard to Social Security Numbers, this policy is supplemented by the Social Security Number Policy

Inappropriate disclosure of information pertaining to students, faculty, staff, and other University constituents may violate applicable law and regulations and is considered a violation of ethics and a breach of trust placed in employees by the University. Upon finding of a breach of this policy by an employee in a collective bargaining unit, the University may initiate disciplinary action pursuant to the applicable collective bargaining agreement, which may result in a sanction up to and including termination of employment. 

For employees not covered by a collective bargaining agreement, sanctions may include actions up to and including termination of employment. Student employees who have violated these provisions will be referred to the student disciplinary process, as defined in the Student Handbook, and may have their student employment terminated. Volunteers who have violated these provisions will have their voluntary appointments terminated. 

Employees who deal with confidential material regularly will be required to read this policy and agree to it (via the annual policy review handled by Human Resources, Diversity, and Inclusion). 
 

Sensitive Data Categories 

Employee, student, financial, health and medical information contained within SUNY New Paltz information systems and physical files, and in SUNY System Administration systems, is considered confidential. Access to information made confidential by law, policy, or campus practice is limited to those individuals (employees, consultants, third-party vendors, etc.) whose position legitimately requires use of this information. 

Employees who have access to confidential data by virtue of their work for SUNY New Paltz understand that they may not disclose such confidential data to any person or entity without appropriate authorization, subpoena, or court order. 
  

SUNY New Paltz has classified the following as sensitive data categories: 

  • Social security numbers (as well as national identification numbers for foreign nationals) 

  • Driver’s license numbers or non-driver identification card numbers 

  • Financial/banking account numbers, credit, or debit card numbers 

  • Financial records & tax documents (for students, or their family who submit them for financial aid purposes). 

  • Education records: including transcripts, payment/tuition records, records pertaining to academic standing (for more detail on what constitutes an “education record” under FERPA, see www.newpaltz.edu/ferpa

  • Student judicial/disciplinary information 

  • Patient health records 

  • Home or cell address/telephone information 

  • Maiden name (or parent’s surname prior to marriage) 

  • Biometric records (such as fingerprints) 

  • Passwords (including a person’s own password) 

Additionally, Nonpublic personal information (NPI) should also be considered confidential.  NPI is, as per the Gramm-Leach-Bliley Act, "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available." 

For any data types not listed here, employees should make a reasonable judgment about whether that data should be treated as confidential, or employee should seek advice from their supervisor, in accordance with Guideline 14 below. 

 

Employee Responsibilities 

In order to access confidential information, employees agree to adhere to the following requirements: 

  1. Employees understand and acknowledge that improper use of data in the University's information systems is a violation of SUNY New Paltz policy, and it may also constitute a violation of federal and/or state laws. 

  1. Employees will not provide confidential information to any individual or entity without proper authorization. 

  1. Employees will not access, use, copy, or otherwise disseminate information or data that is not relevant and necessary to perform their specific job-related duties. 

  1. Employees will not remove confidential information from University facilities except as specifically authorized to do so. 

  1. Employees will not share their passwords with anyone (including supervisors and subordinates). Employees should not submit their campus password to any website not within newpaltz.edu or suny.edu domains or through the Microsoft Single Sign On (SSO) system. 

  1. Employees will not use any confidential University-related data for personal or commercial purposes. 

  1. Employees will refer all records requests for educational records from law enforcement, governmental agencies, and other external entities to the FOIL Officer (Vice President for Communication/Chief of Staff). 

  1. Employees will refer external requests for all non-Freedom of Information Law (FOIL) information covered by the previously mentioned sensitive data categories to the Office of Institutional Research, the Office of Human Resources, Student Affairs, Records and Registration, Counseling or UPD (University Police Department), or those departments that have been explicitly authorized to respond to such requests. 

  1. Employees will not communicate to the general public the personally identifiable information of any SUNY New Paltz employee or student. 

  1. Employees will report any unauthorized access to confidential data immediately as per the New Paltz Incident Response Policy. 

  1. Employees understand that any improper or inappropriate use of data in the University’s information systems may result in disciplinary action pursuant to the applicable collective bargaining agreement, with sanctions up to and including termination of employment. 

  1. Employees are not permitted to store any sensitive data on external or portable media such as external hard drives, flash drives, CDs, DVDs, tapes, etc. without express authorization from the Chief Information Officer. 

  1. Employees are not permitted to store any sensitive data on personal computing devices such as personal laptops, desktops, smartphones, or tablets. This includes synchronizing OneDrive, Teams, or SharePoint folders to personal devices if those contain sensitive data. 

  1.  Employees should not store sensitive data on local computer drives (as opposed to your personal network drive “F” on the Admin LAN) on office computers or laptops is strongly discouraged. University owned computers and cloud services may be scanned periodically to check for confidential information stored on the device. 

  1. Employees storing confidential data on University servers must, on an operational basis, remove files containing confidential data when it is no longer needed. 

  1. Employees who are uncertain about what constitutes legitimate use or release of information should always err on the side of confidentiality and refer their questions about appropriateness of a request for personal information from University systems or records to their supervisor before releasing the information. 

  1. Departments which are storing sensitive or confidential information in cloud storage systems such as OneDrive, SharePoint, or Teams, should consult with Paul Chauvet, Information Security Officer, before doing so. There must be a plan to limit access, a retention policy, and removal procedure in place before any such data should be stored in those locations. 

  1. Faculty conducting research involving sensitive or confidential data should ensure they are following guidelines and requirements set by the University’s HREB (Human Research Ethics Board). 

 

 

Record Retention Requirements 

Retention of sensitive data without a business need increases both the risk of unauthorized exposure and the effort required to protect sensitive data. Further, excessive retention may contravene the GLBA (Gramm-Leach-Bliley Act) data-retention limit. 

Divisions and departments shall develop, implement, and maintain procedures for the secure disposal of student, employee, and other individual information, in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Periodically review your data retention policy to minimize the unnecessary retention of data 

When there are any questions as to whether any data needs to be retained to meet federal, state, SUNY, or SUNY New Paltz requirements, please consult the University's Internal Controls Coordinator. 

For data in systems such as Banner, or Banner Xtender, please consult Administrative Computing for assistance. 

 

Clean Desk/Screen Policy 

Employees should ensure that any sensitive paper documents are locked away (in a locked desk or file cabinet) when they are not in use (including when you leave your office). 

Employees should also ensure that there is no sensitive information on their computer screens visible to others without a need to access that information. This includes when you are meeting with people in-person, or when you are sharing your screen via online screen sharing tools such as on WebEx, Teams, or Zoom. 

 

Sensitive information and email 

As per the Faculty and Staff Email Policy, University emails should not contain any sensitive information in unencrypted form.  Even in encrypted form, email should be used sparingly for sensitive information, particularly social security numbers. 

As per the Credit Card Processing and Handling Policy – credit card numbers should not be stored within email in any way (even if encrypted). 

What to do if you receive sensitive information via email 

Sometimes, even when you do not ask people to send sensitive information via email, people do it anyway. In situations like this, what you should do is: 

  • Reply to the sender (removing any sensitive information the sender has provided before you send) asking them to submit the information through a more secure format. 

  • Delete the original message (with the sensitive data) from your Inbox, then from your Deleted Items folder. 

 

 

Procedures 

Supervisors are required to review this policy with each employee assigned to their department if their department deals with any sensitive information. During the department orientation process, supervisors should provide each employee with a description of the type(s) of confidential information their specific position will work with in the performance of their duties. Supervisors shall review this policy annually with their staff and confirm that each employee has reviewed and understood it. 
 

 

Review 

This policy will be reviewed and updated as needed. Said review will occur at least once every two years. 

 

Policy History 

  • Date of first approval by President’s Cabinet: November 8, 2013 

  • Current version approved by President’s Cabinet December 1, 2023

100% helpful - 5 reviews