Confidential information must be protected from unauthorized disclosure or public release based on state or federal law. Examples of confidential information include but are not limited to the following:
- Social Security numbers (SSNs)
- Some Research Data
- Credit card numbers
- Financial account numbers
- Student education records (including schedules)
- Medical Records
Federal laws that require the confidentiality of information include:
- The Family Educational Rights and Privacy Act (FERPA), which protects the educational records of all students.
- The Health Insurance Portability and Accountability Act (HIPAA), which requires the protection and confidential handling of Protected Health Information (PHI).
- The Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect the security and confidentiality of customer information.
Directory information refers to items of information contained in the educational record which may be released without the student's prior, written consent. Texas A&M University defines the following items as directory information:
- Universal Identification Number (UIN)
- Address (Local)
- Address (Permanent)
- Telephone number (Local)
- Telephone number (Permanent)
- Email address
- Program of study (college, major, campus)
- Dates of attendance
- Previous educational agencies/institutions attended
- Participation in officially recognized activities and sports
- Degrees, honors, and awards received
However, students may place a directory hold on any or all of this information at https://howdy.tamu.edu. Once the student has placed a hold on his or her directory information, this information may not be released without the prior, written consent of the student.
When accessing confidential information such as bank statements and credit card data, you should always use a Virtual Private Network (VPN) that encrypts all data sent to and from your computer.
You can also ensure a link is secure by:
- Looking for the padlock symbol in the browser's address bar when you log in.
- Only accessing sites with a web address that begins with “https://”. (The ‘s’ stands for secure.)
These two measures indicate that a digital certificate has been issued to the website by a trusted third party and that the information exchanged with the website is encrypted in transit.
Storing Confidential Information - University SAP 29.01.03.M1.16, Portable Devices, requires encryption of Texas A&M related confidential information that resides on portable computing devices. It is recommended that all confidential data be encrypted, even if it resides on stationary systems.
Transferring Confidential Information - Security Control SC-13, Cryptographic Protection, requires encryption of confidential information when it is transmitted through email or to an off-campus site, or when it is accessed from a remote location.
Quick Checklist for Protecting FERPA Data
- Post grades using secure technology (for help contact Instructional Technology Services at email@example.com or 979.862.3977, or visit http://its.tamu.edu/).
- Encrypt all confidential information.
- Use UINs instead of Social Security numbers. Take the appropriate steps when Social Security Numbers are ABSOLUTELY necessary.
- DO NOT allow students to see other students' grades, even by sorting through a stack of papers to pick up their graded work.
- DO NOT discuss the progress of any student with anyone other than the student (including parents/guardians) without the consent of the student.
- DO NOT provide anyone with lists of students enrolled in classes for any commercial purpose.
- DO NOT provide anyone with student schedules or assist anyone other than professional university employees in finding a student on campus.
Do NOT send confidential information through email. Use Filex instead.
Filex is an easy tool for transferring confidential information. Upload files to the Filex server and add email addresses for recipients. For files containing sensitive or confidential information, Filex includes an encryption option. Filex sends a link via email to download the file, which the recipients click to obtain the file directly from the Filex server. If you selected the encryption option, Filex provides a key for you to send to your recipients to unlock the encrypted file. For step-by-step instructions, see Using the Filex file distribution system.
Safe File Transfer Tools
If you need to transfer confidential information between two systems that you manage, use secure protocols like SCP or SFTP. WinSCP is an easy-to-use Windows tool for SCP and SFTP.
By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. When you use encryption, it is important to have a recovery plan in case you forget your key.
For details, see Security Control SC-13 Cryptographic Protection.
Whole Disk Encryption
To better protect your data, consider whole disk encryption. It prevents a thief from even starting your computer without a passphrase.
- PGP Desktop - Texas A&M provides and supports PGP Desktop as a recommended whole disk encryption product for Windows computers. This makes your entire hard drive or flash drive unreadable by anyone who does not have the key. One advantage of using PGP Desktop is that we can recover your data in the event of a lost encryption key. Departments interested in using this software may purchase it through the Texas A&M Software Center. PGP Desktop is not currently offered as a tool to individual users. Contact firstname.lastname@example.org for additional information.
- FileVault - For Mac users, FileVault is a built-in tool for whole disk encryption. If you are using this tool, make sure that you have a recovery plan in case you forget your encryption key. You can create a recovery key to share with your trusted IT person or administrative assistant. This way, if you forget your password, they can use the recovery key to decrypt your data.
FERPA requires that student grades be accessible only to individual students and other authorized personnel. Posting grades in a secure course management system (such as eCampus) is the preferred method for distributing grades online at Texas A&M University. Instructional Technology Services (ITS) can provide help in using instructional technologies.
If you do not use a Learning Management System, give students their grades individually.
Report disclosures of confidential information as soon as you realize they have occurred by emailing email@example.com. For additional details about reporting disclosure of sensitive personal information, see SAP 29.01.03.M1.24.
Visit the following web sites for information on confidential information:
- Office of the Registrar's FERPA Statement for Faculty, Staff, and Administrators
- Gramm-Leach-Bliley Act (GLBA) - financial aid
- SAP 29.01.03.M1.17, Information Resources - Privacy
- Student Health Services' Protected Health Information (PHI) or HIPAA information
- SAP 29.01.03.M0.01, Security for Electronic Information Resources
- Security Control SI-4 Information System Monitoring
If you have any questions about FERPA, please contact the Office of the Registrar, Records Section at 979.845.1003 or firstname.lastname@example.org.