Protect IT: Empowered to protect your digital life

Protecting Confidential Information

Many Texas A&M employees work daily with confidential information. It is our responsibility to protect it by becoming familiar with what data is confidential, the technologies that can protect this information and the practices that help prevent its release.

In this Article

What information is confidential?

Confidential information must be protected from unauthorized disclosure or public release based on state or federal law. Examples of confidential information include but are not limited to the following:

  • Social Security numbers (SSNs)
  • Some Research Data 
  • Credit card numbers
  • Financial account numbers
  • Student education records (including schedules)
  • Medical Records
  • Passwords

Federal laws that require the confidentiality of information include:

Directory Information

Directory information refers to items of information contained in the educational record which may be released without the student's prior, written consent. Texas A&M University defines the following items as directory information:

  • Name
  • Universal Identification Number (UIN)
  • Address (Local)
  • Address (Permanent)
  • Telephone number (Local)
  • Telephone number (Permanent)
  • Email address
  • Program of study (college, major, campus)
  • Dates of attendance
  • Previous educational agencies/institutions attended
  • Participation in officially recognized activities and sports
  • Degrees, honors, and awards received
  • Classification

However, students may place a directory hold on any or all of this information at https://howdy.tamu.edu. Once the student has placed a hold on his or her directory information, this information may not be released without the prior, written consent of the student.

What are the rules about storing and transferring confidential information?

Storing Confidential Information - University SAP 29.01.03.M1.16, Portable Devices requires encryption of Texas A&M related confidential information that resides on portable computing devices. It is recommended that all confidential data be encrypted even if it resides on stationary systems.

Transferring Confidential Information - University SAP 29.01.03.M1.31,Encryption of Confidential and Sensitive Data requires encryption of confidential information when it is transmitted through email or to an off-campus site or when it is accessed from a remote location.

Credit Cards - University SAP 21.01.02.M0.03 Credit Card Collections defines the very stringent requirements for accepting credit card payments. See Credit Card Procedures and Policies for details.

Quick Checklist for Protecting FERPA Data

  • Post grades using secure technology (for help contact Instructional Technology Services at its@tamu.edu or 979.862.3977, or visit http://itsinfo.tamu.edu/).
  • Encrypt all confidential information.
  • Use UINs instead of Social Security numbers. Take the appropriate steps when Social Security Numbers are ABSOLUTELY necessary.
  • DO NOT allow students to see other students grades, even by sorting through a stack of papers to pick up their graded work.
  • DO NOT discuss the progress of any student with anyone other than the student (including parents/guardians) without the consent of the student.
  • DO NOT provide anyone with lists of students enrolled in classes for any commercial purpose.
  • DO NOT provide anyone with student schedules or assist anyone other than professional university employees in finding a student on campus.
How can I safely transfer confidential information?

Filex

Do NOT send confidential information through email. Use Filex instead. 

Filex is an easy tool for transferring confidential information. Upload files to the Filex server and add email addresses for recipients. For files containing sensitive or confidential information, Filex includes an encryption option. Filex sends a link via email to download the file, which the recipients click to obtain the file directly from the Filex server. If you selected the encryption option, Filex provides a key for you to send to your recipients to unlock the encrypted file. For step-by-step instructions, see Using the Filex file distribution system.

Safe File Transfer Tools

If you need to transfer confidential information between two systems that you manage, use secure protocols like SCP or SFTP. WinSCP is an easy-to-use, Windows tool for SCP and SFTP.

How can I safely store confidential information?

Encrypt Files

By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. When you use encryption, it is important to have a recovery plan in case you forget your key.

For details, see SAP 29.01.03.M1.31.

Whole Disk Encryption

To better protect your data, consider whole disk encryption. It prevents a thief from even starting your computer without a passphrase.

  • PGP Desktop - Texas A&M provides and supports PGP Desktop as a recommended whole disk encryption product for Windows computers. This makes your entire hard drive or flash drive unreadable by anyone who does not have the key. One advantage of using PGP Desktop is that we can recover your data in the event of a lost encryption key. Departments interested in using this software may purchase it through the Texas A&M Software Center. PGP Desktop is not currently offered as a tool to individual users. Contact ciso@tamu.edufor additional information.
  • FileVault - For Mac Users, FileVault is a built-in tool for whole disk encryption. If you are using this tool, make sure that you have a recovery plan in case you forget your encryption key. You can create a recovery key to share with your trusted IT person or administrative assistant. This way if you forget your password, they can use the recovery key to decrypt your data.
How can I safely post grades?

FERPA requires that student grades be accessible only to individual students and other authorized personnel. Posting grades in a secure course management system (like eLearning or eCampus) is the preferred method for distributing grades online at Texas A&M University. Instructional Technology Services (ITS) can provide help in using instructional technologies.

If you do not use a Learning Management System, give students their grades individually.

What should I do if I know confidential information has been disclosed?

Report disclosures of confidential information as soon as you realize they have occurred by emailing itrm@tamu.edu. For additional details about reporting disclosure of sensitive personal information, see SAP 29.01.03.M1.24.

Additional Resources

Visit the following web sites for information on confidential information:

If you have any questions about FERPA, please contact the Office of the Registrar, Records Section at 979.845.1003 or records@tamu.edu.