COMPREHENSIVE STANDARD P11:
           The institution protects the security, confidentiality, and integrity of its student academic records and maintains special security measures to protect and back up data.

STATEMENT OF COMPLIANCE: The Citadel is in compliance with Comprehensive Standard P11.

RATIONALE FOR JUDGMENT OF COMPLIANCE:

Three complementary college policies, all of which explicitly require compliance with the Family Educational Rights and Privacy Act (FERPA), govern the security, confidentially, and integrity of student records at The Citadel:

•  The statement on "Confidentiality of Student Records" lets students, faculty, and staff know who has a right to information on student records and under what circumstances that information may be released. This statement is published in the undergraduate Catalog [Reference 1] ("Confidentiality of Student Records," pp. 39-41), the Catalog of the College of Graduate and Professional Studies [Reference 2] ("Confidentiality of Student Records," p. 14), the Faculty Manual [Reference 3], and on The Citadel's main web site [Reference 4].

•  The "Policy on the Security and Confidentiality of Student Records" [Reference 5] addresses physical security of records, access to records, training of personnel with access to them, release of information in records, and proper disposal of records. It also assigns responsibility for the implementation of the policy to the heads of departments who use the records; and it charges each department to establish, as necessary, specific procedures to implement the general policy.

•  The "Information Security Plan for Student Records" [Reference 6] explicitly charges the institutional Privacy Officer with the responsibility for coordinating with the vice presidents to maintain the information security program, stipulates requirements for external service providers with access to student records, and gives further directives to departments regarding access to student records and other sensitive information.

Taken together, these three policies inform students, faculty, and staff of their rights and obligations under the law and establish guidelines on how the law will be implemented at The Citadel. In doing so, they demonstrate that protecting the security, confidentiality, and integrity of all student records — both academic and student affairs records — is one of The Citadel's highest priorities.

The college official who serves as the primary resource in matters of security and confidentiality of student records is the institutional Privacy Officer (currently the Special Assistant to the President for Legal Matters) who answers directly to the President. His responsibilities include administering the information security program, monitoring applicable laws and policies, conducting internal training sessions, responding on behalf of the college to unusual requests for information from student records, and responding, if necessary, to complaints concerning violations of policy [Reference 7].

At the beginning of every academic year, and at other times as necessary, the Privacy Officer offers training sessions to inform faculty, staff, and cadets with designated command responsibilities of the applicable laws, policies, and procedures. Also at the beginning of every academic year, he or she distributes to all students a special notice, in writing, to inform them of their rights under FERPA [Reference 8].

Special Security Measures to Protect and Back Up Data

Academic Records Systems:
             The academic records of Citadel students who attended the college before 1919 are stored securely in the original ledger books in The Citadel Archives. The academic records of those who attended between 1919 and 1988 are stored on both paper and on microfilm and are kept in vaults under the control of the Office of Records Management. The academic records of those who have attended since 1988 are kept in electronic form only.
             The Citadel's electronic student academic records are created and stored in the college's Student Information System (SIS). On weekday nights a small portion of these records are transferred to the college's Cadet Information System (CIS).

Ownership of Electronic Data:
             At The Citadel all electronic data — including academic records — are "owned" by the department that is responsible for their creation.
             A relatively small amount of student academic information is owned and maintained by the Department of Athletics (for purposes of reporting eligibility of student athletes to the NCAA), the Admissions Office (for purposes of recruiting and admissions), and the Office of Academic Enrichment (for use by the Writing and Learning Center and the Office of Access Services, Instruction and Support). In each case, these are temporary records and are disposed of in accordance with departmental policy after they have served their purpose.
             With these three exceptions, the Registrar owns all student records, electronic and otherwise.

Control of Access to Electronic Data:
             Students, faculty, and staff can access SIS and CIS only through personal, password-protected accounts. This access is tailored to the legitimate information needs of the individual. Thus, for example, students can view only their own grades, and faculty can enter grades only for course sections they are teaching.
             SIS access is approved in writing or online by the Registrar, and CIS access is approved by the Commandant of Cadets.
             There are no shared SIS and CIS accounts. Each account is the responsibility of its individual owner, and the college's computer usage policy prohibits the sharing of computer account passwords.
             Faculty and staff are required to change their SIS passwords every 90 days.
             Information Technology Services staff are prohibited by departmental policy from adding, changing, or deleting any administrative information system data, including academic records.

Protection of Social Security Numbers:
             To protect students' privacy, The Citadel limits the use and display of student social security numbers. Instead, the college uses "Citadel ID numbers" to identify students whenever feasible. These 9-character IDs follow this format: CIT-03-1234. In this example 03 represents the year a student entered The Citadel, and 1234 is a random number. However, we do not try to prevent social security numbers from being seen by appropriate staff in administrative offices such as the Registrar's Office, Financial Aid, Admissions, Human Resources, and Payroll. Doing so would cripple college operations.

Posting of Grades and Other Academic Records:
             No one is allowed to post grades or other academic records in a public place. Students can use the PAWS component of SIS to see their grades soon after instructors enter them online.

Data Backups:
             Every weeknight, SIS and CIS data are backed up to magnetic tape before batch processing begins. When batch processing is completed, both systems are backed up again — this time to a different tape. When the night operator leaves the Bond Hall computer center (south end of campus), he takes both of the daily backup tapes to the college's Public Safety office just in case the computer center is damaged or destroyed during the night. When the operations manager arrives each morning, he takes both backup tapes to a fireproof safe located in Jenkins Hall (north end of campus). Backup tapes are reused every two to three weeks.

Off-site Storage:
             Every week the night operator takes a complete set of SIS and CIS backups to a North Charleston bank approximately ten miles north of The Citadel. He or she stores these tapes in one of the bank's safe deposit boxes.

DOCUMENTATION: