
Confidential Information Policy

Purchase College is committed to protecting the privacy and confidentiality of information contained in the multiple databases and print files maintained by the college in the regular course of business. Personal information that is confidential in nature will be used only in accordance with the Purchase College Information Security Program, Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA) regulations, and all applicable SUNY, state, and federal regulations.

Policy

Employees at Purchase College by nature of their positions will gain access to private personal information about students, faculty, staff, alumni, and other constituents of the college. Employees are obligated to maintain the confidentiality of any such private personal information that is encountered.

Purchase College expects all employees with access to personal information to deal with that information in a respectful and professional manner. As a matter of policy, the college restricts access to personal information to only those employees who have a legitimate “job-related reason” in the performance of their duties for gaining access. Access and release of any student educational records must be in accordance with FERPA regulations.

Access and release of any health records must be in accordance with HIPAA regulations. Any personal information viewed or accessed by an employee through college systems or records is not to be shared or released to others unless there is a legally permissible purpose for doing so. In addition, in accordance with Section 203-d of the New York Labor Law, Purchase College will not:

  • Publicly post or display anyone’s Social Security number;

  • Visibly print a Social Security number on an identification badge, including any time card;

  • Place Social Security numbers in files with open access; or

  • Communicate an employee’s personal “identifying information” to the general public.

Personal identifying information (PII) is defined by NYS as including an employee’s Social Security number, financial account number and PIN, or driver’s license number. Access to PII will be restricted to those with a demonstrable need for access.

Inappropriate disclosure of information pertaining to students, faculty, staff, and other college constituents may violate applicable law and is considered a violation of ethics and a breach of trust placed in employees by the college. Upon finding of a breach of this policy by an employee in a collective bargaining unit, the college may initiate disciplinary action pursuant to the applicable collective bargaining agreement, up to and including termination of employment.

Employees who deal with confidential material on a regular basis will be required to sign a confidentiality statement and to complete annual information security training. Each campus manager will determine employees required to have access to PII who must receive training and sign confidentiality statements.

Guidelines

Employee, student, financial, and medical information contained within Purchase College information systems (electronic and physical files) and external SUNY systems is considered confidential. Access to information made confidential by law or campus practice is limited to those individuals (employees, consultants, adjunct professors, third-party vendors, etc.) whose position legitimately requires use of this information.

The employees (Purchase College faculty, staff, student employees, and volunteers appointed by the college) understand that by virtue of their work for Purchase College they may have access to data that are confidential, and therefore understand they may not disclose such confidential data to any person or entity without appropriate authorization, subpoena, or court order.

Examples of confidential PII include the following:

  • Social Security numbers (SSN)

  • Motorist identification number

  • Bank account numbers and PIN

In addition, FERPA regulations cover

  • Educational records

  • Information (including directory information) made confidential by written request.

In order to access confidential information, employees agree to adhere to the following guidelines:

  1. Employees understand and acknowledge that improper or inappropriate use of data in the college’s information systems is a violation of college policy, and it may also constitute a violation of federal and/or state laws.

  1. Employees will not provide confidential information to any individual or entity without proper authorization.

  1. Employees will not access, use, copy or otherwise disseminate information or data that is not relevant and necessary to perform their specific job-related duties.

  1. Employees will not remove confidential information from college facilities except as specifically authorized to do so.

  1. Employees will not share their user ID and password with anyone.

  1. Employees will not use the data for personal or commercial purposes.

  1. Employees will refer all requests for educational records from law enforcement governmental agencies and other external entities to the vice president for student affairs for matters related to students and to the FOIL Officer for all other requests.

  1. Employees will refer external requests for all college statistical, academic or administrative data to the Office of Institutional Research, Office of Human Resources, or those departments that have been authorized to respond to such requests.

  1. Employees will not communicate any Purchase College employee’s personal identifying information to the general public.

  1. Employees will report any unauthorized access to confidential data immediately to their supervisor and to the Chief Information Officer.

  1. Employees understand that any improper or inappropriate use of data in the college’s information systems may result in disciplinary action pursuant to the applicable collective bargaining agreement, up to and including termination of employment.

  1. Employees are not permitted to store Social Security numbers, credit card numbers, motorist/non-driver IDs or bank account numbers on individual staff computers, or portable media such as external hard drives, USB thumb drives, CDs, DVDs, tapes, etc. without express authorization from the Chief Information Officer. Storing any other confidential data on individual staff computers or any type of portable media is strongly discouraged.

  1. Employees storing confidential data on college servers must on an operational basis remove files containing confidential data when no longer needed.

  1. Employees who are uncertain about what constitutes legitimate use or release of information should always err on the side of confidentiality and refer their questions about the appropriateness of a request for personal information from college systems or records to their supervisor before releasing the information.

Procedures

  1. Supervisors are required to review the Information Security Policy Regarding Confidential Information with each new employee assigned to their department. During the department orientation process, supervisors should provide each employee with a description of the type(s) of confidential information his or her specific position will work with in the performance of his or her duties.

  1. Employees in areas of the college that deal with confidential material will be required to sign a confidentiality statement to be stored in the employee’s personnel file. Each vice president in conjunction with their managers will determine employees required to sign confidentiality statements.

  1. Supervisors shall review the Information Security Policy Regarding Confidential Information on an annual basis and confirm in writing that each employee in the unit reviewed and understood the policy.