Troy University
SACS Reaffirmation of Accreditation
3.9.2 The institution protects the security, confidentiality, and integrity of its student records and maintains special security measures to protect and back up data. (Student records)
 
X Compliance   Partial Compliance   Non-Compliance

Narrative:  

Troy University is in compliance with this Comprehensive Standard.

Troy University protects the security, confidentiality and integrity of its student records and provides appropriate security measures to protect this data; therefore, Troy University is in compliance with this Comprehensive Standard.
 

Maintenance and Security of Student Records

Student records are stored in accordance with American Association of Collegiate Registrars and Admissions Officers (AACRAO) retention standards, as well as the State of Alabama Department of Archives and History directives. Permanent student paper records for the Troy campus, Phenix City campus, and Global Campus sites are housed on the Troy, Ala. campus. Physical records for Dothan and Montgomery, Ala. campuses are housed on their respective campuses. All paper records are kept in locking, fireproof file cabinets and/or in a fire vault.

Troy University uses Datatel’s Colleague Student information system as its administrative software for student records. The Datatel Colleague Student information system offers a layered, role-based user security system. Each user of the system has specific roles assigned to unique logins. The roles are approved by division supervisors. The Troy University Department of Information Technology maintains a central repository of electronic resource user credentials, and this central repository is constantly monitored to safeguard against inappropriate login provisioning. The Datatel Colleague Student information system is backed up nightly to a local data repository, and daily copies of data are stored in a remote vault for one year. Weekly backups of the data are warehoused at a remote location indefinitely. Additionally, daily data copies are migrated to a remote backup facility for one week.

Since the fall of 2005, all student records received by University records personnel are scanned upon receipt into a document imaging system. Scanned documents may be retrieved by authorized University personnel through a secured, password-protected Web access. The document imaging process allows all locations of Troy University to have immediate access to student records, irrespective to the original point of receipt of the document.

The document imaging system is backed up daily to two remote locations and one local repository, and these daily backups are maintained for 30 days. Access to the document imaging system is maintained by the Department of Information Technology through its central repository of electronic resource user credentials.

Access to all electronic student data occurs through unique user credentials employing an advanced encryption process to further protect the data. Department of Information Technology backup and administration processes are audited by the State of Alabama Public Examiners office, McAfee Secure Audit Team, and an independent information technology audit firm. The audits reveal no findings and full compliance with regulatory standards. Troy University’s information technology systems are scanned daily by McAfee Secure Audit Team and an independent information technology audit firm. Troy electronic systems are in full compliance with National Infrastructure Protection Center (NIPC), Visa Cardholder Information Security Program (CISP), Payment Card Industry (PCI), Visa International Account Information Security (AIS), MasterCard Site Data Protection (SDP) and Data Security Corporation (DSC) security standards.


Privacy of Student Records

Each student has the right to consent to disclosure of personally identifiable information contained in his or her education records, except to the extent that the Federal Educational Rights and Privacy Act (FERPA) authorizes disclosure without consent.

One exception which permits disclosure without consent is disclosure to school officials with legitimate educational interests. A school official is a person employed by the University in an administrative, supervisory, academic, research or support staff position (including law enforcement personnel and health staff); a person or company with whom the University has contracted (such as an attorney, auditor or collection agent); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or grievance committee or assisting another school official in performing his or her tasks.

A school official has a legitimate educational interest if the official needs to review an educational record in order to fulfill his or her professional responsibility.

Students are informed of these policies through information widely disseminated through the Undergraduate Catalog, the Graduate Catalog and the Student Handbook (The Oracle). For more details, see Comprehensive Standard 3.9.1.


Release of Education Records

The University is authorized to provide access to student records, without the student’s written consent, to University officials and employees who have legitimate educational interest. These persons are those who have responsibilities in connection with academic, administrative or service functions and who have reason for using student records connected with academic/administrative responsibilities as opposed to a personal or private interest. Such determination will be made on a case-by-case basis by the University Registrar in consultation with the Executive Vice Chancellor/Provost.

At the direction of the University Registrar, the University may release the following directory information upon request: name, local address (including email), telephone numbers, name and address of emergency contact, dates of attendance, school or division of enrollment, enrollment status, field of study, credit hours earned, degrees earned, honors received, and participation in University recognized organizations and activities. Any student who does not wish directory information released must file written notice in the office of the registrar.

University officials will release educational information upon receipt of a signed, dated, written consent of the student which must specify the records that may be disclosed and identify the party to whom the disclosure may be made. Parents of a dependent student, as defined by the Internal Revenue Code of 1954, Section 152 and who supply supporting documentation, may be granted access to a student’s educational record under some circumstances.

Other circumstances may allow access to a student’s educational record such as information required for financial aid, organizations conducting studies on behalf of educational agencies, requests from federal or state educational authorities, information provided to accrediting organizations, compliance with a lawfully issued subpoena, and information required in connection with a health or safety emergency.

Non-university individuals (including parents except as described above) may not have access to educational records other than directory information unless authorization from the student is obtained or a lawfully issued subpoena/court order is issued to the University.

Examples of data items not released include grades; grade point averages; the specific number of hours/credits enrolled, passed or failed; Social Security Number; and name of parents or next of kin.

Oversight to ensure compliance with these policies rests with the University Registrar who reports to the Executive Vice Chancellor/Provost.

In conclusion, Troy University is in compliance with this Comprehensive Standard.

 

Supporting Documentation Location
American Association of Collegiate Registrars and Admissions Officers (AACRAO) http://www.aacrao.org/
Comprehensive Standard 3.9.1 http://sacs.troy.edu/reports/03-09-01.html
Datatel's Colleague Student http://www.datatel.com/experience/products/colleague/student.cfm
Federal Educational Rights and Privacy Act (FERPA) http://www.ed.gov/policy/gen/guid/fpco/ferpa/
Graduate Catalog, 2008-2009 http://www.troy.edu/catalogs/0809grad_pdf/
Information Technology Department https://it.troy.edu/
Internal Revenue Code of 1954, § 152 https://sacs.troy.edu/reference/IRS-Code_1-152-1.pdf
State of Alabama Department of Archives and History Directives http://www.archives.state.al.us/officials/RDA.html
Student Handbook (The Oracle), 2008-2009 Edition http://sacs.troy.edu/reference/Oracle-Student-Handbook-2008-2009.pdf
Undergraduate Catalog, 2008-2009 http://www.troy.edu/catalogs/0809undergrad_pdf/

 

Last Updated: 08/22/2008