4.6 - Confidentiality Policy

: Human Resources
: President
: 09/20/2018
: 09/20/2018
: 09/20/2019

4.6.1 - AUDIENCE

All University employees granted access to confidential Institutional Data and Student Education Records.


The purpose of this Policy is to provide University employees with a basic understanding of their responsibilities to protect and safeguard Student Education Records and other confidential Institutional Data to which they have access as a result of their employment and to establish guidelines for the use and dissemination of such information.


Institutional Data: any information, including Directory Information, Personally Identifiable Information, and Student and Employee Financial Information, that can be linked to any individual, including but not limited to students, faculty, staff, or contractors.  Institutional Data and all applications storing and transmitting such data, regardless of the media on which they reside, are valuable assets, which the University has an obligation to manage, secure, and protect.

Directory Information: information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.  The University designates the following categories of student information as public, or directory information: a student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, the most recent educational agency or institution attended, electronic mail addresses and photographs. It also states that directory information does not include a student’s social security number or student identification number. “Directory information,” however, does include student identification numbers or user identification when such identifiers cannot be used to gain access to education records unless used in conjunction with other factors authenticating the user’s identity.

Employee Financial Information—that information the University has obtained from an employee in the process of offering a benefit or service.  Offering a benefit or service includes all University sponsored benefit plans and University financial services such as flexible spending accounts, and personal payroll services.  Examples of employee financial information include bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

Personally Identifiable Information (“PII”): PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity that has not been designated as directory information, such as social security number, place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information relating to an identified or identifiable person.  An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

Student Financial Information—that information the University has obtained from a student in the process of offering a financial product or service, or such information provided to the University by another financial institution.  Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28.  Examples of student financial information include bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

Student Education Records— all records which contain information directly related to a student and maintained by the University, including those files, documents, and other materials (in handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche) that contain information directly related to a student which are maintained by the University or by a person acting for the University pursuant to University or divisional policy.  Information that is captured as a result of a student’s various activities at the University is part of the student record.  This information includes, but may not be limited to, logs, databases or other records of: websites the student has visited, purchases made at University facilities, entry day/time into University facilities, library use and biometric records.

Records that are not “Education Records” include, but are not limited to, sole possession, law enforcement, employment, medical, counseling, and post-attendance records. More specifically, the following are not considered “educational records”: (a) notes belonging to a faculty or staff member and intended for the faculty/staff member’s own use are not subject to inspection, disclosure, or challenge unless the person maintaining the notes disclosed the information to a person in the University community other than the student named in the notes (upon such a disclosure, the records are then open for review by the student); (b) security records pertaining to an investigation when the record is maintained solely for campus safety and security purposes, is revealed only to law enforcement agencies of the same jurisdiction, and is maintained separately from education records; (c) student employment records, provided the record is maintained in the normal course of business and is used only in relation to the student’s employment; (d) student records that are made or maintained by a physician, counselor, psychologist, or other recognized professional acting in that capacity are not subject to the provisions of access, disclosure, and challenge when the records are used only for treatment of a student and are made available only to persons providing the treatment; (e) records which contain only information about an individual after he or she is no longer a student at the University, such as alumni records; and (f) grades on peer-graded papers before they are collected and recorded by a teacher.

Family Educational Rights and Privacy Act of 1974 as Amended—The Family Educational Rights and Privacy Act (FERPA) (20 USC Section 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records.  The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.  Additional information on FERPA is available online at http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

4.6.4 - THE POLICY

In accordance with the Family Educational Rights and Privacy Act of 1974 (FERPA), employees of Thomas More University are required to protect the security and confidentiality of Student Education Records.  All employees might have access to these records, and willful or unauthorized disclosure violates Thomas More University’s policy, as well as federal law.  University employees will have access to student records on a “need-to-know” basis.  It is the responsibility of all employees who have access to Student Education Records to be informed about FERPA laws and University requirements.

In addition to Student Education Records, employees may not disclose confidential information gleaned from business transactions and must protect confidential relationships between the University and its employees, students, and suppliers (hereinafter referred to as “Institutional Data”).  Institutional Data that has not been made public is confidential and employees may not release such information to anyone unless required for a business purpose of the University or by legal process such as a subpoena or court order.

Further, employees may not use Institutional Data for private interest or personal gain.  No employee may remove Institutional Data, confidential or not, including, without limitation, documents, notes, files, records, computer files or similar materials from the University’s property without permission from the employee’s supervisor, except in the ordinary course of performing duties on behalf of the University.  The University prohibits employees from attempting to obtain and from possessing non-public Institutional Data for which they have not received access authorization.  An employee who is unsure about the confidential nature of specific information or the employee’s authority to access or use confidential information must ask their supervisor for clarification.

Violations of this Policy will result in the University taking appropriate disciplinary action against the violator, up to and including discharge from employment with the University.  Disciplinary action will be taken in accordance with the University’s policies and procedures that apply to the violator.  Conduct that violates this Policy also may result in civil or criminal charges and penalties against the violator.


Family Educational Rights and Privacy Act (FERPA) (20 USC Section 1232g; 34 CFR Part 99)
Fair and Accurate Credit Transactions Act of 2003
Financial Services Modernization Act of 1999, also known as the Gramm–Leach–Bliley Act (GLBA)

Acceptable Use Policy
FERPA Policy


Employees must notify the University of any violation of this Policy or its guidelines.  Employees may report their concerns immediately to their supervisor, department or division head, or area vice president.


4.6.8 - HISTORY

This is a new policy, replacing language in the Staff Manual (May 2014).

4.6.9 - APPENDIX

There are no appendices to this Policy.

4.6.10 - APPROVALS

Laura Custer, Director of Human Resources

Dr. Kathleen Jagger, Acting President