Standards and Procedures for the Protection and Use of Faculty, Staff and Student Identifiers
Only individuals with a "need-to-know" should be authorized to access student and employee records. New hires are required to sign the University’s Employee Access and Compliance agreement (EACA) prior to receiving access to institutional identifiers. Student employees with access to student and employee records must sign the EACA or an equivalent non-disclosure agreement as a condition of employment.
The sharing of authentication credentials (NetIDs, passwords) or authenticating on behalf of another individual for the purpose of granting access to student or employee records is strictly prohibited.
Business and academic units should maintain accurate records of those employees who have been granted authorized access to institutional identifiers.
Reviews of access permissions should be conducted, at minimum, on an annual basis and appropriate changes made as warranted by an employee’s change in status or work responsibilities.
Records containing identifiers are not to be distributed to or viewed by unauthorized individuals. Such documents are to be stored in secured locations. Individual workstations, multi-function devices (printers, copiers, scanners), and portable media (USB drives, laptops, iPads, smart phones) are not considered secure unless the stored records are encrypted and password protected. In high-traffic areas, such documents are not to be left on desks or other visible areas (e.g., computer monitors) in “open view” where they can be subject to casual or incidental viewing.
Repositories of identifiers stored in either paper or electronic formats are to be destroyed (e.g., shredding papers, wiping electronic files) prior to disposal.
SSNs are included in archived databases and in imaged documents. Such historical records cannot be altered. All records and files containing SSN data are to be considered sensitive information and must be handled and stored accordingly.
Removal of University records containing SSNs or institutional identifiers from the campus is prohibited unless authorized by division or department heads for specific business purposes.
The University at Albany may release SSNs or other identifiers to third parties as allowed by law, when authorization is granted by the individuals (student or staff), when the Office of the University Counsel has approved the release (e.g., subpoenas), or when the authorized third party is acting as the University at Albany's agent in the context of a valid contract or agreement, and when appropriate security is guaranteed by the contract or agreement (e.g., financial institutions providing student loans or other financial services).
All such distributions to third parties of institutional data must be performed by University systems of record or by University employees authorized to release this data. Individual employees are not permitted to release this information directly to third parties without proper authorization.