Information security should be a top priority in schools.
It’s important for schools to train all staff and faculty members on protecting all student information. Unintentional mistreatment treatment of confidential information may lead to fraudulent activities that could pose a threat to identity theft which could leave the school legally liable.
Traci,
Information Technology is by far one of the most important functions utilized to create a complaint culture. With the technology available, we have the capability to store documents electronically that otherwise will utilize a large amount of physical space to store. We must have many safeguards in place to save this information and make it easily accessible. We must also remember that within the last 20 years we have gone from little technology to technology overload, and by far, the majority of the people cannot keep up with the change. The only way that we can create and maintain a compliant culture within our organization, we must continue to educate our employees in all aspects of the information technology of our organization.
Jorge
Jorge,
Great points on the importance of technology as it relates to compliance.
Traci Lee
Human resources is a critical function and an important tool in creating a compliant culture in an organization. It is not just a matter of making sure employees are properly classified for FSLA purposes. It is more about hiring the right people who will decide to do the right thing when difficult situations occur. Human resources is also involved to make sure that employees are properly trained on the compliance regulations that face each department and the institution as an entity.
John,
I completely agree! Hiring and training the right people is critical. I also think that HR is key to supporting how to address/handle matters when an employee does something inappropriate.
Traci Lee
With regards to information security, it is VERY important to be compliant everyday and keep all personal information secured. Any and all documents that hold personal information including credit card numbers, socials etc are kept in a locked cabinet at all times. Once information is no longer needed, and if it doesn't need to be retained permanently, it is then shredded.
Allison,
Great points! In addition to student files and documents, consider any printouts including reports from student information systems, spreadsheets, etc. that are sometimes printed for reference. I have often seen schools that are meticulous about securing files forget to address such printouts laying around the campus on desks, in trash cans (vs. shredding bins) and other vulnerable places.
Traci Lee
If the student has signed a FERPA allowing that person to be given information about their schedule and financial information, then as I understand it, I am allowed to give them that information. If the parent/spouse is NOT on the FERPA, I always say that I don't know, or if they push the issue, I explain the FERPA and what it allows me to share. I then ask that they have the student fill out a FERPA naming them as someone I can share information with. If the student does so, then I share the information. This happens a lot with student accounts and husbands/wives wanting financial info for budget planning and soforth.
We've also had instances where ex-spouses or ex-girl/boyfriend have shown up on campus looking for a student. In one case the ex was harassing the student and threatening them, so we as a staff have chosen to not give out any information. I always have them identify themselves, and then I will ask them to hold on while I check. I then go into class and speak to the student and let them make the decision.
My first line of defense, however, is that I feign ignorance and say I don't know anything and suggest they contact the student themselves. Better to have someone mad at me for upholding the law than mad at me for not upholding it.
Human resources impacts compliance in both directions. Following the proper practices in hiring and supporting faculty and staff is vital to the survival of a trade school. Therefore, the "i's" and "t's" need to be dotted and crossed for privacy issue, healthcare issues, etc. or regulatory agencies may clamp down on the school. However, creating the right envirnment around these practices is a boon to the productiveness of all employees, and the organization.
Marketing is an especially important business area where business function is critical to creating a compliant culture in any organization.
The marketing material sets the tone for how staff communicates with potential students. These materials need to be spot on in terms of compliance regulations and the importance of this needs to be communicated with staff. I have found that informing my admissions staff of the importance of marketing/advertising compliance has worked to self audit some of our materials that may have made it to publication without my review. This knowledge has created a compliant culture within our admissions department.
Kara,
Excellent points. It's also important that all materials are consistent and aligned - information in such marketing materials should match what is provided in disclosures, annual reports, and other places where such information is stated.
Traci Lee
Marketing: As stated in the training ALL advertising materials should be reviewed for compliance at all levels.
We can not promise the world to every student without first having the data to support such promise.
truth in advertising is just that "the truth".
Information security has taken center stage in the media. On any news day information is being compromised. lost, and stolen in some very complicated methods. On the simpler side just what is said in a voice mail message could bring on a whole set of problems never before imagined. I had a student very upset at me for not leaving a detailed message concerning a financial issue. When I tried to explain that I couldn’t take a chance that the information might be overheard or intercepted it was met with disbelief. As if I was using the security issue as an excuse for being lazy.
Imformation security is a critical business function when creating a complaint culture because you always want to make sure that you keep all student & personal records in a information secured by making sure cabinets are locked. Also to provide a place were shred is available to secure information that is no longer needed.
Jenifer,
This is certainly becoming an area of increased scrutiny. Great point on shredding as I have seen some schools with good intentions create a "to be shredded" box but, it must be in a secure spot if there is a time lag before the documents are actually destroyed.
Traci Lee
It is critical that the business stay focused on information security. For example, when emails are sent with student personal information, those emails should be sent using proper email security protocol. Also, the email should contain only the information required to complete that specific inquiry or task. It is important to archive emails that may have pertinent information that may used as documentation related to a future student audit.
Mary,
This has become a very important piece of security that schools should ensure they are handling properly.
Traci Lee
I think creating a compliant culture in an organization in every one of these areas is extremely critical. I think it begins by following the organizations very own policies and procedures. It is not acceptable to not comply with regulations, but it also is not acceptable for organizations to not follow their own policies. Policies are written so that everyone in the organization has an idea or an outline as to how to comply to certain situations. Compliance begins from within and polcies and procedures should be there to notify and explain while audits are in place to enforce compliance.
Renee,
Very true - some people get so focused on the external regulations, they forget to apply internal policies to any reviews.
Traci Lee
Kristina,
I totally agree with you that information security is very important. There is a certain level of trust that is given to us by students when they submit paperwork that contains personal information. I think it is crucial that if we need to dispose of paperwork it is done in a responsible manner.