With identity theft on the rise, it is crucial that financial aid administrators take responsibility for safeguarding the confidential information of students and parents. Colleges and universities are required to develop, implement and maintain a comprehensive written information security program. Here are a few best practices:
- Designated employee(s) to coordinate the institution's information security program.
- A risk assessment to identify reasonable, foreseeable internal and external risks to the security and integrity of customer information. At a minimum, the risk assessment should consider risks in each of the following operational areas: (1) employee training and management, and (2) information systems, including detecting, preventing and responding to attacks, intrusions or other system failures.
- Information safeguards that are designed and implemented to control the risks identified through the risk assessment, together with regular testing and monitoring of the effectiveness of those safeguards, systems and procedures.
- A contractual arrangement that requires service providers to implement and maintain appropriate safeguards for customer information.
- Periodic evaluation and adjustment of the information security program, based on the results of testing and monitoring.
Along with these elements, it is important to recognize the value of staff training and of oversight that enforces the procedures for safeguarding information in daily staff contact with students. Following are some tips that will help minimize the risk of confidential information falling into the wrong hands:
- Make the school's information security policies and procedures available to all staff.
- Train staff, including temporary staff and work-study students, on safeguarding confidential information.
- Create an information security and confidentiality agreement that is signed by all employees and work-study students.
- Restrict access to confidential data to only those staff who need it to perform their job functions. Unauthorized users should not have access to the data. See California Civil Code, Information Practices Act, Section 1798.24, and other state-specific civil codes for criteria on disclosure of personal information to the public.
- Avoid the use of Social Security numbers as passwords and as general identifiers on documents visible to the general public. Select longer, difficult-to-guess passwords, keep them in a secure area and change them frequently.
- Log off unattended workstations to ensure that confidential data is not left displayed. Screensavers with timeout and password features, and the use of encryption, are effective tools to reduce the risk of unauthorized individuals acquiring confidential information. Encryption uses a mathematical formula to scramble your data into a format that is unreadable by anyone who is not the authorized user.
- Record the identity of the staff member completing each transaction as a feature of the school system.
- Secure confidential paper records and shred them promptly when no longer needed. At a minimum, school procedures must follow the record retention requirements outlined in the Code of Federal Regulations.
- Immediately delete system access (to both internal and external systems) for former employees and have their computer hard drives re-formatted. Requests to delete access to external systems (i.e., National Student Loan Data System, Department of Education and EDFUND) must be sent in a timely manner to each agency. Each agency has its own policy on timely notification. EDFUND requires institutions to provide notification within five working days of the change.
- Educate students and parents on safeguarding personal information to avoid identity theft. The Department of Education's Web source, www.ed.gov/misused, provides a handout that can be used by students and parents.
We hope this reminds those who handle institution records that it is important to take every precaution possible to protect others' confidential information. The standard for handling confidential information should be to treat it the same way you would treat your own personal information!
©2006 EDFUND – REPRINT BY PERMISSION ONLY.
FOR MORE INFORMATION ON EDFUND PRODUCTS AND SERVICES, CONTACT MICHAEL AMALOO, SENIOR CLIENT RELATIONS MANAGER AT: 17011 LINCOLN AVENUE, PMB 504, PARKER, CO 80134 – TELEPHONE: TOLL FREE 1.866.299.1741 – FAX: 303.840.2851 – MAMALOO@EDFUND.ORG – WWW.EDFUND.ORG.