


The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students”.
• Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
• Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
• Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
1. School officials with legitimate education interest;
2. Other schools to which a student is transferring;
3. Specified officials for audit or evaluation purposes;
4. Appropriate parties in connection with financial aid to a student;
5. Organizations conducting certain studies for or on behalf of the school;
6. Accrediting organizations;
7. To comply with a judicial order or lawfully issued subpoena;
8. Appropriate officials in cases of health and safety emergencies; and
9. State and local authorities, within a juvenile justice system, pursuant to specific State law.
Schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
Joseph’s College Cosmetology is required to:
• Annually notify students of their rights under FERPA;
• Provide a student with an opportunity to inspect and review his or her education records within 45 days of the receipt of a request;
• Provide copies of education records, or make other arrangements to provide the student access to the records, upon request at no charge to the student or parent; and
• Maintain a record in a student’s file listing to whom personally identifiable information was disclosed and the legitimate interests the parties had in obtaining the information (does not apply to school officials with a legitimate educational interest or to directory information).
I have read and understand my rights regarding the FERPA requirements of the school and myself.
Joseph’s College Cosmetology has a policy that protects data used in all aspects of the administration of the Title IV Federal student financial aid programs. Joseph’s College will assess and implement strong security policies and controls and undertake ongoing monitoring and management for the systems, databases and processes that support all aspects of the administration of Federal student financial aid programs authorized under Title IV of the Higher Education Act of 1965, as amended (the HEA). These systems, databases and processes include all systems that collect, process, and distribute information including PII in support of applications for and receipt of Title IV student assistance.
Joseph’s College has entered into the Student Aid Internet Gateway (SAIG) Enrollment Agreement, under which Joseph’s College must ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel. Under various Federal and state laws and other authorities, including the HEA; the Family Educational Rights and Privacy Act (FERPA); the Privacy Act of 1974, as amended; the Gramm-Leach-Bliley Act; state data breach and privacy laws; and potentially other laws, Joseph’s College may be responsible for losses, fines and penalties (including criminal penalties) caused by data breaches.
Joseph’s College will follow industry standards and best practices in managing information and information systems and in securing PII. These standards and practices include:
• Assessing the risk and magnitude of harm that could result from unauthorized access, use, disclosure, disruption, modification or destruction of information or information systems;
• Determining the levels of information security appropriate to protect information and information systems;
• Implementing policies and procedures to cost-effectively reduce risks to an acceptable level; and
• Regularly testing and evaluating information security controls and techniques to ensure effective implementation and improvement of such controls and techniques.
Such standards and practices also include collaborating with, and utilizing the resources of, US-CERT and other organizations dedicated to protection of information systems and the sensitive data they process.
The SAIG Agreement also includes a provision that in the event of an unauthorized disclosure or an actual or suspected breach of applicant information or other sensitive information (such as PII), Joseph’s College must immediately notify FSA at CPSSAIG@ed.gov. This provision is especially important as it helps FSA identify risks and breaches that impact multiple institutions and other entities.
Joseph’s College will also comply with the Gramm-Leach-Bliley Act. Joseph’s College is required to ensure the security and confidentiality of customer records and information. The HEA also requires Joseph’s College to maintain appropriate institutional capability for the sound administration of the Title IV programs. Such capability would include satisfactory policies, safeguards, monitoring, and management practices related to information security. Further, FERPA generally prohibits Joseph’s College from having policies or practices that permit the disclosure of education records or PII contained therein without the written consent of the student, unless an exception applies.
Joseph’s College has entered into contractual arrangements with FAME, UNISA, Inc., Coordinating Commission for Postsecondary Education to fulfill institutional obligations with respect to the Title IV federal student financial assistance programs. Joseph’s College remains liable for any action by its third-party servicers.
Under the GLBA, Joseph’s College is required to ensure the security and confidentiality of student financial aid records and information. The GLBA requires Joseph’s College to, among other things:
• Develop, implement, and maintain a written information security program;
• Designate Ken Broekemeier and IT service provider, Intellicom, Inc. as responsible for coordinating the information security program;
• Identify and assess risks to student information;
• Design and implement an information safeguards program;
• Select appropriate service providers that are capable of maintaining appropriate safeguards; and
• Periodically evaluate and update their security program.
Under these GLBA requirements, Jane Nims, President, Ken Broekemeier and Intellicom, Inc. have, at a minimum, evaluated and documented their security posture against the requirements of GLBA and have taken immediate action to remediate any identified deficiencies.
Joseph’s College also reviews and understands the standards defined in NIST SP 800-171, the recognized information security publication for protecting “Controlled Unclassified Information (CUI),” a subset of Federal data that includes unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations and federal policies. These are recommended requirements for non-Federal entities that handle CUI, including:
• Limit information system access to authorized users (Access Control Requirements);
• Ensure that system users are properly trained (Awareness and Training Requirements);
• Create information system audit records (Audit and Accountability Requirements);
• Establish baseline configurations and inventories of systems (Configuration Management Requirements);
• Identify and authenticate users appropriately (Identification and Authentication Requirements);
• Establish incident-handling capability (Incident Response Requirements);
• Perform appropriate maintenance on information systems (Maintenance Requirements);
• Protect media, both paper and digital, containing sensitive information (Media Protection Requirements);
• Screen individuals prior to authorizing access (Personnel Security Requirements);
• Limit physical access to systems (Physical Protection Requirements);
• Conduct risk assessments (Risk Assessment Requirements);
• Assess security controls periodically and implement action plans (Security Assessment Requirements);
• Monitor, control, and protect organizational communications (System and Communications Protection Requirements); and
• Identify, report, and correct information flaws in a timely manner (System and Information Integrity Requirement).
Joseph’s College has purchased the Zix security system to protect student information, including social security numbers, date of birth and any other personal information, within the school’s email system. Any email within the Joseph’s College school system with the josephscollege.edu domain will use the Zix system, which will encrypt the information so outside entities cannot receive this information.
Joseph’s College also employs an IT service from Intellicom, Inc., which helps with any cybersecurity issues that may appear.
(Policy on Cybersecurity) (Effective July 1, 2022, the following was implemented with the previous information.)
The Gramm-Leach-Bliley Act (GLBA) was passed by Congress in 1999 and is enforced by the Federal Trade Commission. It is a federal law that protects customers’ non-public information, otherwise known as NPI. Examples of NPI include social security numbers, credit card numbers, tax return information, driver’s license, and dates of birth. This also includes student financial aid records and information.
GLBA is comprised of two categories: the Financial Privacy Rule and Safeguards Rule.
An institution achieves compliance with the Financial Privacy Rule when FERPA rules are established and maintained. Joseph’s College acknowledges and practices all FERPA guidelines as posted on our website at https://josephscollege.edu/Consumer Information/FERPA. (Please see attached FERPA document that is signed by students in orientation.)
Higher education institutions, such as Joseph’s College, are also subject to the Safeguards Rule Act. This Rule addresses the administrative, technical, and physical safeguarding of consumer information. We are required to take necessary precautions to ensure the privacy, security, and confidentiality of customer and student records. A Security Program is required. Joseph’s College has implemented a Program to comply with the Gramm-Leach-Bliley Act (GLBA). This Program safeguards student and financial information, as well as all non-public information in paper and electronic form, regarding various Federal and state laws and other authorities, including the HEA; the Family Educational Rights and Privacy Act (FERPA); the Gramm-Leach-Bliley Act; state data breach and privacy laws; and potentially other laws.
The Joseph’s College Security Program seeks to (1) ensure the security and confidentiality of customer and student records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer or student. This program is a plan to assess existing risks to customer or student information including ways to manage and control the existing risks. Our plan also monitors third party outsourcing arrangements to ensure compliance with the college’s policies and procedures. 12 main components comprise our Security Program.
1. Ken Broekemeier has been designated as the “qualified individual” to implement and enforce the information Security Program. He also communicates with and oversees our contracted IT provider, Intellicom, Inc., located at 1700 2nd Ave, Kearney, Nebraska.
2. Our email is safely transmitted and received via ZIX encryption to secure our NPI information. This security system protects student information including social security numbers, date of birth and additional personal information. A password for computer login and another for email is also required. All computers have up-to-date Webroot protection software, provided by Intellicom, Inc.
3. DocuSign is utilized by our Financial Aid and Admissions Departments for safe document transmission and retrieval. DocuSign uses AES 128-bit encryption and SSL 256-bit encryption to ensure documents in the system are always encrypted. Multi-factor authentication is required for associates using DocuSign.
4. Our Admissions Department utilizes Salesforce. It is encrypted for NPI student enrollment information. All associates using Salesforce use multi-factor authentication.
5. Our website (josephscollege.edu) is secured, and the SSL certificate is updated annually. The SSL is a digital certificate that authenticates a website's identity and enables an encrypted connection. Webhosting is provided by Intellicom, Inc.
6. When our Financial Aid Department accesses the Department of Education website, multi-factor authentication is used via an additional token that is required with the password.
7. All Joseph’s College employees use multi-factor authentication when accessing information with our system. A password is required to log in, with an additional security requirement of the MFA from Microsoft Azure. Email is also encrypted safely via ZIX security.
8. Physical access barriers to written and electronic NPI have also been established. Barriers include secured access to rooms and file cabinets where paper records are kept. Doors to office areas are to be locked during non-business hours. Student information is to be processed in work areas that are behind doors or in other areas not regularly accessible to the public. Sensitive documents at our Corporate Offices are disposed of and shredded through Paper Tiger, Inc. At each campus, documents are shredded on site. Maintenance staff are trained to ensure that secure areas remain locked and confidential information is safeguarded. Computer screens displaying personally identifiable information are to be minimized when not in use to prevent inadvertent breaches. User IDs, passwords, and PINs are not to be posted near or on computers.
9. All Joseph’s College computers and devices are inventoried. Wi-Fi is password protected and is not available to the public. When computers are retired and no longer used, we dispose of them with Sadoff E Recycling & Data Destruction in Lincoln, Nebraska. The data contained on such equipment is erased and destroyed for the safety of confidential information.
10. A security penetration test will be conducted annually with Intellicom, Inc.
11. Security training will be conducted annually with Joseph’s College associates. New associates will be given training upon hire. Access to our security protocols will also be posted in the campus Team Leader office.
12. As noted in the Federal Student Aid Internet Gateway Enrollment agreement, Joseph’s College will notify the FSA at CPSSAIG@ed.gov of any breach of applicant or other sensitive information.