Acknowledgement and Compliance Statement

Issued by:

Office of the Chief Information Officer

APPLICATION

The following Acknowledgement and Compliance Statement is provided to protect employees and students at The State University of New York at Stony Brook. Personnel, student, financial, medical and patient information contained within Stony Brook's information systems and external SUNY systems is considered confidential. This confidential information and any other information made confidential by law is limited to those individuals (employees, consultants, adjunct professors, third-party vendors, etc.) whose position requires use of this information.

GUIDELINES

By signing the statement below, you are acknowledging your acceptance and adherence to the confidentiality requirements imposed by federal and state law and Stony Brook policy. If you should ever be uncertain about what constitutes legitimate use or release of information, err on the side of confidentiality and refer the inquiry to the Office of Legal Counsel for Stony Brook University.

I, _____________________________________________, understand that by virtue of my work for The State University of New York at Stony Brook, that I may have access to data which is confidential and is not to be disclosed to any person or entity without appropriate authorization, subpoena, or court order. In order to access confidential information, I agree to adhere to the following guidelines:

  1. I understand and acknowledge that improper or inappropriate use of data in the University's information systems is a violation of University procedures and it may also constitute a violation of federal and state laws.
  2. I will not provide confidential information to any individual or entity without proper authorization.
  3. I will not review records or files for which I do not have a legitimate need to know in order to perform my work.
  4. I will not remove confidential information from University facilities except as specifically authorized to do so.
  5. I will not make copies of any records or data except as specifically authorized in performance of my work.
  6. I will not share my user id and password with anyone, including my support staff, if any.
  7. I will not use the data for personal use or for commercial purposes.
  8. I will refer all requests for information from law enforcement governmental agencies, and other external entities to the Office of Legal Counsel.
  9. I will refer external requests for all University statistical, academic or administrative data to the Office of Institutional Studies, Office of the University Counsel, or those departments that have been authorized to respond to such requests.
  10. I agree to report any unauthorized access to confidential data immediately to the CIO.
  11. I understand that any improper or inappropriate use of data in the University's information systems may result in the cancellation of my contract with the University and legal action.
  12. If through the performance of my work, data is required to reside on a machine outside the direct control of the Division of Information Technology, I agree to take precautions against the possible disclosure of this data. Precautions include but are not limited to encryption of the data, installation and use of a firewall, limit access to this machine during the time when the data is present on it.

FERPA COMPLIANCE STATEMENT

History

The Family Rights and Privacy Act (FERPA) of 1974 (“Act”), as amended, seeks to guarantee both a student's right of access to records and the confidentiality of student information for anyone who has ever matriculated at an educational institution. Individuals who have been denied admission to the University are not covered by the act.

There is nothing in the act that is intended to restrict the use of student information by University officials in the normal exercise of their duties involving the educational interests of the student. With very limited exceptions, student information must not be transmitted by these officials to anyone outside the University without either the express written release by the student or pursuant to lawfully issued subpoena/order. Releases pursuant to subpoena or other legal mandate must be coordinated through the Office of University Counsel (2-6110).

Education records are defined as records directly related to the student and maintained by the University. This generally does not include records of the law enforcement unit, medical or similar professional records, and employment records (Note: student employment records are considered to be education records by FERPA). Further reference to campus policy may be found in the University's policy manual, section P 507R, Student Access to Academic Records.

Guidelines for Release of Student Information

Conditions for student access are:

  • Presentation by the student of a pictured identification card, or
  • Receipt of a signed and dated request from the student.

Students must NOT be allowed access to:

  • Education records that contain information on more than one student (the student may review only the specific information about himself or herself);
  • Financial records of the student's parents;
  • Letters of recommendation or reference received after January 1, 1975 for which the right of inspection has been waived.

Directory Information

The following is considered DIRECTORY INFORMATION and is available to the public upon request in accordance with New York's Freedom of Information Law UNLESS the student has formally requested that this information be held private/confidential.

Student's name, addresses, telephone numbers, date and place of birth, major field of study, class, participation in officially recognized activities and sports, weight and height of members of athletic teams, likenesses used in University publications, dates of attendance, degrees and awards received and previous institutions attended.

To Request Nondisclosure of Directory Information

This designated directory information is subject to release by the University at any time unless the University, Office of the Registrar, received prior written objection from the student. Currently enrolled students may withhold disclosure of directory information by filing a request from with the Registrar's Office.

Release of Education Records

The University is authorized to provide access to student records to campus officials and employees who have legitimate educational interest in such access, without the student's written consent. These persons are those who have responsibilities in connection with campus academic, administrative or service functions and who have reason for using student records connected with their campus or other related academic/administrative responsibilities as opposed to a personal or private interest. Such determination will be made on a case-by-case basis.

University officials will release educational information upon receipt of a signed, dated, written consent of the student which must specify the records that may be disclosed and identify the party to whom the disclosure may be made.

Parents of a dependent student, as defined by the Internal Revenue Code of 1954, Section 152 and who supply supporting documentation, may be granted access to a student's educational record under some circumstances.

Other circumstances that allow access to a student's educational record:

  • in connection with Financial Aid
  • to organizations who are conducting studies that are on behalf of educational agencies
  • to Federal or State educational authorities
  • to accrediting organizations; in compliance with a lawfully issued subpoena; in connection with a health or safety emergency.

Non-University individuals (including parents except as described above) may not have access to educational records other than Directory Information unless authorization from the student is obtained or a lawful subpoena/court order is issued to the University.

Examples of data items not released: grades; grade point average; the specific number of hours enrolled, passed, or failed; Social Security Number; name of parents or next of kin; and/or residency status.

The above are interpretative guidelines only. For clarification and further detail or any specific questions you may have, please write to either: The Office of University Counsel, West Campus, or the University Registrar.

SANCTIONS

Vendor Compliance

Violators of this policy will be subject to the cancellation of contract and civil action. Illegal acts involving Stony Brook computing and networking resources may also subject users to prosecution by state and federal authorities.

Family Educational Rights and Privacy Act

Certain consequences are possible if an individual is found in non-compliance with these rules and regulations as defined by FERPA:

  • Accountability in a court of law (confidentiality and privacy requirements are regulated by Federal law);
  • Possible loss to the University of available funds under Federal programs administered by the Secretary of Education.

I have read this acknowledgement and do hereby demonstrate my understanding and agreement to abide by these guidelines by affixing my signature and the date below.

____________________________________
(Signature)

____________________________________

(Date)