Tusculum University complies with the Federal Family Educational Rights and Privacy Act of 1974 (FERPA) and the Tennessee Student Information in Higher Education Act. While the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. § 1232) prohibits the release, to third parties (not inclusive of individuals with an educational need to know), of information contained in a student’s educational records (excepting the notification of parents or guardians of students under the age of 21 in cases of alcohol and drug related violations, and victims in violence related incidents), the University complies with the Tennessee Student Information in Higher Education Act of 2005 in seeking to make student information readily available to students to promote an educational partnership. Nonetheless, students requesting such release to other individuals must complete a form available on the Tusculum University website to allow the University to work with them while satisfying the federal regulations. Tusculum students have the right to inspect their records to challenge the accuracy of those records.
FERPA defines requirements that are designed to protect the privacy of the students concerning their records maintained by the University. The law requires that:
- The student must be provided access to official records directly related to the student. This does not include private records maintained by instructional, supervisory or administrative personnel. A student who wishes to see his/her records must make an appointment through the Registrar’s Office. A student may not remove any materials but is entitled, at his/her own expense, to one (1) copy of any material contained in this file.
- The student must be given the opportunity for a hearing to challenge such records on the grounds that they are inaccurate, misleading or otherwise inappropriate. The right to a hearing under the law does not include any right to challenge the appropriateness of a grade as determined by the instructor.
- The student’s written consent must be received prior to releasing identifiable data from the records to anyone other than those specified in paragraphs 4 and 5 below.
- The University is authorized under FERPA to release public directory information concerning students. University personnel authorized to release such information are established through institutional policy and procedure. Students may opt out of having this information released. Data considered to be public directory information by the University which may be released on general request includes the student’s name, address, telephone listing, email, enrollment status (full or part-time), photo, date and place of birth, major field of study and anticipated graduation date, dates of attendance, site, degrees and awards received, most recent previous educational agency or institution attended by the student, participation in school activities and sports and any other information authorized in writing by the student. Directory information is subject to release by the University unless the Registrar’s Office has received a prior written request from the student specifying that the information not be released.
- Tusculum University is authorized to provide access to students’ records to Tusculum University officials and employees who have legitimate interests in such access; these are persons who have responsibilities in the University’s academic, administrative or service functions. Tusculum University may disclose personally identifiable information from a student’s education records, without consent, to another school in which the student seeks or intends to enroll.
- Minors and dependents: Once a student attends an institution of postsecondary education at any age, he or she becomes an “eligible student,” and all rights under FERPA transfer from the parent to the student. Schools are not required to disclose education records to parents without the consent of the eligible student, even if the student is a “dependent student,” as that term is defined in Section 152 of the Internal Revenue Code. All students, regardless of age or dependency, retain rights over their own education records maintained by Tusculum University. A student must complete a consent form provided by the University to give access to their parent or any other authorized individual.
An amendment to FERPA was made as part of the USA Patriot Act of 2001 that allows Tusculum University officials to provide, without the consent or knowledge of a student, personally identifiable information from a student’s education record to the U.S. Attorney General or his designee in response to an ex parte order in connection with the investigation or prosecution of terrorism crimes.
Tusculum University GLBA Information Security Program Standard
This outlines the University’s GLBA Information Security Program Standard. Tusculum University is required by the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation called the Safeguards Rule (the Rule) (16 CFR Part 314) to develop, implement, and maintain a comprehensive written Information Security Program (ISP) to safeguard customer information in the University’s care.
The objectives of the ISP are to:
- Ensure the security and confidentiality of customer information
- Protect against anticipated threats or hazards to the security or integrity of such information
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to customers.
Scope of Customer Information
The ISP applies to any record containing nonpublic personal information in paper, electronic or other form, about a student or other third party who has a continuing relationship with the University, where such information is obtained in connection with the provision of a financial service or product by the University, and that is maintained by the University or on the University’s behalf.
Nonpublic personal information means information:
- A student or other third party provides in order to obtain a financial service or product from the University
- About a student or other third party resulting from any transaction with the University involving a financial service or product, or
- Otherwise obtained about a student or other third party in connection with providing a financial service or product to that person.
For example, nonpublic personal information includes bank and credit card account numbers, income and credit histories, as well as names, addresses, and social security numbers associated with financial information. Customer information does not include records obtained in connection with single or isolated financial transactions such as ATM transactions or credit card purchases.
Information Security Program (ISP)
- Information Security Program Coordinator(s).
The University has designated the Director of Information Systems as its ISP Coordinator. The Coordinator may designate others to oversee particular elements of the ISP. The University has partnered with a cybersecurity firm to help monitor user actions in select systems and provide necessary security testing both internally and externally on a periodic basis. Questions regarding the ISP should be directed to the Director of Information Systems.
- Risk Identification and Assessment.
Tusculum University is currently working with a 3rd party provider, a cybersecurity firm, to identify and assess reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Tusculum and the 3rd party provider will assess the sufficiency of any safeguards in place to control these risks. This applies to information in any format, whether electronic, paper, or other form.
The Director of Information Systems/ISP Coordinator will assess:
- Employee training and management: evaluate the effectiveness of current employee training and management procedures relating to the access and use of covered records.
- Information systems, information processing, and disposal: assess the risks to covered information associated with the University’s information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
- Detecting, preventing and responding to attacks and system failures: evaluate procedures for and methods of detecting, preventing and responding to attacks, intrusions, or other system failures.
- Designing and Implementing Safeguards.
The Director of Information Systems will work with a trusted 3rd party to design and implement safeguards to control the risks identified in assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. Testing and monitoring may be accomplished through existing network monitoring, problem escalation procedures, and other data management practices.
- Overseeing Service Providers.
The Director of Information Systems will develop and incorporate standard contractual provisions for service providers that will require providers to implement and maintain appropriate safeguards. The Director of Information Systems will assist in instituting methods to select and retain only those service providers capable of maintaining appropriate safeguards for customer information to which they will have access.
- Adjustments to Program.
The Director of Information Systems will evaluate and adjust the ISP as needed, based on risk identification and assessment activities and when material changes to the University’s operations or other circumstances may have a material impact on the ISP.
The Director of Information Systems will report to the Board of Trustees annually, to include the current status of the ISP, results from any risk and security related assessments, management plans, corrective actions management has taken towards any security violations, updates involving vendors/service providers, and any recommendations the security team may have for the information technology infrastructure of Tusculum University.