Handling Student and Employee Data Locally at K-State (Complying with FERPA, GLBA and CUI)
The following frequently asked questions provide data access and sharing guidance at Kansas State University. Once a user has obtained approval from a data steward for specific data access, the user must adhere to data sharing guidelines, and only authorized individuals may access and receive the data. You are responsible for understanding the regulations surrounding data sharing, and you are accountable for your actions.
This document does not constitute an exhaustive list of guidance. For any additional questions or clarification, please consult with the appropriate department to ensure full compliance with university policies and applicable regulations.
What are the data compliance guidelines?
Can I download student/employee data locally for work?
1. Yes, you can download student data locally for your job. However, you must adhere to strict protections to comply with FERPA, GLBA, and CUI regulations.
2. Employees must adhere to strict guidelines regarding the use of employee data.
What steps can I take to be GLBA, CUI and FERPA compliant?
- Use Approved Storage Solutions: Store your data only on K-State-approved solutions, such as OneDrive (preferred) or CatFiles. Avoid using personal devices or unapproved storage services like Dropbox or Google Drive.
- Encryption: Ensure that data is encrypted both at rest (when stored) and in transit (when being transferred). This protects the data whether it is on your device or being shared.
  - If your device is managed by the Division of IT, full disk encryption is already enabled.
  - If you are unsure about encryption, contact your IT Point of Contact or the IT Service Desk.
- Access Control: Limit access to only authorized users. Ensure that only individuals with explicit permission from a Data Steward can view or edit the data. Always set permissions carefully, especially when sharing through OneDrive or Teams.
- Data Minimization: Only download the data necessary for a specific task. Avoid downloading more information than needed to minimize risk.
- Secure Storage: Store sensitive data on K-State-managed devices. Do not store sensitive student data on personal or unapproved devices. If your device is managed by the Division of IT, full disk encryption[1] is already enabled.
- Data Retention: Do not retain sensitive data longer than necessary. Once your work is complete, delete the data according to K-State's guidelines or seek help from your IT Point of Contact.
- Cautious Data Sharing: Before sharing sensitive data externally, obtain approval from your Institutional Data Steward. Ensure that the data is encrypted and protected with proper access controls.
- Report Data Breaches: Immediately report any suspected data breaches or unauthorized access to the K-State Information Security Office.
What storage options are approved for sensitive student and/or employee data?
K-State has two approved storage solutions for sensitive student and/or employee data:
- SharePoint/OneDrive (Preferred Option): SharePoint and OneDrive are secure and compliant cloud storage platforms that support encrypted data storage and sharing. They are the recommended choice for sensitive data storage due to their robust encryption and access control features. You can securely share files by managing access permissions. For OneDrive best practices, please refer to the KB article(s): https://support.ksu.edu/TDClient/30/Portal/KB/Search?SearchText=%2523OneDrive
- CatFiles (Alternative Option): CatFiles can be utilized if the business process requires it, but it is not considered more secure than OneDrive. CatFiles is an on-premises storage solution that offers similar levels of encryption and access control. Use CatFiles only when your specific workflow necessitates it.
- ImageNow/Perceptive Content can be utilized if the business process requires it.
Is SharePoint/OneDrive FERPA compliant for securely storing student data?
Yes, SharePoint/OneDrive is a compliant solution that encrypts data both at rest and in transit. When using either solution, please adhere to the following guidelines:
Can I store sensitive financial data subject to GLBA on SharePoint/OneDrive?
Yes, SharePoint and OneDrive are approved storage solutions for financial data covered by GLBA. Ensure you follow the same guidelines:
- Share data only with approved and authorized personnel.
- Enable encryption for the transfer and storage of sensitive data.
How do I securely remove student or employee data from my device?
When your device reaches the end of its life, please collaborate with your IT Point of Contact and ensure that K-State Policy 3436: Media Sanitization and Disposal Policy is adhered to: https://www.k-state.edu/policies/ppm/3400/3436.html
Is my device encrypted for secure data storage?
- If your device is managed by the Division of IT, full disk encryption is already enabled.
- If your device is not managed by the Division of IT or you are unsure about the encryption status, please reach out to your IT Point of Contact or contact the IT Service Desk at https://support.ksu.edu to verify or enable encryption.
Can I use USB drives or other removable media to store student or employee data?
No, USB drives or other removable media are not suitable for storing student or employee data.
How can I transfer data to someone else?
To transfer sensitive data, follow these guidelines:
- Use secure methods such as OneDrive with restricted access.
- Avoid sending sensitive data as an email attachment unless both the email and the attachment are encrypted.
- For extremely sensitive data, consult K-State Data Stewards for approval and additional guidance.
How long can I keep downloaded student or employee data on my device?
Keep data only for as long as necessary for your current work. Once you are done, delete it from your device. If your device is no longer in use, make sure to follow K-State Policy 3436: Media Sanitization and Disposal Policy. You can find more information here: https://www.k-state.edu/policies/ppm/3400/3436.html
Please also review the Records Retention Schedules for additional guidance on specific retention policies.
What if I suspect a data breach or unauthorized access?
If you believe that sensitive data has been accessed without authorization or if a data breach has occurred, please report it immediately to the K-State Information Security Office at security@ksu.edu.
Can I share downloaded student or employee data with external parties?
All external requests must be submitted under the Open Records Act. Student data cannot be shared due to federal laws prohibiting disclosure. For further information, please see the following: https://www.k-state.edu/communications-marketing/services/open-records/#:~:text=Kansas%20Open%20Records%20Act%20(KORA)&text=You%20may%20inspect%20and%20obtain,records%20from%20Kansas%20State%20University
Can I email sensitive student or employee data?
Emailing sensitive student data is discouraged unless necessary. If you must send such information via email, please follow these guidelines:
- Encrypt both the email and the attachment. This step ensures that even if the email is intercepted, the sensitive information remains secure. For instructions on how to encrypt emails, please refer to the following Knowledge Base Article: https://support.ksu.edu/TDClient/30/Portal/KB/ArticleDet?ID=97
- Limit recipients to only those who need access. Always verify email addresses before sending, especially when communicating outside of K-State.
- Use OneDrive links instead. A more secure option is to upload the data to OneDrive and share a link that restricts permissions, rather than sending the data as an email attachment.
Can I share sensitive student or employee data internally via Microsoft Teams?
Yes, Microsoft Teams, both a full “Team” and individual “Chat”, is an approved platform for sharing sensitive student data within K-State, provided the following precautions are observed:
- Private Channels: Create private channels in Teams to restrict access to only the necessary individuals.
- Control Access: Ensure that only authorized users can access the Teams workspace or channels where sensitive data is shared.
- Monitor Sharing Links: Avoid sharing files with broad permissions, such as “anyone with the link.” Instead, restrict access to specific individuals or Microsoft Teams groups.
Can I share sensitive student or employee data externally outside of K-State?
Do not share any sensitive data through Microsoft Teams with external partners.
Can I share sensitive student or employee data on personal devices?
Sensitive information such as FERPA data, Personally Identifiable Information (PII), and Controlled Unclassified Information (CUI) should never be stored on personal devices.
How can I ensure compliance with data security?
To maintain compliance and protect data, follow these guidelines:
- Store Data Only in Approved Locations: If you discover data stored in an unapproved location, securely delete it immediately.
- Avoid Long-Term Storage: Do not retain sensitive data longer than necessary. Regularly review your files and delete any that are outdated.
- Follow Data Retention Policies: Adhere to K-State’s data retention policies to manage and securely dispose of data that is no longer needed.
What is K-State's Data Access and Retention policy?
For information on research data and retention, please see Pre-Awards Policy 7010, subsection .440: https://www.k-state.edu/policies/ppm/7000/7010.html#.440
[1] Full Disk Encryption (FDE) is a security measure that automatically encrypts all data on a computer's hard drive, making it unreadable without the proper authentication, such as a password or encryption key. This ensures that even if the device is lost or stolen, the data remains secure and inaccessible to unauthorized users.