California Polytechnic State University San Luis Obispo
CONFIDENTIALITY-SECURITY POLICY
May 1998

Access to computers and data is a privilege extended at the discretion of Cal Poly and the University retains the right and authority to revoke or restrict such privileges at any time.

I agree to adhere to the established policy related to all Cal Poly data, screen security and confidentiality. I understand my professional responsibility includes trust and agree to perform my job in conformance with the security procedures of the University as stated below:

1. University computers will be used for authorized purposes only. All data processed is considered sensitive and/or confidential. This data is governed by federal, state and university policies. Access to data is based on the "need to know" philosophy that is directly related to my assigned duties at the University.
2. I understand that I am responsible for the security of whatever data I retrieve. I will provide all necessary safeguards to all sensitive and/or confidential information including reproduction, destruction or modification of data.
3. I have read the campus policies with regard to the summary of the Privacy Rights of Students in Education Records, California Penal Code Section 502, and the Information Practices Act of 1977 (appended) and will abide by those regulations.
4. I understand that I am to restrict my retrieval and other computing activities only to data I have been specifically permitted to access as related to my assigned duties and using only functions and utilities which I have been authorized and trained to use.
5. I understand that my account and password are issued for my exclusive use only and I am responsible for the security thereof. An assigned password shall not be shared with, or delegated to others. I understand that I am also responsible for any student assistant, temporary help and/or production accounts issued in my name.
6. I understand that if I move to another department on campus, I will retain the same account number and password, although my security access may change.
7. I understand that if my relationship with the University is terminated for any reason, I will no longer have access to University equipment and data.

Failure to abide by this agreement may result in my access and/or account being restricted , denied or discontinued. I further understand that illegal access of data may be a violation of the California Penal Code 502 and/or the Information Practices Act of 1977 and therefore punishable up to and including dismissal from position, fine and/or imprisonment.

PRIVACY RIGHTS OF STUDENTS IN EDUCATION RECORDS

The federal Family Educational Rights and Privacy act of 1974 (20 U.S.C. 1232g) and regulations adopted thereunder (34 C.F.R. 99) set out requirements designed to protect the privacy of students concerning their records maintained by the campus. Specifically, the statute and regulations govern access to student records maintained by the campus, and the release of such records. In brief, the law provides that the campus must provide students access to records directly related to the student and an opportunity for a hearing to challenge such records on the grounds that they are inaccurate, misleading or otherwise inappropriate. The right to a hearing under the law does not include any right to challenge the appropriateness of a grade as determined by the instructor. The law generally requires that written consent of the student be received before releasing personally identifiable data about the student from records to other than a specified list of exceptions. The Institution has adopted a set of policies and procedures concerning implementation of the statutes and the regulations of the campus. Copies of these policies and procedures may be obtained at the Judicial Affairs Office. Among the types of information included in the campus statement of policies and procedures are: 1) the types of student records and the information contained therein; 2) the official responsible for the maintenance of each type of records; 3) the location of access lists which indicate persons requesting or receiving information from the record; 4) policies for reviewing and expunging records; 5) the access rights of students; 6) the procedures for challenging the content of student records; 7) the cost which will be charged for reproducing copies of records, and 8) the right of the student to file a complaint with the Department of Education. An office and review board have been established by the Department to investigate and adjudicate violations and complaints. The office designated for this purpose is: The Family Education Rights and Privacy Act Office (FERPA), U.S. Department of Education, 33 "C" Street, Room 4511, Washington , D.C. 20202 .

The campus is authorized under the Act and The California State University, Executive Order No. 382, to release "directory information" concerning students. "Directory information" includes the student's name, address, telephone listing, e-mail address, place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, photograph, degrees and awards received, and the most recent previous educational agency or institution attended by the student. The above designated information is subject to release by the campus at any time unless the campus has received prior written objection from the student specifying information which the student requests not be released. Written objections should be sent to the Director, Judicial Affairs.

The campus is authorized to provide access to student records to campus officials and employees who have legitimate educational interests in such access. These persons are those who have responsibilities in connection with the campus' academic, administrative or service functions and who have reason for using student records connected with their campus or other related academic responsibilities.

CALIFORNIA PENAL CODE SECTION 502

502. Computer crimes: Status as felonies:

(b) Any person who intentionally accesses or causes to be accessed any computer system or computer network for the purpose of (1) devising or executing any scheme or artifice to defraud or extort or (2) obtaining money, property, or services with false or fraudulent intent, representations, or promises shall be guilty of a public offense.

(c) Any person who maliciously accesses, alters, deletes, damages or destroys any computer system, computer network, computer program, or data shall be guilty of a public offense.

(d) Any person who violates the provisions of subdivision (b) or (c) is guilty of a felony and is punishable by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both such fine and imprisonment, or by a fine not exceeding two thousand five hundred dollars ($2,500), or by imprisonment in the county jail not exceeding one year, or by both such fine and imprisonment."

INFORMATION PRACTICES ACT OF 1977

The Legislature declares that the right to privacy is a personal and fundamental right protected by Section 1 of Article 1 of the constitution of California and by the United States Constitution and that all individuals have a right of privacy in information pertaining to them.

Each agency shall maintain in its records only personal information which is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government.

A state employee's home address and home telephone number are exempt from disclosure with specific exceptions. With respect to information the public is entitled to concerning state employees, the following may be released: a) name, b) employing agency and name of unit, c) work location, d) classification, e) job description, duties and responsibilities, f) gross salary rate, g) date appointed/separated, h) time base, e.g., full time, part time, I) tenure, e.g., permanent, probationary, and j) cost to the state for training, travel, attendance at conferences, etc.

When an employee is subject to harm because of the nature of his or her job or unique personal circumstances, exceptions to the general policy are called for. Some employers allow the use of pseudonyms, for example, so long as the employee is accountable to his or her superiors.

Performance evaluations are not open to public inspection unless subject to litigation.

Article 10. Penalties

1798.55 The intentional violation of any provision of this chapter or any rules or regulations adopted thereunder, by an officer of employee of any agency shall constitute a cause for discipline, including termination of employment.

1798.56 Any person who willfully requests or obtains any record containing personal or confidential information from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than five thousand dollars ($5,000), or imprisoned not more than one year, or both."

INFORMATION TECHNOLOGY POLICIES AT CAL POLY