
I completely agree. It can be a very eye opening (and sometimes painful) experience initially. However, the experience is about the best way to identify where training needs and other management involvement is required. Knowing that some regulatory bodies are doing the same thing, it's particularly important to know exactly what is being said.

Oftentimes, inappropriate comments are not done intentionally but simply because someone doesn't know the answer and tries to "do the right thing" by improvising, which can lead to trouble.

I feel that all three areas are equally critical in creating a compliant organization. At the school that I work for, all Marketing materials are reviewed by our Compliance department. Also, our Education Directors are responsible for ensuring that materials in the classrooms have the proper copyright permissions.

I recently had a visit from two gentlemen that are licensed by the State of Florida and they discussed FACTA law (Fair and Accurate Credit Transactions Act of 2003) that went into effect June 1, 2005, as an attempt to reduce identity theft.
They offer a free service to meet with your employees and discuss the importance of proper records keeping, sharing & disposal. They also offer identity theft insurance to individuals which is not a required purchase.
Since this service is free it may be a handy tool to clarify the importance of security when it comes to student/staff records.

I absolutely agree with you, Traci. Nowadays information is everywhere and it seems almost natural just to spew it out; unfortunately that's just what can get you in trouble. It seems like most of the admissions, financial aid, and business office employees are given the training needed for privacy regs and rules; however, the instructors are left out of the process.

All three have to be considered a vital part of an organization such as ours. Every time you hire someone make sure you train them well.

Marc - Great point on training - I think too many schools do not make this a high enough priority. As busy as we all may be, taking the time to train new employees is critical to success and crucial to ensuring compliance. Even those that may have experience should be trained on the specifics for a new organization that may have different regulatory guidelines or, at a minimum, different school policies that must be followed.

I think that in our business information security is the greatest issue that we face. Whether it be accidentally throwing a piece of paper away in the trash, with student information on it instead of shredding it or talking in the lunch room or at a restaurant with a co-worker and what seems to be perfectly innocent can be overheard. All these things can cause us major problems.

True, Letha. There is often a focus on intentional violations but, the accidental mistreatment of confidential information can also lead to major issues for organizations and individuals.

I completely agree with Cheryl. Of the three different business functions, human resources is one of the most vital in the sense that compliance depends on the members of the administration and faculty. Having a strong administration and faculty who understand the importance of rules and regulations in the education sector is the first step towards compliance. Therefore, human resources should also be very familiar with the structure of the regulations from accrediting agencies and what it takes to meet these regulations.

Information security presents challenges both in terms of the consequences of non-compliance, and in terms of convincing co-workers of the need to comply. Its importance is magnified because the consequences of a breach can be so far-reaching. So often we realize what we should have done only after a breach has occurred. Prevention is much better than corrective action, but is much harder to sell. But with the increase in identity theft, it is even more important to protect student information, both hard copies of personal information and electronically-stored information.

Great points, Beth. There are more and more laws regarding privacy forcing entities to protect clients (students in our industry) privacy. Additionally, security breaches can compromise the integrity of the data itself - certainly there have been cases of breaches where grades were allegedly altered - creating major challenges for colleges and universities to "fix" any data which is no longer valid. As you point out, these are often discovered after-the-fact, creating a domino effect of issues to resolve.

I am very interested in follow-up training on FERPA. I knew that our students sign release forms in their enrollment packets but there seems to be gray areas. For instance, when a parent calls and asks if their adult child was in class that day or even what their schedule is for that term. Or when a spouse or parent shows up at the campus wanting to know if the student is in class. It can get confusing without the proper training.

I believe Information Security is a very critical area. Not only with Identity Theft being a large problem in the world today, there are times when a student may need certain information for legal reasons. The school may find themselves in more trouble than just an audit finding, if they cannot provide information needed.

Bonnie - you bring up an interesting point. There is so much focus on privacy but, it is also critical to have appropriate records accessible when they should legally be provided for whatever means for the student. So, in addition to privacy, accuracy and accessibility should also be considered.

While all are important, I feel that in today's society, the issue of information security is most crucial. Particularly with regard to FERPA, the institution must be absolutely letter perfect in adhering to the regulations.

This seems to keep coming up as a major topic. Kathleen (earlier on these postings) also indicated an interest in further training on FERPA as the regulations can be challenging, particularly when parents and spouses are sometimes involved in financing the student's education.

All the areas mentioned in the question are important to building a compliant culture. I will discuss the area of human resources. I think the first step in building a compliant culture is talking about it in the interviewing process and setting the stage for the expectation of quality outcomes and continuous improvement. All the paperwork the applicant receives should be organized. The "why" behind things should be explained so the paperwork is completed in an accurate and timely manner. All new employees should attend a new hire orientation that talks about compliance and regulatory agencies.

In terms of visits from accrediting bodies and approval agencies faculty credentials and files are critical to the success of the visit. One missing official transcript in a faculty file can lead to many citations. One faculty development plan missing or lack of evidence of follow through on a faculty development plan can lead to many citations.

It takes a team effort to build a compliant culture. The hiring manager needs to set the stage. The trainer for orientation needs to make a good impression and explain the importance of having a good relationship with regulatory bodies and being compliant. The HR person or whoever is responsible for files needs to have a good tracking system to monitor missing items from files and follow up. The hiring manager needs to value compliance and make sure the employee submits all required documents in a timely manner.

The HR department also helps initiate review processes and monitors compensation to make sure the policies are compliant. As an organization grows it can become challenging for a departmental manager to keep up with annual reviews, etc.

Faith - I could not agree more - employees understanding the "why's" up front helps them have complete buy in versus just thinking that it's a company policy that has no purpose. Education is truly a "people business" and building the human resources right is critical to success - both in achieving results and in operating within compliant boundaries.

I agree that many employees don't recognize the importance of confidentiality with items such as note paper, faxes and other items that contain student information. I have a policy in my Career Services office that all paper must be shredded. This eliminates the opportunity for anything to go into the trash that contains confidential information.

Information security is extremely important. Any and all paperwork that pertains to a student, which is being disposed of, should be shredded not just tossed in the trash. Then you know that personal information cannot get into the wrong hands.
