Data Security Standard

The purposed of this standard is to establish a framework for the secure management and use of UAI to ensure the confidentiality, integrity, and availability of the data and align with the Data Security Policy. This standard applies to all University data, and does not supersede federal and state laws or regulations, legal requirements, or contractual obligations for protecting data. This standard applies to all users who store, collect, transmit, oversee, or display University data.

Providing University Administrative Information to Others

This section discusses providing University Administration Information (UAI), other than Public Information; or access to that information to others and the terms under which UAI may be provided and who must approve these requests. Unless an information request is covered below the recipient of such request must seek the approval of their Dean or Vice President before providing the requested information.

Education Records
  1. Education Records are protected under the Family Educational Rights and Privacy Act of 1974 (“FERPA”), as amended, and its implementing regulations.
  2. All faculty and staff must comply with the University’s FERPA Policy Statement.
  3. All requests from outside entities for education records or student information must be referred to the Office of the University Registrar (804) 289-8639.
Requests from law enforcement officers, subpoenas, and search warrants

If a law enforcement officer or agent requests access to or copies of University Administrative Information, the individual to whom such request is made should:

  1. Request and review the individual’s badge or other official identification; and
  2. Inform the officer or agent they are being referred to the appropriate University administrator
    1. For inquiries relating to students:
      1. All requests for information regarding current students should be referred to the University Registrar (804) 289-8639. If a law enforcement officer needs to locate a student immediately, refer them to Campus Police (804) 289-8715.
    2. For inquiries relating to faculty, trustees, or staff:
      1. If the law enforcement official makes a verbal or written request or presents a subpoena or court order, refer the officer or agent to the Associate Vice-President for Human Resources (804) 289-8166 or to the University General Counsel (804) 287-6683.
      2. If the law enforcement official presents a search warrant the agent or officer may begin a search as soon as the warrant is served. The university staff or faculty member on whom the order is served should immediately contact one of the following individuals depending on availability to inform them that a court-ordered search has been requested or initiated:
        University General Counsel (804) 287-6683 (o) (804) 334-3870 (c)
        Associate Vice President for Human Resources (804) 289-8166
      3. University faculty and staff should cooperate with the search when a search warrant is served. If computers, email, phone records, or electronic information sources are involved in the search, contact the Vice President for Information Services (804) 289-8771 or the Director of Information Security (804) 289-8655.
        Unlike search warrants, subpoenas do not require an immediate response. Subpoenas are usually served by the Sheriff’s Office and allow 10 days for response. If a law enforcement official presents a subpoena, contact one of the following individuals, depending on availability:
        University General Counsel (804) 287-6683
        Associate Vice President for Human Resources (804) 289-8166
      4. The University’s General Counsel will review the information and coordinate the University’s response. Only requested information will be released.
    3. Special Considerations regarding the “USA Patriot Act.”

      The “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act," Pub. L. No. 107- 56, 115 Stat. 272-402 (2001) (codified in various titles and sections of U.S.C.) is also known as the "USA Patriot Act.” If law enforcement officials present an order under this act or FISA ("Foreign Intelligence Surveillance Act") the University's General Counsel will coordinate the University’s compliance with such order, involving appropriate representatives from Information Services, Human Resources and other areas of the University.

      If you are served with an order under the USA Patriot Act or under FISA, contact the University General Counsel immediately (804) 287-6683 (o) or (804) 334-3870 (c). If the General Counsel is not available, contact Vice President for Information Services (804) 289-8771.

      A search warrant issued under the "USA Patriot Act" may contain the stipulation that the institution does not disclose that the warrant has been served or that information has been provided pursuant to the warrant. You should not inform anyone other than the administrators listed above about this action.
Confidential or Restricted Information supplied to or accessed by contractors or vendors, outside agencies, and individuals

The University has business relationships with various third party contractors and vendors. These relationships may require that these contractors and vendors be provided with or have access to University Administrative Information.

    1. University Administrative Information or access to that information may not be provided to contractors or vendors unless a verified business relationship exists and access to such information is necessary for the contractor or vendor to provide services to the University.
    2. Prior to providing a vendor, contractor, or other outside entity with data files or access to University Administrative Information, the University faculty or staff member responsible for the relationship must ensure that the vendor, contractor or outside entity has signed an appropriate confidentiality agreement or that the terms of the overall agreement with the vendor, contractor or outside entity contains an appropriate confidentiality provision. The University General Counsel and Information Services must review and approve new or amended contracts that involve the transfer, storage or management of Confidential or Restricted data before those contracts or amendments are finalized.
    3. Confidential or Restricted data or access to that information will be furnished to contractors, vendors and other outside entities only if essential and the information provided will be limited to the minimum necessary for the contractor, vendor, or outside entity to provide services to the University.
    4. The University faculty or staff member responsible for the relationship must work with University Information Services staff to develop any data extracts or reports to ensure that they comply with specifications and with the data transmission portion the Data Security Policy. Information Services staff will provide guidance regarding the use of record identifiers.
      All transmission of Confidential or Restricted data must conform to the requirements listed in the External Data Transfer Policy

Employment verifications requests and background checks

  1. For inquiries relating to current or former students:
    1. All requests for employment information regarding current or former students should be referred to the University Registrar (804) 289-8639. The University Registrar will verify the request and waiver and refer the requestor as necessary. Do not respond to these requests for information about students unless the Registrar has referred the requestor to you.
  2. For inquiries relating to faculty or staff:
    1. University community members may occasionally have a need to have employment and/or salary information confirmed as part of a job interview, loan application, real estate transaction, etc. All requests for employment or income verification should be referred to the Employment Verification page on the HR website. Refer to the Employment Verification web page for instructions on how to access and use The Work Number.
    2. All other HR-related questions and requests, including background checks, should be referred to the URHR Inbox at URHR@richmond.edu or the HR Solution Center at (804) 289-8747 (URHR). The HR Solution Center will review the request and refer the requestor to members of the university as necessary. Do not respond to these requests unless they come through Human Resources.
Job references
  1. For inquiries relating to current or former students:

    Requests for verification of enrollment or degrees should be referred to the Office of the University Registrar (804) 289-8639.

    When asked to write letters of recommendation for students or former students, faculty and staff should not share information from student Education Records, including grades or grade point averages, with others outside the institution without written permission from the student.

    To release information relating to Education Records (non-directory information), faculty and staff must obtain written consent from the student for such disclosure. Consent for the disclosure of a student’s Education Records must:
    1. Be in writing,
    2. Be signed and dated by the student,
    3. Specify the records that may be disclosed,
    4. State the purpose of the disclosure; and
    5. Identify the party or class of parties to whom the disclosure may be made
  2. For inquiries relating to faculty or staff:

    Job reference checks should be referred to Human Resources unless you have been asked and agreed to serve as a reference for a colleague.

  3. Request for Information about University Trustees
    The President’s Office website publishes basic information about trustees, including name, city, state, and committee assignments. Individuals who seek additional information should be referred to the Secretary of the Board of Trustees at (804) 289-8732.