Policy Statement
Ramapo College is committed to protecting the privacy and confidentiality of personal information, including sensitive Personally Identifiable Information (PII), in compliance with applicable laws and regulations such as the Family Educational Rights and Privacy Act (FERPA), New Jersey statute 56:8-161 and Identity Theft Prevention Act, and the Federal Bureau of Investigation (FBI) classifications of PII.

Reason for Policy
Sets forth policy to ensure proper stewardship and safeguarding of personally identifiable information in accordance with the law.

To Whom does the Policy Apply
All Ramapo employees

Supplemental Resources

• Procedure 410: Data Protection (PII)
• FERPA Policy (Ramapo College)
• Policy 642: Records Retention
• USDOE FERPA Regulations
• New Jersey Identity Theft Prevention Act
• Policy 604: Responsible Use of Electronic Communication
• Statement on Use of Artificial Intelligence in the Workplace
• Cybersecurity Policy and Protocol Manual (PENDING)
• Acceptable Use of College Systems & Data Policy (PENDING)

PROCEDURE 410: DATA PROTECTION (PII)

I. Personal Information Definitions
a. High-Risk Personal Information
The following types of information are considered high-risk and must be protected with the highest level of security measures:

• Social Security number (SSN)
• Driver’s license number or State/Federal identification card number
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
• User name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account
• Biometric data (e.g., fingerprints, iris scans)
• Medical and health information, as outlined by HIPAA
• Passport numbers
• Criminal history records

Access to high-risk data is strictly limited to authorized positions on a need-to-know basis.

The college logs and annually reviews systems with access to high-risk data, implements encryption on servers that store sensitive information, and reviews user access controls within those systems and servers to protect this data from unauthorized access, disclosure, or misuse.

b. Moderate-Risk Personal Information
The following types of information are considered moderate-risk and are protected with security controls:

• Date of birth
• Place of birth
• Mother’s maiden name
• Home address
• Email address (when not combined with access information)
• Telephone number
• Employment information
• Educational information
• R Number (employee/student ID)*

Access to moderate-risk data is limited to authorized positions. Additionally, certain combinations of moderate-risk PII may elevate the overall classification to high-risk. Classification determinations regarding these combinations are the responsibility of ITS leadership.

* An R Number is a unique identifier assigned to each student and employee within the institution, and while it is sensitive, it does not directly reveal personal information. On its own, it is considered moderate risk. The risk level of an R number can increase when combined with other sensitive information.

c. Low-Risk Personal Information
The following types of information are considered low-risk data, but should still be handled with care:

• Religious beliefs
• Political affiliations
• Sexual orientation

While these types of information may be less sensitive, measures are taken to protect them from unauthorized access or disclosure.

II. PII Evaluation, Classification, and Authorization
Evaluation. Ramapo College regularly evaluates PII to determine its confidentiality impact level. Factors considered include:

• Identifiability: How easily the PII can be used to identify specific individuals.
• Quantity of PII: Number of individuals affected in case of a breach.
• Data field sensitivity: Sensitivity of individual PII elements.
• Context of use: How PII is collected, stored, used, processed, and disclosed.
• Legal obligations: Compliance requirements for protecting PII.
• Authorized Access: Positions with access to high- and moderate-risk PII
• Location: Sources and locations from which PII is accessed and stored.

Classification. When multiple pieces of moderate-risk PII are combined in a way that could lead to identification or cause significant harm if breached, the overall classification may be elevated to high-risk. Classification determinations regarding these combinations are the responsibility of ITS leadership.

Authorization. Positions authorized to access high- and moderate-risk PII are determined by unit heads in collaboration with system functional administrators. ITS implements security measures to safeguard against unauthorized access or disclosure. By default, student positions are not permitted access to moderate or high-risk PII on any campus system. Any exceptions must be formally requested through ITS and approved by the Vice President with oversight of People Operations and Employee Resources.

III. Data Handling and Breach Notification
All college records are considered property of Ramapo College and must be handled in accordance with state law, institutional requirements, and Ramapo College Records Retention Policy. In the event of a security breach involving personally identifiable information, the College will follow the applicable notification procedures outlined in the New Jersey Identity Theft Prevention Act.

IV. Compliance
Units within the College that handle or process high- and moderate-risk PII are responsible for ensuring the security, privacy, and proper management of that PII. At minimum, employees should always password protect documents containing personally Identifiable Information (PII) before sending them via email.

Ramapo College complies with the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records. The College’s FERPA policy is overseen by the Office of the Registrar in accordance with regulations set forth by the U.S. Department of Education.

The Responsible Unit shall annually review this policy to ensure compliance with FERPA, New Jersey Identity Theft Prevention Act, and other applicable laws and regulations.

Any breach disclosure will be discussed in conjunction with both Legal Counsel and the College’s cyber insurer.

Violations of this policy may result in disciplinary action, up to and including termination of employment or expulsion from the College.

Exceptions to this policy may apply to students and employees in the European Union (EU) and in the European Economic Area (EEA) under the General Data Protection Regulation (GDPR).