Chapter 3354:2-11 Student Fees and Protection of Data

3354:2-11-01 Tuition and student fees.

The board will establish tuition and general and support service fees in compliance with State law. Any instructional fees (such as lab fees) will be established annually as needed by the president of the college.

Replaces: 3354:2-11-04

Effective: 5/3/2004
Promulgated Under: 111.15
Statutory Authority: 3354
Rule Amplifies: 3354
Prior Effective Dates: 1/11/1996

3354:2-11-02 Computer software.

(A) Copyright

(1) It is the policy of Lakeland community college to comply with all state, federal, and international software copyright laws. Under these laws, commercial and shareware software are licenses purchased by the college for use and are not owned by the college. These licenses stipulate that:

(a) Software is covered by copyright which means that under no circumstances can copies be made of the program without the explicit permission of the copyright holder and the college.

(b) Modifications to the software are not allowed.

(c) Decompiling (i.e., reverse engineering) of the program code is not allowed without the permission of the copyright holder.

(d) One archival copy of the software is legal in most cases and is the responsibility of the information technology Services department to administer. This backup copy cannot be used except when the original package fails or is destroyed.

(e) Development of new works built upon the package (derivative works) is not allowed without permission of the copyright holder.

(B) Virus

(1) The college will provide virus detection methods on all computer systems, if possible, and will immediately localize any computer virus infection and eliminate the source. Individuals who intentionally infect any of the college's computer systems will risk penaltie

(C) Access

(1) Access to computing resources is granted to an individual by the college solely for the college's use and purpose. Access is a right that may be limited or revoked if an individual misuses the right or violates applicable college policies or state or federal law.

Effective: 5/3/2004
Promulgated Under: 111.15
Statutory Authority: 3354
Rule Amplifies: 3354
Prior Effective Dates: 7/7/1994

3354:2-11-03 Acceptable use policy for electronic communication.

(A) Purpose

(1) This policy provides a guide to Lakeland Community College students, employees, and other authorized users in the acceptable use of college electronic communication resources, computers, information systems and networks (electronic resources). These resources are provided in support of the college's mission and administrative activities of the institution.

(2) The college reserves the right to protect the integrity of its electronic resources systems and facilities (for supporting voice, data, and video communications).

(B) Guiding principles

(1) The use of college electronic resources in no way exempts any user from the normal requirement of ethical or legal behavior.

(2) Each user of college electronic resources is responsible for his/her actions.

(3) The college cannot insure individuals against the existence or receipt of materials that may be offensive. As such, users of electronic resources are warned that they may come across or be recipients of material they find offensive. Those who use e-mail and/or make information about themselves available on the Internet should be forewarned that the college cannot guarantee them protection against invasions of privacy and other possible dangers that could result from the individual's distribution of personal information.

(4) The consumption of college electronic resources is only for college-related activities.

(C) Responsibilities

(1) Users of college electronic resources are responsible for their own actions and are to be respectful of:

(a) The privacy of, or other restrictions placed upon, data or information stored in or transmitted across computer and network systems even when that data or information is not securely protected;

(b) An owner's interest in proprietary software or other assets pertaining to computers or network systems;

(c) The finite capacity of computers or network systems by limiting use of computers and network systems so as not to interfere unreasonably with the activities of other users.

(2) Members of the college community also are expected to follow all other policies, procedures or rules established to manage electronic communication systems including those established to control access to, or the use of, computer data, files or other information.

(3) The college requires individuals to use electronic resources in a responsible manner and will not accept actions which include any of the following:

(a) Harass, threaten, or otherwise cause harm to specific individuals;

(b) Impede, interfere with, impair or otherwise cause harm to the activities of others;

(c) Download or post to college computers, or transport across college networks, material that is illegal, proprietary, in violation of local, state and federal laws and college contracts, or otherwise is damaging to the institution;

(d) Harass or threaten classes of individuals.

(D) Administration

(1) The college reserves the right to examine computer files as necessary to enforce its policies regarding harassment and the safety of individuals; to prevent the posting of proprietary software or electronic copies of electronic texts or images in disregard of copyright restrictions or contractual obligations; to safeguard the integrity of computers, networks and data either at the college or elsewhere. The college may restrict the use of its electronic resources in the event of any violation of college policies, or local, state or federal laws. The college reserves the right to limit access to its networks through college-owned or other computers and to remove or limit access to material posted on college-owned computers.

Replaces: 3354:2-11-03

Effective: 5/3/2004
Promulgated Under: 111.15
Statutory Authority: 3354
Rule Amplifies: 3354
Prior Effective Dates: 1/15/1998

3354:2-11-04 Data security and privacy assurance.

(A) Purpose

(1) Lakeland community college endeavors to protect the confidentiality, integrity and availability of all data in its care. Lakeland provides legitimate and timely access to information necessary to its teaching, learning, and administrative functions in support of its mission. The college recognizes that the interests of information security and free access to information are at times in conflict. Lakeland will attempt to resolve these conflicts, but prefers to protect data in what it views as necessary in compliance with federal, state, or local laws.

(2) Information security is to be embedded into all Lakeland activities. Rather than being merely the responsibility of the designated compliance officers, every Lakeland employee is responsible for the security of college information.

(B) Definitions

(1) Information security provides that data that should remain confidential is protected against inappropriate use, while data required to carry out the college's mission is available to those who need it.

(2) Covered data refers to all information collected by, shared with, or reported to the college in the course of its daily activity that is protected by local, state or federal law or that the college is contractually obligated to protect. In addition, Lakeland may designate additional covered data through the creation of standards, procedures and guidelines. Covered data includes, but is not limited to:

(a) Education records of students as defined by the Family Educational Rights and Privacy Act (FERPA);

(b) Protected health information as specified by the Health Insurance Portability and Accountability Act (HIPAA);

(c) identity theft regulations as enacted by the Federal Trade Commission at 16 C.F.R. 681 ("Red Flag" Rules);

(d) student and customer financial information as specified by the Gramm Leach Bliley Act; and

(e) credit card data covered by the Payment Card Industry standards.

(C) Guiding principles

(1) Compliance. Lakeland is committed to ethical business practices and compliance with all applicable laws, regulations, and policies that govern the privacy of Covered Data.

(2) Minimize access privileges. Lakeland only grants to assigned individuals the reasonable, minimum access to covered data as needed to accomplish their institutional or pedagogical goals.

(3) Separation of duties. As can be reasonably accommodated, for each assigned duty that uses covered data, the College assigns one or more individuals or review bodies to oversee the proper handling and protection of that data.

(4) Balance with Ohio Public Records Law. Lakeland favors reasonable expectations of privacy of its constituents, consistent with the accomplishment of institutional goals and in accord with applicable laws, standards and college policies. However, the College must always balance that expectation relevant to any records request under the State of Ohio's Public Records Law.

(5) Notification. In the event of a breach of security that leaks covered data, senior college officials will determine, in light of the circumstances and applicable law, what risks are posed by the breach and whether and how those persons whose covered data was released should be notified.

(D) Responsibilities

(1) Compliance Officers are responsible for the creation, implementation, and oversight of Information Security for Lakeland's Covered Data. Although these Compliance Officers may report to different College officials, they are required to work closely together, along with other Lakeland employees, to:

(a) identify reasonable, foreseeable vulnerabilities and threats to Covered Data;

(b) design and implement safeguards to minimize risk, including the development and communication of College procedures;

(c) periodically evaluate the effectiveness of safeguards;

(d) limit the damage from security breaches; and

(e) report findings to relevant College officials.

Lakeland's designated Compliance Officers by area are the:

(i.) Director for admissions and registrar for the Family Educational Rights and Privacy Act;

(ii.) Director for human resources for the Health Insurance Portability and Accountability Act;

(iii.) Controller and bursar for red flag rules;

(iv.) Director of administrative technologies for the Gramm Leach Bliley Act; and

(v.) Director of financial systems and deputy treasurer for Payment Card Industry Data Security standards.

(2) In addition to its Compliance Officers, Lakeland has established additional responsibilities to support Information Security for its Covered Data including, but not limited to:

(a) Network, system, database, and application security administrators to define standards, procedures, and guidelines that minimize the risk of intrusion or breach, while allowing Lakeland entities to utilize these assets to their maximum benefit;

(b) Area data custodians. Every piece of information collected by the College in its daily activities is collected on behalf of a department that requires that data for the realization of a specific goal. Employees in these departments are the custodians of that data, and have a responsibility to work with relevant compliance officers for maintaining the confidentiality and integrity of any Covered data; and

(c) Incident Response Teams. An Incident Response Team will be activated when a possible breach in information security for college covered data occurs to provide effective and orderly response and communications. An incident response team will include relevant college officers and the affected compliance officer(s).

(E) Additional assurance responsibilities

(1) If, in the process of executing their duties, a member of Lakeland discovers a possible breach of information security for college covered data, they must report their findings immediately to either:

(a) a college officer; or

(b) the relevant compliance officer.

That college or compliance officer will coordinate necessary steps to investigate that possible breach as well as concurrently notify the college's chief of Staff. The college's chief of Staff will determine the appropriateness of activating an Incident response team.

(2) As permitted by federal, state, or local laws, covered data may be disclosed to third parties pursuant to an executed agreement that requires that third party by contract to implement and maintain necessary information security safeguards.

Effective: 3/20/2015
Promulgated Under: 111.15
Statutory Authority: 3354
Rule Amplifies: 3354
Prior Effective Dates:

3354:2-11-05 Identity theft protection.

(A) Purpose

(1) The college creates, obtains, and stores personally-identifiable financial and other sensitive information, and desires to ensure appropriate measures are taken to prevent identity theft involving such information. Therefore, the college shall maintain an active identity theft prevention program in accordance with Federal Trade Commission regulations enacted under 16 CFR 681.2 (often referenced as the "Red Flag Rule").

(2) The controller and bursar shall serve as "Compliance Officer" leading development, implementation, and oversight of the identity theft program.

(B) Definitions

(1) "Covered accounts" are the college's tuition loan plans, emergency loans, Perkins loans, Nursing loans, federal family education loans (FFEL), and employee computer loans, and any other future accounts and/or transaction credits into the future.

(2) "Identifying information" is "any name or number that may be used, alone or in conjunction with any other information, to identify a specific person," including without limitation: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, student identification number, employee identification number, computer's internet protocol address, and routing code.

(3) "Identity theft" is a "fraud committed or attempted using the identifying information of another person without authority."

(4) "Red Flag" means a "pattern, practice, or specific activity that indicates the possible existence of identity theft."

(C) Identifying red flags

The program should identify red flags for covered accounts and incorporate those red flags into the program.

(1) The program should incorporate the following risk factors in identifying relevant red flags for covered accounts:

(a) The types of covered accounts offered or maintained by the college.

(b) The methods provided by the college to open covered accounts.

(c) The methods provided by the college to access covered accounts.

(d) The college's experience, if any, with identity theft.

(2) The program should incorporate appropriate red flags from relevant experiences and sources, including without limitation:

(a) Incidents of identity theft previously experienced.

(b) Methods of identity theft that reflect changes in risk.

(c) Regulatory or professional guidance.

(3) As appropriate, the program shall include relevant red flags from the following categories of risk factors:

(a) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers.

(b) The presentation of suspicious documents.

(c) The presentation of suspicious personal identifying information.

(d) The unusual use of, or other suspicious activity related to, a covered account.

(e) Notice from customers, employees, students, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.

(D) Detecting and responding to red flags

The college's identity theft prevention Program should address the detection of red flags in connection with the opening of new covered accounts and existing covered accounts.

The program should provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The responses should be commensurate with the degree of risk posed, and may include:

(1) Monitoring a covered account for evidence of identity theft.

(2) Denying access to the covered account until other information is available to eliminate the red flag, or close the existing covered account.

(3) Contacting the student, former student, current employee, or former employee.

(4) Changing any passwords, security codes or other security devices that permit access to a covered account.

(5) Reopening a covered account with a new account number.

(6) Notifying a college administrator and the relevant compliance officer (controller and Bursar).

(E) Updating the identity theft prevention program

The College should periodically, and at least annually, update the program in accordance with appropriate factors, which may include:

(1) The experiences of the organization with identity theft.

(2) Changes in methods of identity theft.

(3) Changes in methods to detect, prevent and mitigate identity theft.

(4) Changes in the types of accounts that the organization offers or maintains.

(5) Changes in the business arrangements of the organization, including without limitation, service provider agreements.

(F) Methods of administering the program

In administering the Identity Theft Prevention Program, the Compliance Officer shall be responsible for:

(1) Training of College staff on the program.

(2) Requiring and reviewing reports on compliance with this program. The Identity Theft Program should include appropriate details about this reporting process.

(3) Leading prevention and mitigation efforts in particular circumstances.

(4) Monitoring and ensuring College compliance with the Identity Theft Prevention Policy and Program.

(5) Overseeing the activities of service providers performing activities related to covered accounts to ensure that such activities are conducted pursuant to reasonable policies and programs designed to detect, prevent, and mitigate the risk of identity theft.

Replaces: 3354:2-11-05

Effective: 4/14/2003
Promulgated Under: 111.15
Statutory Authority: 3354
Rule Amplifies: 3354
Prior Effective Dates: 4/14/2003