Policy on Safeguarding Financial-Customer Information at the University of Mary Washington
Policy Statement
In order to safeguard the personal information that it gathers from consumers of its financial services, the University of Mary Washington takes specific actions that it documents in ways that are accessible to those customers. Those actions include:
- designation of at least one employee to coordinate the actions;
- identification and assessment of risks in relevant areas of operation, as well as evaluation of the effectiveness of steps to address those risks;
- implementation of a regularly monitored and tested overall safeguards program;
- selection of appropriate service providers (when needed) to implement the program; and
- evaluation and adjustment of the overall safeguards program to reflect changing circumstances and results of tests.
Definitions and Relationship to the Gramm-Leach-Bliley Act
Consumer and Customer: A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. A customer is a consumer with a continuing relationship with a financial institution (definitions from the Federal Trade Commission; see http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm).
Under regulations issued in May 2000, colleges and universities are deemed to be in compliance with the Gramm-Leach-Bliley Act's privacy provisions related to customer financial information if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the act related to the administrative, technical, and physical safeguarding of customer information (source: The National Association of College and University Business Officers (NACUBO -- see http://www.nacubo.org/x1176.xml)).
University of Mary Washington Procedure
Designation of coordinator for actions aimed at safeguarding personal information gathered from consumers of financial services
The University of Mary Washington has designated the Vice President for Administration and Finance as coordinator.
Identification and assessment of risks in relevant areas of operations and evaluation of effectiveness of steps to address those risks
The Vice President for Administration and Finance annually identifies and assesses risks in relevant areas. The VP for Administration and Finance oversees the development of steps to address those risks, and an annual review of the effectiveness of those steps, which often may be the subject of normal annual internal audit processes.
Implementation of a regularly monitored and tested overall safeguards program
The Associate Vice President for Business and Finance (AVP/BF) oversees the implementation of the safeguards program and is responsible for ongoing monitoring and testing. He or she communicates the elements of the safeguards program having to do with institutional business components managed or maintained by other offices to those offices, which are in turn responsible for the implementation of the relevant steps tied to those components.
The University's financial-information safeguards program consists of:
- managing and training employees,
- designing and operating information systems (paper and computer-based), and
- managing system failures.
Whenever the University employs external service providers to supply any relevant component of financial services, they will qualify for selection only after they have assured the University of their ability to effectively comply with this policy and procedure. Those service providers must provide regular reports on risk assessment, mitigation-step design and implementation, monitoring and testing, and evaluation of the effectiveness of their safeguards program to the institutional officers identified in this procedure.

