Gramm-Leach-Bliley Act (GLB Act)
Policy on Compliance with the Gramm-Leach-Bliley Act (GLBA)
Policy Title: Compliance with the Gramm-Leach-Bliley Act (GLBA)
Policy Number: FA-GLBA-001
Date of Adoption: 07/01/2024
Approved By:
- Shawn Domingo – Director, Financial Aid & Scholarships
- Elba Serrano – Assistant Director, Financial Aid & Scholarships
Review Date: 07/01/2024
1. Purpose
The purpose of this policy is to ensure that the San Joaquin Delta College Financial Aid Office complies with the requirements of the Gramm-Leach-Bliley Act (GLBA), which aims to protect the privacy and security of students' nonpublic personal information (NPI). The policy outlines the procedures for safeguarding student financial aid data, preventing unauthorized access, and ensuring compliance with GLBA regulations.
2. Scope
This policy applies to all staff, faculty, and administrators involved in the management, handling, or processing of student financial aid data at San Joaquin Delta College. This includes, but is not limited to, those involved in the administration of federal, state, and institutional financial aid programs.
3. Background
The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, includes provisions aimed at protecting the privacy and security of consumers' personal financial information held by financial institutions, including educational institutions that participate in federal student aid programs. As part of the Federal Student Aid (FSA) program, San Joaquin Delta College is required to safeguard nonpublic personal information related to students’ financial aid.
4. Definition of Nonpublic Personal Information (NPI)
Under the GLBA, "nonpublic personal information" (NPI) refers to any personally identifiable information that is collected by the Financial Aid Office from students or their families for the purpose of determining eligibility for financial assistance. This includes:
- Financial information (e.g., income, assets, tax returns)
- Personal information (e.g., Social Security number, date of birth, address)
- Student account information (e.g., financial aid award, disbursement details)
5. Responsibilities of the Financial Aid Office
The Financial Aid Office at San Joaquin Delta College is responsible for the following actions to ensure compliance with GLBA:
5.1 Privacy Policy
- The Financial Aid Office will provide clear and transparent notices to students about its practices for collecting, using, and sharing nonpublic personal information. This includes both an initial privacy notice and an annual privacy notice to inform students of their rights under GLBA.
- The office will ensure that students are given the option to opt-out of information sharing with non-affiliated third parties, in compliance with GLBA.
5.2 Safeguarding Nonpublic Personal Information
- All nonpublic personal information (NPI) will be securely stored and transmitted in compliance with federal privacy laws and institutional data security protocols.
- Paper-based records containing NPI will be kept in locked, secure locations and access will be limited to authorized personnel only.
- Electronic records containing NPI will be encrypted both during transmission and while stored in databases, in accordance with applicable security standards.
- Access to financial aid systems and student data will be granted on a need-to-know basis, with appropriate user authentication and access controls in place.
5.3 Training and Awareness
- All Financial Aid Office personnel will receive regular training on GLBA requirements, privacy laws, data security best practices, and institutional policies on safeguarding student information.
- Staff will be instructed on recognizing and reporting potential breaches of privacy or unauthorized access to NPI.
5.4 Third-Party Vendors
- When third-party vendors or contractors are used to process or handle NPI on behalf of the Financial Aid Office, the college will ensure that these vendors are contractually obligated to comply with GLBA standards for data protection.
- The college will perform due diligence when selecting third-party vendors to ensure they have appropriate safeguards in place to protect the privacy of student data.
6. Data Security Measures
The Financial Aid Office will implement and maintain robust data security measures to ensure that student financial aid data is protected against unauthorized access, disclosure, or loss. This includes:
- Physical Security: Restricting access to areas where sensitive financial aid data is stored (e.g., file rooms, servers, and workstations).
- Network Security: Employing firewalls, intrusion detection systems, and encryption to protect sensitive data transmitted over the internet or internal networks.
- Data Disposal: Properly disposing of paper and electronic records containing NPI when they are no longer needed, through shredding of documents and secure wiping of electronic storage devices.
7. Incident Response and Breach Notification
In the event of a data breach involving nonpublic personal information, the Financial Aid Office will follow the college’s established incident response and breach notification procedures. This includes:
- Notifying affected students as soon as possible, in accordance with GLBA breach notification requirements.
- Cooperating with college administration, IT, and legal counsel to investigate and mitigate the breach.
- Reporting the breach to appropriate regulatory authorities, as required by law.
8. Compliance Monitoring and Auditing
The Financial Aid Office will regularly monitor and audit its processes to ensure compliance with the Gramm-Leach-Bliley Act. This includes:
- Conducting periodic reviews of data security and privacy practices.
- Evaluating the effectiveness of employee training programs.
- Performing risk assessments to identify and address any vulnerabilities in the handling of student financial aid data.
9. Policy Review
This policy will be reviewed and updated annually to ensure that it remains in compliance with the Gramm-Leach-Bliley Act and other applicable privacy and security laws. Any updates or changes to the policy will be communicated to all relevant personnel.
10. References
- Gramm-Leach-Bliley Act of 1999 (Pub. L. 106-102)
- U.S. Department of Education, Family Educational Rights and Privacy Act (FERPA)
- San Joaquin Delta College Data Security Policy
- San Joaquin Delta College Privacy Policy