ID Card Data policy

Policy Statement

This policy defines how data encoded on university-issued ID cards can be accessed and used.

Rationale:

University ID cards have sensitive data encoded on them that must be accessed and used for only approved purposes and in a secure manner with the consent of the information owners.

Applicability of the Policy

This policy applies to all University employees and any third parties with whom the University contracts for services.

Policy Elaboration

University ID cards are produced and issued by Oneonta Auxiliary Services (OAS) to identify members of the University community and provide services. Services the cards provide through a proximity chip or magnetic stripe include:

• building and room access through the Card Access system
• meal services in dining halls
• Dragon Dollars debit-style accounts
• access to Oneonta Public Transit buses
• library services

Event Attendance

University offices or departments may wish to swipe University ID cards to facilitate taking attendance at special events or mandatory training sessions. Attendance Reports will include:

• A00 number
• Last name
• First name
• Email address
• Flag indicating the confidential status of a student record

Anyone wishing to use the process must have a Banner account and be granted permission to access the report creation job process. Access to the process will be granted by the Registrar (for student attendees). Access to employee card data is not approved at this time except as listed above. Any other related data (address, academic major, department, etc.) must be requested through established Banner reporting procedures and in compliance with established policies.

Card Readers

Any office or department wishing to access ID card data must purchase a card reader approved by the Office of IT Security. The data collected must be stored securely and viewed only by authorized personnel.

Distribution of Data

ID card data, data collected through a card reader of any type and any data included in a report generated from it is for the sole use of the office or department that has been granted access to the data and reports as described by this policy. Data and reports must not be released to any other office, department or outside agency.

Other Uses

Other uses of ID card data not listed above must be reviewed and approved by the Office of IT Security and the owners of the information. Oneonta ID Card Data policy OAS Number

The OAS number is for OAS’s sole use and may not be stored or used by the University without prior approval of OAS.

Definitions

Information owners - Persons responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be. In the case of ID cards, the information being accessed is:

• University ID (A00) numbers owned by the University Registrar, Employee Services, the Human Resources
• Offices of Sodexo, OAS, and the Research Foundation
• OAS numbers owned by OAS
• OAS number – A unique number assigned to each card by OAS and used to provide dining Dragon Dollars services.
• Magnetic Stripe – A strip of magnetic tape affixed to the back of the ID card and encoded with identification information for the person to whom the card is issued.
• Proximity Chip - a microcircuit embedded in Oneonta’s ID cards that transmit data to the Card Access system when presented to the door control devices.

Procedures

Anyone planning to use card swipe data will contact the Office of IT Security to discuss the project prior to the collection of any data.

Related Documents / Policies

SUNY Oneonta Information Technology Security Program

SUNY Oneonta Confidentiality Policy and Agreement

SUNY Oneonta FERPA Policy