The FTC regulations (16 C.F.R. Part 314) require financial institutions, including colleges and universities, to develop plans and establish policies to protect customer financial information. These regulations stem from the Gramm-Leach-Bliley Act (GLBA) which was enacted in 2000, which requires financial institutions to take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. The GLB Act broadly defines “financial institutions” as any institution engaging in the financial activities including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLB Act purposes. Under regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the Act related to the administrative, technical, and physical safeguarding of customer information.
Standards for Safeguarding Customer Information; Final Rule (16 C.F.R. § 314): Customer information(that is, personal information provided by customers as part of a financial transaction, such as student loans or parental tuition payments) is protected by the Gramm-Leach-Bliley Act (GLBA).
All employees are responsible for protecting the personal information that the University of Missouri gathers and uses - it only takes a few details about an individual for a criminal to steal an identity: information that the University faculty and staff compile, store and access regularly.
Whenever you gather information (especially sensitive or private information), make sure you understand and clearly note the purpose(s) for which that information is being gathered. That way, you can ensure the information is used appropriately in the future.
As a general rule, you should only be accessing information or records when you have a legitimate need to know or access that information - for instance, only accessing student records when there is a legitimate educational purpose, and only accessing business records when there is a legitimate business purpose.
Privacy regulations may apply to sensitive information that is stored or transmitted on any type of media - electronic, paper, microfiche, and even verbal communication.
GLB Campus Committee Contacts: https://umsystem.edu/ums/fa/glb/glb-contact
For legal assistance, please contact the Office of the General Counsel at https://umsystem.edu/ums/gc/
 NACUBO Advisory Report 2003-01