Scattered information leads to confusion about who has access

But exactly who has access to SIS and for what reasons seem to be so tangled a mystery that apparently not even university officials can solve it.

SIS is a computer database that contains student information for the Financial Aid, Bursar's, Admissions and Registrar's offices. It is based on nine-digit student identification numbers that are usually the same as students' Social Security numbers.

The information contained in SIS includes grades, class schedules, financial aid status and Social Security numbers that can unlock everything from tax records to medical records. Most of the information cannot be legally released by the university.

The University of Arizona plans to eventually centralize all student information on campus - including additional services like Parking and Transportation and the Student Recreation Center - together in one "affiliate database," said Liz Taylor, director of the CatCard project.

Right now, Taylor said, too much information is in too many places. She said administrators are in the process of putting student information in one central database that only authorized employees will be able to access.

Hundreds - possibly thousands - of university employees have access to SIS and students' personal information. University officials contacted during the past week, however, did not know exactly who has access and why, and referred questions to other administrators in a never-ending circle of questions.

Registrar Jack Farrell originally referred SIS inquiries to Mike Torregrossa, coordinator of student information and integrated data systems, but Torregrossa was only familiar with the technical aspects of the system.

"Student Information Systems is a very secure system with many safeguards to prohibit the wrong people from getting student's information," Torregrossa said. "Access is granted on a need-to-know basis."

He referred further inquiries back to Farrell, who suggested talking to the Financial Aid, Bursar's and Admissions offices.

The Bursar's office did not return phone calls, and representatives of the Financial Aid and Admissions offices said they were not familiar with the entire system.

Farrell finally directed inquiries to Mary Salgado, an applications systems analyst in the Registrar's Office, who said she was familiar only with the registrar's portion of the system - just one-fourth of the entire SIS.

Salgado said SIS is a secure system that "few" people have access to. She said the system is updated daily to ensure the right people have access to information they need.

Salgado said, however, that she did not know how many people had access. She explained that people are given access only to information they need, and individual access is customized to allow them to view certain information screens on the system.

Permission to access the system is granted to faculty and staff through the Registrar's Office, and students are never granted access, Salgado said.

University spokeswoman Sharon Kha said yesterday that she knew little about SIS and referred questions back to Torregrossa and Saundra Taylor, vice president for student life and human resources.

Saundra Taylor's office referred questions to Michael Gottfredson, vice president for undergraduate education, who was not available. His secretary, however, said he was not familiar with SIS and was the wrong person to ask.

Being directed to someone who doesn't know anything was an improvement from last week, when Farrell, Liz Taylor, and Jean Johnson, assistant controller of student services, wouldn't say who was in charge of SIS.

Information about training was similarly vague.

Salgado said employees given access to SIS go through an initial training session, then receive more training as more access is granted, but she would not explain what that training includes.

The Center for Computing and Information Technology said Mari Jo Widger, a senior instructional specialist in the Registrar's Office, is responsible for SIS training, but she said she was not authorized to answer questions.

Kha, university attorney Michael Proctor, Taylor and other university officials could not explain how employees are trained to ensure that sensitive information does not fall into the wrong hands, or whether they receive specific training regarding the Family Educational Rights and Privacy Act, which prohibits the release of most student information, such as Social Security numbers and grades.

FERPA violations last year prompted UA officials to investigate the illegal release of basketball player Miles Simon's grades to The Kansas City Star.

In that incident, someone with access to Simon's information leaked part of his academic record to The Star. The information became part of an October article that implied the UA made exceptions for Simon to keep him eligible to participate in athletics.

The Star's report included Simon's GPA, as well as information that he was academically suspended during parts of 1996 after earning a D-minus average one semester.

In October, Proctor said the university was trying to determine what data was released and who had access to it. Whoever released Simon's transcript violated FERPA, he said.

Proctor said he has hosted detailed FERPA training seminars for employees with SIS access, but only after they have been given advanced system access. He said he was unfamiliar with FERPA training for employees who are given initial access to SIS.

The Information Technologies Department at Loyola University in Chicago requires its employees to sign data confidentiality statements, and the university is developing a new student information system that will generate and assign unique personal identification numbers, according to a 1996 report by the university's Security Awareness and Ethics Committee.