Conflict of Interest and Commitment and Identity Theft Prevention Plan: Difference between pages

From Appalachian State University Policy Manual
imported>Deaskc
 
>Deaskc
 
Policy 604.6
Policy 105.5
 
== Introduction ==
== Introduction ==
1.1 The Code of The University of North Carolina affirms that the basic mission of the faculty is "the transmission and advancement of knowledge and understanding". Faculty employment at Appalachian State University entails the core responsibilities of teaching, scholarly research and publication, and other professional service to the institution and to society.  Faculty and non-faculty EPA employees (Covered Employees, as more fully defined below) pursue their specialized professional interests in other contexts, collateral to their immediate University employment. These activities demonstrate active participation in a profession and are encouraged, provided they do not conflict or interfere with the timely and effective performance of the individual's primary university duties or University policies. 
=== Program Adoption ===
 
1.1.1 As a best practice and using as a guide the Federal Trade Commission's Red Flags Rule (16 CFR Part 681, implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159) and North Carolina General Statutes, Chapter 75, Article 2A, Appalachian State University (the "University") has developed an Identity Theft Prevention Program (the "Program") described below. This Program was developed with oversight and approval of the Board of Trustees of Appalachian State University (the "Board"). After consideration of the size and complexity of the University's operations and account systems, and the nature and scope of the University's activities, the Board determined that this Program was appropriate for the University, and approved it on September 24, 2010 (the "Effective Date").  The purpose of this Program is to detect, prevent and mitigate identity theft in connection with any covered account. This Program envisions the implementation of policies and procedures subject to the Chancellor's approval in order to achieve these goals.
1.2 As relationships between Covered Employees and private industry, federal and state governments, and nonprofit agencies have grown in number and scope, there has been a corresponding increase in concern about Conflicts of Interest and Commitment. This Policy provides principles and corresponding procedures to identify, address, and manage actual potential conflicts that  would detract from or interfere with a Covered Employee’s dedication of unbiased primary professional loyalty, time and energy to University teaching, scholarship, and service.
 
1.3 This Policy is also intended to comply with state and federal laws and regulations directed at conflicts of interest and commitment. North Carolina law prohibits state employees from directly or indirectly entering into or otherwise participating in any business transaction involving public funds (regardless of source of funds) with any firm, corporation, partnership, person or association which had a financial association with that employee in the preceding two years. North Carolina law explicitly prohibits self-dealing (using one's University position to gain an unfair personal business advantage), misuse of confidential University information for personal gain, and having any personal interest in supplying any goods to the State.  Federal regulations issued by the National Science Foundation and Public Health Service (“PHS”) establish requirements for University research funded by those agencies.  
 
1.4. Activities undertaken by University faculty, staff, students, and Covered Individuals (as defined below) in furtherance of the University mission must be conducted in an ethical and transparent manner consistent with federal and state law and University policy. Covered Persons (as defined below) are expected to avoid conflicts of interest and commitment that have the potential to directly and significantly (1) affect the interests of the University; (2) compromise objectivity in carrying out University Employment Responsibilities and PHS responsibilities; or (3) otherwise compromise the performance of University Employment Responsibilities. This Policy requires: an annual or, if needed, more frequent, disclosure of outside interests; and a management process which supplements other University policies such as the External Professional Activities of Faculty and Other Professional Staff policy.


== Scope ==
== Scope ==
2.1 Each Covered Employee and Covered Individual, as these terms are defined below, is required to comply with this policy.
2.1 All University personnel whose employment duties require or allow access to identifying information of other employees or students are responsible for implementing this Program.


== Definitions  ==
== Definitions  ==


=== Conflict of Interest (“COI”) ===
=== "Covered Account"  ===  
:relates to situations in which financial or other personal considerations, circumstances, or relationships may compromise, involve the potential for compromising, or have the appearance of compromising a Covered Employee’s objectivity in fulfilling the Covered Employee’s University duties or responsibilities, including research, service and teaching activities and administrative duties.
:any account that constitutes a continuing financial relationship or is designed to permit multiple payments or transactions between the University and a person for a service, such as extension of credit, debit cards, Perkins Loans, Federal Family Education Loan Program (FFELP), institutional loans, accounts covered by the Health Insurance Portability and Accountability Act (HIPAA), deposit accounts, scholarship accounts, student accounts, and tuition payment plans.  


=== COI Coordinator ===
:any other account that the University offers or maintains for which there is a reasonably foreseeable risk to holders of the account or to the University from identity theft, such as use of consumer reports for employee background checks, credit applications and institutional debit card applications. This may include operations of utilities (e.g., New River Light & Power Company), clinical and research activities, and public service activities.
:is the General Counsel or the General Counsel’s designee.
=== Conflict of Commitment ===
:relates to a Covered Employee’s distribution of time and effort between obligations to University employment and participation in other activities outside of University employment. A conflict of commitment occurs when the pursuit of such outside activities involves an investment of time or is conducted at a time that interferes with the employee’s fulfillment of University Employment Responsibilities.
=== Covered Employee (also referred to as “Covered Person”) ===
:is defined as any faculty or EPA non-faculty employee of the University of North Carolina or a Constituent Institution, an affiliated entity, or other agency or unit of the University of North Carolina.
=== Covered Individual (also referred to as “Covered Person”) ===
:includes any person who is a Principal Investigator or Project Director of any Public Health Service-supported grant received by the University, and any person who is designated by a Principal Investigator or Project Director of any Public Health Service-supported grant as being responsible for the design, conduct, or reporting of the Public Health Service-funded research, or who is listed as Senior/Key Personnel on any grant application or report submitted to the Public Health Service.  Covered Individuals may include any subcontractor, collaborator, student, or consultant who is responsible for any portion of the design, conduct, or reporting of Public Health Service-funded research performed under a grant to the University, regardless of whether that individual is compensated for work or is an employee of the University.
=== Department ===
:means an academic department or any other administrative unit designated by the Chancellor for the purposes of implementing this policy.
=== Designated University Official (“DUO”) ===
:means the Dean of the Covered Person’s college or, for any Covered Person not assigned to a position in any college, the appropriate unit head.
=== External Professional Activities for Pay ===
:are any Covered Employee activities that 1) are not included within one's University Employment Responsibilities; 2) are performed for any entity, public or private, other than the University employer; 3) are undertaken for compensation; and 4) are based upon the professional knowledge, experience and abilities of the Covered Employee.
=== Executive Position ===
:refers to any position that includes responsibilities for a material segment of the operation or management of a business, including Board membership.
=== Financial Interest ===
:is defined as:
#Payment for services to the Covered Person not including institutional salary of Covered Employees;
#Equity or other ownership in a publicly or non-publicly traded entity (e.g., stock, stock options, or other ownership interest); or
#Intellectual property rights and interests in receipt of income related to such rights, and interest, held by the Covered Person or members of the Covered Person’s  Immediate Family.
:Income from investment vehicles, such as mutual funds or retirement accounts, in which the Covered Person or Immediate Family member do not directly control the investment decisions; intellectual property rights assigned to the Institution; and agreements to share in royalties related to such rights are excluded from the definition of Financial Interest.
=== Immediate Family ===
:of a Covered Person includes the Covered Person’s spouse and dependent children.
=== Public Health Service (PHS) ===
:means the Public Health Service of the U.S. Department of Health and Human Services, and any components of the PHS to which the authority involved may be delegated, including the National Institutes of Health (NIH).
=== PHS Responsibilities ===
:refer to a Covered Individual’s responsibilities for a PHS proposal or grant.
=== PHS Financial Conflict of Interest (also referred to as “PHS FCOI”) ===
:means any PHS Significant Financial Interest that the University determines is related to a PHS-funded research project and could directly and significantly affect the design, conduct, or reporting of the PHS-funded research.
=== PHS Significant Financial Interest ===
:is defined as follows:
#A Financial Interest consisting of one or more of the following interests of the Covered Individual (and those of the Covered Individual’s Immediate Family) that reasonably appears to be related to the Covered Individual’s University Employment Responsibilities or PHS Responsibilities:
##With regard to any publicly traded entity, a PHS Significant Financial Interest exists if the value of any remuneration received by the Covered Individual or Immediate Family from the entity in the twelve months preceding the disclosure and the value of any equity interest held by the Covered Individual or Immediate Family in the entity as of the date of disclosure, when aggregated, exceeds $5,000. For purposes of this definition, remuneration includes salary and any payment for services not otherwise identified as salary (e.g., consulting fees, honoraria, paid authorship); equity interest includes any stock, stock option, or other ownership interest, as determined through reference to public prices or other reasonable measures of fair market value;
##With regard to any non-publicly traded entity, a PHS Significant Financial Interest exists if the value of any remuneration received by the Covered Individual or Immediate Family from the entity in the twelve months preceding the disclosure, when aggregated, exceeds $5,000, or when the Covered Individual or Immediate Family holds any equity interest (e.g., stock, stock option, or other ownership interest) in the entity; and
##A PHS Significant Financial Interest exists with respect to any intellectual property rights and interests (e.g., patents, copyrights), in receipt of income related to such rights and interests by the Covered Individual or Immediate Family.
#A PHS Significant Financial Interest also exists upon the occurrence of any reimbursed or sponsored travel (i.e., any travel which is paid on behalf of the Covered Individual and not reimbursed by the Covered Individual regardless of whether the exact monetary value is readily determinable) related to the Covered Individual’s University Employment Responsibilities.
#The term PHS Significant Financial Interest does not include the following types of financial interests:
##salary, royalties, or other remuneration paid by the University to the Covered Individual if the Covered Individual is currently employed or otherwise appointed by the University, including intellectual property rights assigned to the University and agreements to share in royalties related to such rights;
##income from investment vehicles, such as mutual funds and retirement accounts, as long as neither the Covered Individual nor any member of the Covered Individual’s  Immediate Family directly controls the investment decisions made in these vehicles;
##income from seminars, lectures, or teaching engagements sponsored by a federal, State, or local government agency, an institution of higher education as defined at 20 U.S.C. 1001(a), an academic teaching hospital, a medical center, or a research institute that is affiliated with an institution of higher education; 
##income from service on advisory committees or review panels for a federal, State, or local government agency, an institution of higher education as defined at 20 U.S.C. 1001(a), an academic teaching hospital, a medical center, or a research institute that is affiliated with an institution of higher education; or
##travel that is reimbursed or sponsored by a Federal, state, or local government agency, an institution of higher education as defined at 20 U.S.C. 1001(a), an academic teaching hospital, a medical center, or a research institute of higher education that is affiliated with an institution of higher education.
=== Reporting Form ===
:means Conflict of Interest/Commitment Reporting Form.
=== Senior/Key Personnel ===
:means the Project Director or Principal Investigator and any other person identified as senior/key personnel by the University in a grant application, progress report, or any other report submitted to the PHS by the University.
=== Technology ===
:means any process, method, product, compound, drug, device, or any diagnostic, medical, or surgical procedure developed using University time, facilities, equipment, or funds, whether intended for commercial use or not.
=== University Employment Responsibilities ===
:include Primary Duties and Secondary Duties. Primary Duties consist of assigned teaching, scholarship, research, institutional service requirements, administrative duties and other assigned employment duties. Secondary Duties may include professional affiliations and activities traditionally undertaken by Covered Employees outside of the immediate University employment context. Secondary Duties may or may not entail the receipt of honoraria, remuneration or the reimbursement of expenses, include membership in and service to professional associations and learned societies; membership on professional review or advisory panels; presentation of lectures, papers, concerts or exhibits; participation in seminars and conferences; reviewing or editing scholarly publications and books without receipt of compensation; and service to accreditation bodies.
=== Significant Financial Interest ===
:means anything of monetary value, including but not limited to, salary or other payments for services (e.g., consulting fees or honoraria); equity interests (e.g., stocks, stock options or other ownership interests); and intellectual property rights (e.g., patents, copyrights and royalties from such rights). The term does not include:
#Salary, royalties, or other remuneration from the University;
#Income from seminars, lectures, or teaching engagements sponsored by public or nonprofit entities;
#Income from service on advisory committees or review panels for public or nonprofit entities;
#An equity interest that when aggregated for the Covered Person and that individual's spouse and dependent children, meets both of the following tests: Does not exceed $10,000 in value as determined through reference to public prices or other reasonable measures of fair market value, and does not represent more than a five percent ownership interest in any single entity; or
#Salary, royalties or other payments, including consulting fees, that when aggregated for the Covered Person and Immediate Family over the next twelve months, are not expected to exceed $10,000.


== Policy and Procedure Statements  ==
=== Identifying Information ===
=== Conflicts of Interest ===  
:means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to:
4.1.1 Conflicts of interest refer to situations in which financial or other personal considerations, circumstances, or relationships may compromise, may involve the potential for compromising, or may have the appearance of compromising a Covered Person’s objectivity in fulfilling University Employment Responsibilities or PHS Responsibilities. Covered Persons may have a conflict of interest when they, or any member of their Immediate Families, have a personal interest in an activity that may affect their decision making with respect to their University Employment Responsibilities or PHS Responsibilities.  While a Conflict of Interest may result from nonfinancial interests or considerations, the overwhelming majority of Conflicts of Interest result from a Financial Interest of a Covered Person who is in a position to make a supervisory, academic, research, or administrative decision which may be compromised because of potential financial gain from a Financial Interest.  The bias that such conflicts may impart can affect many University duties, including decisions about personnel, the purchase of equipment and other supplies, the selection of instructional materials for classroom use, the collection, analysis and interpretation of data, the sharing of research results, the choice of research protocols, the use of statistical methods and the mentoring and judgment of student work.


4.1.2 Activities that may involve Conflicts of Interest fall under four general categories.  Each category includes examples that are provided for illustrative purposes, but do not include all possible situations.
#name
#address
#telephone number
#social security number
#date of birth
#government-issued driver's license or identification number
#alien registration number
#government passport number
#employer or taxpayer identification number
#individual identification number
#computer's Internet Protocol address
#bank or other financial account routing code


4.1.3 Category 1: Allowable activities requiring disclosure.  Category 1 includes activities external to University employment which may present the appearance of a technical conflict, but have little or no potential for affecting the objectivity of the Covered Employee’s performance of University Employment Responsibilities. At most, some such situations could prompt questions about Conflicts of Commitment.
=== Identity Theft ===
#A Covered Employee receiving royalties from the publication of books or for the licensure of patented inventions subject to the Appalachian State University and UNC Patent and Copyright Policies.
:means a fraud committed or attempted using the identifying information of another person without authority [16 CFR 603.2(a)].
#A Covered Employee receiving compensation in the form of honoraria or expense reimbursement, in connection with service to professional associations, service on review panels, presentation of scholarly works and participation in accreditation reviews. Covered Employees must comply with the External Professional Activities of Faculty and Other Professional Staff Policy.


4.1.4 Category 2: Activities requiring disclosure for further administrative review and analysis.  Category 2 includes activities that suggest a possibility of conflicting interests that can impair objectivity, but disclosure and resulting analysis of relationships may render the activity permissible and may result in the establishment of an approved management plan. 
=== Program Administrator ===
#A Covered Employee requiring students to purchase the textbook or related instructional materials authored or compiled by the employee or members of the employee’s Immediate Family, which produces compensation for the employee or family member.
:means the individual designated with primary responsibility for oversight of this Program.
#A Covered Employee receiving compensation or gratuities from any individual or entity doing business with the University. Under North Carolina state law, no university employee may seek or receive any gift, reward, or promise of reward for recommending, influencing, or attempting to influence the award of a contract by the employer.
#A Covered Person serving on the board of directors or scientific advisory board of an enterprise that provides financial support for University research and the employee or an Immediate Family member may receive such financial support.
#A Covered Person or  an Immediate Family Member having an equity or ownership interest in a publicly or non-publicly-traded entity or enterprise doing business with the University or soliciting business from the University.
#A  Covered Person accepting support for University research under conditions that require research results to be held confidential, unpublished, or delayed in publication. Research conducted by faculty or students under any form of sponsorship must maintain the University's open teaching and research philosophy and must adhere to a policy that prohibits secrecy in research. Such conditions on publication must be in compliance with The UNC Policy Manual, 500.1 and 500.2, and with the University Intellectual Property Transfer policy.  


4.1.5 Category 3: Activities or relationships that are generally not allowable or permitted unless an approved Conflict of Interest Management Plan is in place.  Activities in Category 3 generally are not permissible because they involve actual or potential financial conflicts of interest or present obvious opportunities or inducements to favor personal interests over institutional interests.  Before proceeding with such an activity, the Covered Employee must demonstrate that his or her objectivity would not be affected and University interests would not be damaged.  An approved Conflict of Interest Management Plan is required for these types of activities.
=== Red Flag ===
#A Covered Person participating in University research involving a technology owned by or contractually obligated to (by license or an option to license, or otherwise) the Covered Person or entity in which the individual or an  Immediate Family member has a consulting relationship, has an equity or ownership interest, or holds an Executive Position.
:means a pattern, practice, alert or specific activity that indicates the possible existence of identity theft.
#A Covered Person participating in University research which is funded by a grant or contract from an enterprise or entity in which the Covered Employee or an  Immediate Family member has an equity or ownership interest.
#A Covered Person assigning students, post-doctoral fellows or other trainees to University research projects sponsored by an enterprise or entity in which the Covered Employee  or an  Immediate Family member has an equity or ownership interest.


4.1.6 Category 4: Activities that are not allowable under any circumstances.
=== Service Provider ===
#A Covered Person making referrals of University business to an external enterprise in which the individual or an Immediate Family member has a financial interest.
:means a person or entity that provides a service directly to the University.
#A Covered Person associating his or her own name with the University in such a way as to profit financially by trading on the reputation or goodwill of the University.
#A Covered Employee making unauthorized use of privileged information acquired in connection with the Covered Employee’s University Employment Responsibilities.  
#A Covered Employee signing agreements that assign University patent and other intellectual property rights to third parties without prior University approval.
#Any activity otherwise prohibited by law or University policy


=== Conflicts of Commitment ===  
== Policy and Procedure Statements  ==
4.2.1 Conflict of Commitment relates to an individual's distribution of time and effort between obligations to University employment and participation in other activities outside of University employment. The latter may include such generally encouraged extensions of professional expertise as professional consulting (i.e., External Professional Activities for Pay). Such activities promote professional development and enrich the individual's contributions to the institution, to the profession, and to society. However, a conflict of commitment occurs when the pursuit of such outside activities involves an investment of time or is conducted at a time that interferes with the employee’s fulfillment of University Employment Responsibilities.
 
4.2.2. Although full-time faculty and other non-faculty EPA employment is not amenable to precise, time-clock analysis and monitoring, administrators at the department and other unit levels regularly evaluate the work of employees within their units. The formal occasions for determining whether an individual is devoting sufficient time and effort to University employment include regular reviews of performance in connection with annual salary decisions and scheduled reviews incident to promotion, reappointment or tenure decisions. In addition, complaints from students, colleagues, or administrators about possible failures to meet assigned responsibilities may arise and require investigation. The issue, in each case, is whether the employee is meeting the requirements of the job. Evidence that a Covered Employee is not meeting full-time responsibilities to the University may result in employment discipline up to and including dismissal.
4.2.3 The University policy on External Professional Activities of Faculty and Other Professional Staff requires that a University employee who wishes to engage in an External Professional Activity for Pay must make a full disclosure, in advance, of the planned outside involvement and must provide satisfactory assurances that such activity will not interfere with University employment obligations by completing the “Notice of Intent to Engage In External Professional Activity for Pay”.  A person engaged in External Professional Activities for Pay may not use University Resources in the course and conduct of externally compensated activities.  Under no circumstances may any employee use the services of another employee during University employment time to advance the externally compensated employee’s professional activities for pay.


4.2.4 In those instances when State-reimbursed travel, work time, or resources are used or when the activity can be construed as related to the Covered Employee’s University Employment Responsibilities on behalf of the State, the employee shall not receive any financial consideration, including an honorarium.  In these instances the employee may request that the honorarium be paid to the University. The honorarium may be retained by the employee only for activities performed outside of normal working hours, as defined by the institution, or while the employee is on earned paid or annual leave, and all expenses are the responsibility of the employee or a third party that is not a State entity.  Senior Academic and Administrative Officers are subject to further restrictions on the receipt of an honorarium and requirements that annual leave be taken pursuant to the [http://www.northcarolina.edu/policy/index.php?pg=vs&id=277 UNC Policy Manual, 300.2.2.2[R]].
=== Identification of Red Flags ===
4.1.1 In order to identify relevant red flags, the University considers the types of covered accounts it offers or maintains, the methods it provides to open its covered accounts, the methods it provides to access its covered accounts, and its previous experiences with identity theft. Red flags may be detected while implementing existing account opening and servicing procedures (example: individual identification, caller authentication, third party authorization, and address changes).


=== Public Health Service Rules, Requirements and Responsibilities ===
4.1.2 The University identifies the following as red flags in each of the listed categories:


4.3.1 The Public Health Service (PHS) and the U.S. Department of Health and Human Services issued revised regulations on the “Responsibility of Applicants for Promoting Objectivity in Research for which PHS Funding is Sought and Responsible Prospective Contractors” (commonly known as the Financial Conflict of Interest (FCOI) regulations) on August 25, 2011. These regulations, available at http://grants.nih.gov/grants/policy/coi, establish new standards and clarify previously issued standards to be followed by Institutions that apply for or receive research funding from PHS Awarding Components, including the National Institutes of Health (NIH), for grants, cooperative agreements, and research contracts. The primary goal of the new regulations is to promote objectivity by establishing standards that provide a reasonable expectation that the design, conduct, and reporting of research funded under PHS grants, cooperative agreements, and research contracts will be free from bias resulting from Investigator financial conflicts of interest.
#Notifications and warnings from consumer reporting agencies
##Report of fraud accompanying a credit report;
##Notice or report from a credit agency of a credit freeze on an applicant;
##Notice or report from a credit agency of an active duty alert for an applicant;
##Receipt of a notice of address discrepancy in response to a credit report request; and
##Indication from a credit report of activity that is inconsistent with an applicant's usual pattern or activity
#Suspicious documents
##Identification document or card that appears to be forged, altered or inauthentic;
##Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document;
##Other document with information that is not consistent with existing individual information; and  
##Application that appears to have been altered or forged.
#Suspicious personal identifying information
##Identifying information that is inconsistent with other information the individual provides (example: inconsistent birth dates);
##Identifying information that is inconsistent with other sources of information (example: an address not matching an address on a loan application);
##Identifying information that is the same as information shown on other applications that were found to be fraudulent;
##Identifying information that is consistent with fraudulent activity (examples: an invalid phone number or fictitious billing address);
##Social security number that is the same as one given by another individual;
##An address or phone number that is the same as that of another person;
##A person fails to provide complete personal identifying information on an application when reminded to do so; and
##A person's identifying information is not consistent with the information that is on file for the individual.
#Suspicious covered account activity
##Change of address for an account followed by a request to change the individual's name;
##Payments stop on an otherwise consistently up-to-date account;
##Account used in a way that is not consistent with prior use;
##Mail sent to the individual is repeatedly returned as undeliverable;
##Notice to the University that an individual is not receiving mail sent by the University;
##Notice to the University that an account has unauthorized activity;
##Breach in the University's computer system security; and  
##Unauthorized access to or use of individual account information. 
#Alerts from others
##Notice to the University from an identity theft victim, law enforcement officer or other person that the University has opened or is maintaining a fraudulent account for a person engaged in identity theft.


4.3.2 Covered Individuals’ Responsibilities Under the PHS FCOI Regulation. Covered Individuals have the following responsibilities regarding disclosure of PHS Significant Financial Interests:
=== Detection of Red Flags ===


4.3.2.1 Disclosures of PHS Significant Financial Interests for Covered Individuals Applying for or Participating in PHS-Funded Research. In addition to the annual disclosures required under this policy, any Covered Individual applying for PHS-funded research grants must update his or her Reporting Form to disclose to the COI Coordinator or update as needed all PHS Significant Financial Interests at the time of application for the PHS-funded research grant.  Each Covered Individual participating in PHS-funded research must also update the Covered Individual’s Reporting Form within 30 days of discovering or acquiring (for example, through inheritance or marriage or participating in sponsored or reimbursed travel) a new PHS Significant Financial Interest.
==== Student Enrollment ====


4.3.2.2 Training. All Covered Individuals applying for PHS-funded research grants or participating in PHS-funded research are required to complete training provided by the COI Coordinator in PHS regulations to promote objectivity in research prior to participating in research related to any PHS-funded grant and at least every four years thereafter for so long as they continue to apply for PHS-funded grants or participate in PHS-funded research.  In addition, Covered Individuals must also complete such training whenever (a) the University revises this policy in a manner that affects the Covered Individuals; (b) the Covered Individual is new to the University; or (c) the University finds that the Covered Individual is not in compliance with this policy or any management plan developed under this policy.
4.2.1.1 In order to detect any of the red flags identified above associated with the enrollment of a student, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:


4.3.2.3 Disclosure of Sponsored or Reimbursed Travel. Covered Individuals must disclose to the COI Coordinator reimbursed or sponsored travel and report at a minimum the following information:
#Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
#The purpose of the trip;
#Verify the individual's identity at time of issuance of individual
#The identity of the sponsor and/or organizer of the trip;
#The destination; and
4.2.1.2 Identification card (example: review of driver's license or other government-issued photo identification).
#The duration of the trip
The COI Coordinator or DUO may require disclosure of additional information such as the monetary value of any such travel.


4.3.3 Institutional Responsibilities Under the PHS FCOI Regulation
==== New Customers or Clients ====


4.3.3.1 Subrecipients of PHS-Funded Research Grants: If the University carries out PHS-funded research through a subrecipient such as a subcontractor or a consortium, the Chief Research Officer (CRO) will ensure via written agreement that the subrecipient either follows this policy or a financial conflict of interest policy of the subrecipient’s employer.  If the subrecipient complies with its own employer’s financial conflict of interest policy, the University and the subrecipient must, prior to subrecipient’s performance of any PHS-funded work, enter into a written agreement (a) certifying that the subrecipient’s conflict of interest policy complies with the PHS regulations for promoting objectivity in research as codified at Title 42 of the Code of Federal Regulations, Part 50, Subpart F and (b) specifying that the subrecipient will report all PHS Financial Conflicts of Interest identified under its policy to the University prior to full execution of the written agreement and within 30 days following discovery or acquisition of a new PHS Significant Financial Interest in a manner sufficient to allow the University to provide complete and timely reports to the PHS.  Alternatively the University and the subrecipient may enter into a written agreement (a) acknowledging that the subrecipient’s employees who are responsible for the design, conduct, or reporting of the PHS-funded research are subject to this policy and (b) specifying that the subrecipient will submit disclosures of PHS Significant Financial Interests from the  subrecipient’s employees who are responsible for the design, conduct, or reporting of the PHS-funded research to the University at the point of application to PHS and within 30 days following discovery or acquisition of any new PHS Significant Financial Interest in a manner sufficient to allow the University to comply with its review, management, and reporting obligations to the PHS.
4.2.2.1 In order to detect any of the red flags identified above associated with service to a new customer or client, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:


4.3.3.2 Review of PHS Significant Financial Interests. In reviewing a Covered Individual’s PHS Significant Financial Interests the COI Coordinator will first determine whether any PHS Significant Financial Interest is related to the Covered Individual’s PHS-funded research.  The PHS Significant Financial Interest is related to a PHS-funded research project if the PHS Significant Financial Interest could be affected by the PHS-funded research or is in an entity whose financial interest could be affected by the PHS-funded research.  If the PHS Significant Financial Interest is determined to be related to PHS-funded research, then the COI Coordinator 1) determines whether the PHS Significant Financial Interest constitutes a PHS Financial Conflict of Interest and, if so, follows the procedures described in this policy to develop, document, and recommend an appropriate management plan to a Designated University Official (DUO).  The DUO monitors the Covered Individual’s compliance with the management plan on an ongoing basis until completion of the PHS-funded project.  For any new PHS-funded project, the review of all relevant disclosures of Financial Interests and implementation of any management plans must be complete prior to expenditure of any funds for the project.  For a Covered Individual who is new to the PHS-funded project or any Covered Individual who discloses a new PHS Significant Financial Interest after the start of the project, review of the disclosure of Financial Interests and implementation of the management plan, if any, must be complete within 60 days of disclosure. 
#Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
#Verify the individual's identity at time of issuance of individual


4.3.3.3 Reporting of PHS Financial Conflicts of Interest to the PHS.  For any PHS Financial Conflict of Interest identified and not eliminated, the DUO will provide the Office of Sponsored Programs with a report including sufficient information to enable the PHS awarding component to understand the nature and extent of the financial conflict and to assess the appropriateness of the University’s management plan, including all documentation of any management plan.  The Office of Sponsored Programs will file the initial report with PHS prior to any expenditure of funds.  After the initial report has been submitted, the Office of Sponsored Programs will submit to the PHS reports for each PHS Financial Conflict of Interest for the duration of each project (including funded or unfunded extensions) at the same time as the University submits the annual progress report, multi-year progress report (if applicable), or at the time of extension.  The annual reports 1) must address the status of each relevant PHS Financial Conflict of Interest, and any changes to the management plan and 2) must specify whether the PHS Financial Conflict of Interest is still being managed or explain why the PHS Financial Conflict of Interest no longer exists.  If a Covered Individual who is newly participating in a project is identified as having a PHS Financial Conflict of Interest, or if any Covered Individual participating in a PHS-funded project discloses a new PHS Significant Financial Interest that is determined to be a PHS Financial Conflict of Interest after the start of the project, a report of that PHS Financial Conflict of Interest, including documentation of its associated management plan, must be sent to the PHS awarding component within 60 days after the PHS Financial Conflict of Interest has been identified.
4.2.2.2 Identification card (example: review of driver's license or other government-issued photo identification).


4.3.3.4 Disclosure of PHS Financial Conflicts of Interest to the Public.
==== Existing Accounts ====
Prior to the expenditure of PHS funds, the University must ensure public accessibility and respond to requests for information concerning PHS Financial Conflicts of Interest associated with projects that are currently headed by Covered Individuals.  The COI Coordinator will respond in writing within five (5) business days following receipt of a request.  The information in the response must be updated at least annually, must be maintained for a period of three years from the last update, and must include the following data elements:
#Name of the Covered Individual;
#Title of the Covered Individual;
#Role of the Covered Individual with respect to the relevant research project;
#Name of the entity in which the significant financial interest is held;
#Nature of the PHS Financial Conflict of Interest; and
#Approximate dollar value of the significant financial interest (the following dollar ranges are permissible:  $0 to $4,999; $5,000 to $9,999; $10,000 to $19,999; $20,000 to $100,000 by increments of $20,000; and amounts above $100,000 by increments of $50,000), or a statement if the interest is one whose value cannot be readily determined through reference to public prices or other reasonable measures of fair market value.


4.3.3.5 PHS Financial Conflicts of Interest that were Not Timely Identified or Managed or For Which a Covered Individual Fails to Comply with a Management Plan.
4.2.3.1 In order to detect any of the red flags identified above for an existing covered account, University personnel shall take the following steps to monitor transactions on an account:
If the University identifies a PHS Significant Financial Interest that was not timely disclosed by a Covered Individual or was not previously reviewed by the University during an ongoing PHS-funded research project (such as, for instance, a PHS Significant Financial Interest that was not timely reviewed or reported by a subrecipient), the COI Coordinator must, within 60 days of such identification, determine whether a PHS Financial Conflict of Interest exists and, if so, recommend to the DUO  a management plan that specifies the actions that have been and will be taken to manage the PHS Financial Conflict of Interest.  In all such cases and in situations in which a Covered Individual has failed to comply with a management plan, the DUO must, within 120 days of the University’s determination of non-compliance, complete a retrospective review of the Covered Individual’s activities and the PHS-funded project to determine whether the PHS-funded research, or any portion thereof, conducted during the time period of noncompliance was biased in the design, conduct, or reporting of such research and document the retrospective review.  The documentation must include at a minimum:
#The project number;
#The project title;
#The Project Director or Principal Investigator (or contact Project Director or contact Principal Investigator if a multiple Project Director/Principal Investigator model is used);
#The name of the Covered Individual with the PHS Financial Conflict of Interest;
#The name of the entity with which the Covered Individual has a PHS Financial Conflict of Interest;
#The reason(s) for the retrospective review;
#The detailed methodology used for the retrospective review (e.g., methodology of the review process, composition of the review panel, documents reviewed);
#Findings of the review; and
#Conclusions of the review.


Based on the results of the retrospective review, if appropriate, the DUO will inform the Office of Sponsored Programs, which will update the previously submitted PHS Financial Conflict of Interest report, specifying actions that will be taken to manage the PHS Financial Conflict of Interest going forward.  If bias is found, the Office of Sponsored Programs must notify the PHS awarding component and submit a mitigation report to the PHS awarding component.  The mitigation report must include at a minimum:
#Verify the identification of individuals if they request information (in person, via telephone, via facsimile, via email);
#the key elements documented in the retrospective review;
#Verify the validity of requests to change billing addresses by mail or email and provide the individual a reasonable means of promptly reporting incorrect billing address changes; and
#a description of the impact of the bias on the research project;  
#Verify changes in banking information given for billing and payment purposes.
#the University’s plan of action(s) to be taken to eliminate or mitigate the effect of the bias (e.g., impact on the research project); and
#the extent of harm done, including any qualitative or quantitative data to support any actual or future harm and analysis of whether the research project is salvageable.


4.3.3.6 Special Remedies for Specific PHS-funded Research Projects
==== Consumer ("Credit") Report Requests ====


If the Department of Health and Human Services determines that a PHS-funded project of clinical research whose purpose is to evaluate the safety or effectiveness of a drug, medical device, or treatment has been designed, conducted, or reported by a Covered Individual with a PHS Financial Conflict of Interest that was not managed or reported by the University as required by PHS regulations, the DUO  must require the Covered Individual to disclose the PHS Financial Conflict of Interest in each public presentation of the results of the research and to request an addendum to previously published presentations.
In order to detect any of the red flags identified above in regard to an employment or volunteer position for which a credit or background report is sought, University personnel shall take the following steps to assist in identifying address discrepancies:


=== Policy Distribution ===
#Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
#In the event that notice of an address discrepancy is received, verify that the credit or background report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed is accurate.


4.4.1 This policy will be published in the University Policy Manual that is available on the website http://policy.appstate.edu/Policy_Manual.  Covered Employees are informed of the Policy and their responsibilities at the following times:  annually upon hire, when policy revisions affect the requirements of Covered Employees, when the Covered Employee applies for external funding, and when a Covered Employee is found not in compliance with this policy or a Conflict of Interest management plan. 
=== Response to Red Flags ===


4.4.2 Covered Individuals who are not Covered Employees are informed of this policy and their responsibilities by the Office of Sponsored Programs when a Principal Investigator/Project Director of any PHS proposal or grant identifies Senior/Key Personnel who are not Covered Employees.  
4.3.1 Once potentially fraudulent activity is detected, an employee must act promptly to protect individuals and the University from damages and loss. At a minimum, the employee must gather all related documentation, write a description of the situation, and present this information to the program administrator.


4.4.3 Forms will be distributed by the COI Coordinator each year, and by the Office of Sponsored Programs whenever an employee applies for external funding.
4.3.2 The program administrator will complete additional investigation if necessary to determine whether the attempted transaction was fraudulent or authentic.


=== Policy Implementation ===
4.3.3 If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include (1) canceling the transaction; (2) notifying and cooperating with appropriate law enforcement personnel; (3) determining the extent of liability of the University; and (4) notifying the individual upon whom fraud has been attempted or whose identifying information has been subjected to a security breach.


4.5.1 The Provost is responsible for overseeing the implementation of this policy in all units, including the process and mechanism for conflict disclosure, evaluation, and management.  The Provost designates the General Counsel as the Conflicts of Interest (COI) Coordinator.  The COI Coordinator will solicit, review and evaluate disclosures of financial interests from Covered Persons, and advise DUOs on development and implementation of plans to manage conflicts of interest.
=== Prevention and Mitigation of Identity Theft ===
 
4.5.2 The Chancellor will appoint a standing Conflicts of Interest and Commitment Council consisting of three members appointed by the Chancellor, at least one of whom shall be chosen from EPA non-faculty personnel and four faculty members from a pool jointly recommended by the chair of the Faculty Senate and the CRO. The Chancellor shall appoint the chair of the Council.


4.5.3 The Council will review policies, management plans and other Conflicts of Interest or Commitment matters upon request of any dean, vice chancellor or the Chancellor and make recommendations to the referring official.  Covered Persons directly affected by an existing or proposed management plan will be given notice and the opportunity to respond in person and in writing to the issues raised in the course of such management plan reviews. Any such written response will be appended to the Council's report for review by the referring official.
In the event University personnel detect any identified red flags, such personnel shall take one or more of the following steps to prevent and mitigate identity theft, depending on their determination of the degree of risk posed by the red flag:


4.5.4 Covered Persons have the right to appeal determinations of their Conflicts of Interests, requirements of a management plan, and determinations of noncompliance with this policy to the Faculty Grievance Hearing Committee pursuant to section [http://facultyhandbook.appstate.edu/ 4.11.3 of the Faculty Handbook].
#Continue to monitor a covered account for evidence of identity theft; 
#Contact the individual or applicant (for whom a credit or background report was run);
#Change any passwords or other security devices that permit access to covered accounts;
#Refuse to open a new covered account;
#Provide the individual with a new individual identification number;
#Notify the program administrator for determination of the appropriate step(s) to take;
#Notify appropriate law enforcement personnel;
#File or assist in filing a Suspicious Activity Report ("SAR") with the Financial Crimes Enforcement Network, United States Department of the Treasury; and/or
#Determine that no response is warranted under the particular circumstances.  


4.5.5 The Council may promulgate rules of procedure for its operations. When promulgated, these rules shall constitute the exclusive formal procedures for the adjudication of appeals herein described.
==== Protect Identifying Information ====


4.5.6 The primary device for monitoring compliance with this policy is the reporting form designed to reveal income sources, business relationships and activities that may suggest the existence or appearance of a Conflict of Interest or Commitment. Covered Persons must amend or supplement such disclosure forms in a timely manner, but in no event more than 30 days following notice, to reflect new developments after submission of the reporting form.
In order to further prevent the likelihood of identity theft occurring with respect to covered accounts, the University will take the following steps to protect individual identifying information:


4.5.7 The COI Coordinator will carefully document and maintain sufficient records of all transactions associated with this policy.
#Ensure that its website is secure or provide clear notice that the website is not secure;
#Ensure complete and secure destruction of paper documents and computer files containing individual account information when a decision has been made to no longer maintain such information;
#Ensure that office computers with access to covered account information are password protected;
#Ensure that laptops are password protected and encrypted;
#Avoid use of social security numbers;
#Ensure the security of the physical facility that contains covered account information;
#Ensure that transmission of information is limited and encrypted when necessary;
#Ensure computer virus protection is up to date; and
#Require and keep only the kinds of individual identifying information that are necessary for University purposes.


=== Procedures for Submission of Reporting Form ===
=== Additional Identity Theft Prevention Measures ===
#All Covered Persons, including part-time employees and employees on leave if the leave is funded at least partially from University sources, are required to complete and submit the Reporting Form to the COI Coordinator annually before October 1 each year on a schedule announced by the Provost. Covered Employees are encouraged to seek assistance from their respective Department Chairs or supervisors, Deans or Directors, or the Office of General Counsel with questions or special circumstances.
==== Hard Copy Distribution ====
#Updated forms must be submitted to the COI Coordinator  under the following circumstances:
Each employee and contractor performing work for the University will comply with the following procedures:
##prior to applying for external funding or participating in externally-funded research or other programs;
##when assuming new University Employment Responsibilities; 
##when external relationships change and give rise to a potential conflict of interest, eliminate a potential conflict previously disclosed, or result in an affirmative answer to any question previously answered in the negative on the Reporting Form.
#The Office of Sponsored Programs is responsible for informing the COI Coordinator and the Department Chair or supervisor of the need for new or updated Reporting Forms for Covered Persons submitting proposals for external funding.
#The Reporting Form contains information that may have a direct bearing on the individual's employment. The forms, therefore, will be maintained confidentially in a database with access limited to University employees having a need to know the disclosed information.
#Covered Individuals participating in any project funded by the PHS should be aware that, as a condition of such participation, the PHS will have access to the employee’s Reporting Form at any time during the project and for a period of three years after the submission of a final expenditures report for that project to the PHS.  Except as otherwise noted in this policy for PHS Significant Financial Interests that are identified as PHS Financial Conflicts of Interest, the information disclosed in the Reporting Form is available only to individuals duly charged with the responsibility for review and conflict management, and the information may be released only in accordance with and as required or allowed by North Carolina law or lawful court order.


=== Review and Approval of Conflict of Interest/Commitment Reporting Form ===
#File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with identifying information will be locked when not in use.
#Storage rooms containing documents with identifying information and record retention areas will be locked at the end of each workday or when unsupervised.
#Desk workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing identifying information when not in use.
#Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common shared work areas will be erased, removed, or shredded when not in use.
#When documents containing identifying information are discarded, they will be placed inside a locked shred bin or immediately shredded using a mechanical cross cut or Department of Defense-approved shredding device. Locked shred bins are labeled "Confidential paper shredding and recycling."


4.7.1 Each Department Chair or other supervisor of a Covered Employee is responsible for ensuring that the Covered Employee Department Chair or supervisor’s unit has submitted a completed Reporting Form to the COI Coordinator.  The Office of Sponsored Programs is responsible for informing the COI Coordinator and the Department Chair or supervisor if updated forms are not provided before a PHS proposal or NSF proposal is submitted.
=== Program Administration ===
==== Oversight ====
The responsibility for developing, implementing and updating this Program lies with the program administrator designated by the Chancellor. The program administrator shall be responsible for ensuring appropriate training of University staff on the Program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.


4.7.2 The COI Coordinator is responsible for the initial review and evaluation of the Reporting Forms following the provisions of this policy.  The COI Coordinator will consult with the Covered Person, and the Covered Person’s Department Chair or supervisor, Dean, Vice Chancellor or Chancellor, as appropriate, regarding any potential Conflicts of Interest or Conflicts of Commitment of Covered Persons.  
==== Staff Training ====
University employees responsible for implementing the Program shall be trained under the direction of the program administrator in the detection of red flags and the responsive steps to be taken when a red flag is detected.


4.7.3 The appropriate Dean or Vice Chancellor, or the Chancellor, may at any time request that the COI Coordinator perform a de novo review of any Reporting Form and related circumstances.  Following the review, the COI Coordinator will provide a written report to the referring official.  
==== Reports ====
Appropriate staff shall report to the program administrator at least annually on compliance with this Program. The report shall address matters such as the effectiveness of the policies and procedures of the University in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and the University's response; and recommendations for material changes to the Program.


4.7.4 A Conflict of Interest exists when the DUO determines that the Covered Person’s personal considerations, Financial Interests or commitments could directly and significantly affect the Covered Person’s performance of University Employment Responsibilities or PHS Responsibilities.
==== Service Provider Arrangements ====
In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University will take the following steps to ensure the service provider performs its obligations in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft, including the following:


=== Identification and Management of Conflicts of Interest/Commitment ===
#Require, by signed contract, that service providers have such policies and procedures in place; and
#Once a Conflict of Interest is identified, COI Coordinator coordinates with the Covered Person’s Department Chair or supervisor to collect all relevant information necessary to make an informed judgment on the matter and shares this information with the Covered Person’s DUO for a final determination.
#Require, by signed contract, that service providers review the University's Program and report any red flags to the program administrator.  
#The DUO may conclude:
##a conflict appears to exist, but the nature and degree of conflict are not significant and do not warrant action beyond the initial disclosure and documentation;
##a conflict of interest exists that may be mitigated through a management plan; or
##a conflict of interest exists and the activities are not allowable under any circumstances.
#The DUO refers identified Conflicts of Interest/Commitment that may be allowable to the Conflict of Interest/Commitment Council for recommendations on whether a conflict of interest management plan can mitigate the conflict, and if applicable, the elements required in a conflict of interest management plan.
#With recommendations from the Conflicts of Interest and Commitment Council, the DUO is responsible for drafting, approving, and implementing any Conflict of Interest management plan. 
#Management plans may include, but are not limited to:
##Requiring public disclosure of financial interests.
##Requiring that the research or other activity be monitored by neutral, independent reviewers.
##Requiring modification of the research plan or work plan.
##Requiring that an individual with a conflicting interest be disqualified from participation in a particular project or activity or specified parts of the project or activity.
##Requiring divestiture or severance of significant financial or other interests which create conflict with the individual's University Employment Responsibilities or PHS responsibilities.
#Documentation of the management plan must include, at a minimum, the following information:
##The name of the Covered Person who has the conflict of interest.
##The name of the entity with which the Covered Person has an interest that may conflict with University interests.
##The nature of the conflict of interest (e.g., equity interest, consulting fee, travel reimbursement, honorarium)
##The value of the financial interest or a statement that the interest is one whose value cannot be readily determined through reasonable measures of fair market value.  The value may be reported as falling within one of the following ranges:  $0 to $4,999; $5,000 to $9,999; $10,000 to $19,999; $20,000 to $100,000 by increments of $20,000; and amounts above $100,000 by increments of $50,000.
##A description of the key elements of the management plan including
###The conditions of the management plan
###Confirmation of the Covered Person’s agreement to the management plan
###How the management plan will be monitored to ensure compliance by the Covered Person
###Other information as needed
##If applicable, the project number(s) of any federally funded projects that the DUO feels are related to the conflict
##If applicable, the title of each such project
##If applicable, the name(s) of the Principal Investigator(s) or Project Director(s) on any such project(s)
##If applicable, the following additional information about the management plan:
###A description of how the financial interest relates to any federally funded project and the basis of the decision that the financial interest conflicts with University interests in the project
###The role and principal duties of the Covered Person in each such project
###A description of how the management plan is designed to safeguard objectivity in the research project(s)
#The COI Coordinator reports all identified Conflicts of Interest and associated Management Plans to the Provost, CRO and Director of Sponsored Programs if the conflict involves a grant or contract. The Director of Research Protections has access to all disclosures and management plans which involve a protocol under review by the Institutional Review Board, Institutional Animal Care and Use Committee, and Institutional Biosafety Council and these may be shared confidentially with the body reviewing protocols.
#The Office of Sponsored Programs is responsible for sending initial, annual, and revised Financial Conflicts of Interest reports with all elements required by the regulations to the PHS and its subrecipients, and external sponsors, if applicable.


=== Policy Breaches and Noncompliance ===
==== Program Updates ====
The program administrator shall review and update this Program at least annually to reflect changes in risks to individuals and the University from identity theft. In doing so, the program administrator shall consider the University's experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the University's business arrangements with other entities.


4.9.1 As employees with a primary commitment to the University, it is the responsibility of each Covered Person to ensure that a conflict of interest or commitment (or the reasonable perception thereof) does not occur or is managed appropriately.  The appropriate funding agency (or agencies) sponsoring the activity will be notified in the event that any employee has a conflict of interest that involves a project funded by the agency.
== Additional References ==
This Program incorporates by reference the following policies and procedures:


4.9.2 The Provost or the Provost’s designee will review all reports of breaches of this policy, and may refer such reports to the Conflicts of Interest and Commitment Council for review and recommendations. The University may take appropriate disciplinary or other action in accordance with University policies when a Covered Person does not (a) report or resolve an identified conflict (or appearance thereof); (b) comply with the conflict evaluation process (by refusal to respond, by responding knowingly with incomplete or inaccurate information, or otherwise); (c) remedy conflicts; or (d) comply with a prescribed management plan. Retaliation against any person who reports a  violation of this policy or who participates in an investigation of an alleged violation of this policy is prohibited, and may be the basis for discipline up to and including dismissal.
#[http://support.appstate.edu/about/computer-use-policy Policy on the Use of Computers and Data Communication]
#[http://www.nss.appstate.edu/standards/open-servers-vlan-policy Computer Systems Security Policy]
#[http://www.nss.appstate.edu/standards/remote-access-policy University Remote Access Policy]
#[http://www.nss.appstate.edu/standards/trusted-access-policy Trusted Access Policy]
#[http://www.nss.appstate.edu/standards/risk-assessment-policy Risk Assessment Policy]
#[http://www.nss.appstate.edu/standards/vpn-policy Virtual Private Network (VPN) Policy]
#[http://www.nss.appstate.edu/standards/wireless-networking-policy Wireless Networking Policy]
#[http://www.nss.appstate.edu/standards/wireless-trusted-network-policy Wireless to Trusted Network Policy]
#[https://password.appstate.edu/pswdchgform/Confidentiality_Policy.aspx Confidentiality Statement]


4.9.3 If a breach of this policy involves a sponsored program, the CRO will investigate whether the Covered Person’s failure to comply with this policy has biased the design, conduct of, or reporting on the  program.  If bias is found, the CRO will take appropriate action to address the matter within the University and promptly notify the awarding agency of corrective action taken or to be taken.
== Authority ==


== Additional References ==
16 CFR Part 681
Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159


:[http://policy.appstate.edu/images/1/14/20120824_COI_C_form_fillable.pdf Conflicts of Interest and Commitment Reporting Form - Faculty/Staff]
North Carolina General Statutes, Chapter 75, Article 2A
:[http://policy.appstate.edu/File:COI_Addendum_for_PHS_investigators.pdf Conflicts of Interest and Commitment Reporting Form - PHS Investigators]
:[http://policy.appstate.edu/Intellectual_Property_Transfer Intellectual Property Transfer Policy]
:[http://policy.appstate.edu/External_Professional_Activities_of_Faculty_and_Other_Professional_Staff External Professional Activities of Faculty and Other Professional Staff Policy]


== Authority ==
== Contact Information ==
:[http://grants.nih.gov/grants/compliance/42_cfr_50_subpart_f.htm 42 CFR Part 50]
:[http://www.ncleg.net/gascripts/statutes/StatutesTOC.pl?Chapter=0138A N.C.G.S. 14-234; N.C.G.S. Chapter 138A]
:[http://intranet.northcarolina.edu/docs/legal/policymanual/300.2.2.1%5BR%5D.pdf The UNC Policy Manual, 300.2.2, 300.2.2 G, and 300.2.2.1R]


== Contact Information ==
:Office of General Counsel--828-262-2751
:Office of Sponsored Programs--828.262.2130


== Effective Date ==
== Effective Date ==
:November 9, 2012


== Revision Dates ==
== Revision Dates ==
[[Category:Contents]]
[[Category:Human Resources]]
[[Category:Conflicts of Interest and Commitment]]

Revision as of 14:10, 24 May 2012

Policy 105.5

Introduction

Program Adoption

1.1.1 As a best practice and using as a guide the Federal Trade Commission's Red Flags Rule (16 CFR Part 681, implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159) and North Carolina General Statutes, Chapter 75, Article 2A, Appalachian State University (the "University") has developed an Identity Theft Prevention Program (the "Program") described below. This Program was developed with oversight and approval of the Board of Trustees of Appalachian State University (the "Board"). After consideration of the size and complexity of the University's operations and account systems, and the nature and scope of the University's activities, the Board determined that this Program was appropriate for the University, and approved it on September 24, 2010 (the "Effective Date"). The purpose of this Program is to detect, prevent and mitigate identity theft in connection with any covered account. This Program envisions the implementation of policies and procedures subject to the Chancellor's approval in order to achieve these goals.

Scope

2.1 All University personnel whose employment duties require or allow access to identifying information of other employees or students are responsible for implementing this Program.

Definitions

"Covered Account"

  1. any account that constitutes a continuing financial relationship or is designed to permit multiple payments or transactions between the University and a person for a service, such as extension of credit, debit cards, Perkins Loans, Federal Family Education Loan Program (FFELP), institutional loans, accounts covered by the Health Insurance Portability and Accountability Act (HIPAA), deposit accounts, scholarship accounts, student accounts, and tuition payment plans.
  2. any other account that the University offers or maintains for which there is a reasonably foreseeable risk to holders of the account or to the University from identity theft, such as use of consumer reports for employee background checks, credit applications and institutional debit card applications. This may include operations of utilities (e.g., New River Light & Power Company), clinical and research activities, and public service activities.

Identifying Information

means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to:
  1. name
  2. address
  3. telephone number
  4. social security number
  5. date of birth
  6. government-issued driver's license or identification number
  7. alien registration number
  8. government passport number
  9. employer or taxpayer identification number
  10. individual identification number
  11. computer's Internet Protocol address
  12. bank or other financial account routing code

Identity Theft

means a fraud committed or attempted using the identifying information of another person without authority [16 CFR 603.2(a)].

Program Administrator

means the individual designated with primary responsibility for oversight of this Program.

Red Flag

means a pattern, practice, alert or specific activity that indicates the possible existence of identity theft.

Service Provider

means a person or entity that provides a service directly to the University.

Policy and Procedure Statements

Identification of Red Flags

4.1.1 In order to identify relevant red flags, the University considers the types of covered accounts it offers or maintains, the methods it provides to open its covered accounts, the methods it provides to access its covered accounts, and its previous experiences with identity theft. Red flags may be detected while implementing existing account opening and servicing procedures (example: individual identification, caller authentication, third party authorization, and address changes).

4.1.2 The University identifies the following as red flags in each of the listed categories:

  1. Notifications and warnings from consumer reporting agencies
    1. Report of fraud accompanying a credit report;
    2. Notice or report from a credit agency of a credit freeze on an applicant;
    3. Notice or report from a credit agency of an active duty alert for an applicant;
    4. Receipt of a notice of address discrepancy in response to a credit report request; and
    5. Indication from a credit report of activity that is inconsistent with an applicant's usual pattern or activity
  2. Suspicious documents
    1. Identification document or card that appears to be forged, altered or inauthentic;
    2. Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document;
    3. Other document with information that is not consistent with existing individual information; and
    4. Application that appears to have been altered or forged.
  3. Suspicious personal identifying information
    1. Identifying information that is inconsistent with other information the individual provides (example: inconsistent birth dates);
    2. Identifying information that is inconsistent with other sources of information (example: an address not matching an address on a loan application);
    3. Identifying information that is the same as information shown on other applications that were found to be fraudulent;
    4. Identifying information that is consistent with fraudulent activity (examples: an invalid phone number or fictitious billing address);
    5. Social security number that is the same as one given by another individual;
    6. An address or phone number that is the same as that of another person;
    7. A person fails to provide complete personal identifying information on an application when reminded to do so; and
    8. A person's identifying information is not consistent with the information that is on file for the individual.
  4. Suspicious covered account activity
    1. Change of address for an account followed by a request to change the individual's name;
    2. Payments stop on an otherwise consistently up-to-date account;
    3. Account used in a way that is not consistent with prior use;
    4. Mail sent to the individual is repeatedly returned as undeliverable;
    5. Notice to the University that an individual is not receiving mail sent by the University;
    6. Notice to the University that an account has unauthorized activity;
    7. Breach in the University's computer system security; and
    8. Unauthorized access to or use of individual account information.
  5. Alerts from others
    1. Notice to the University from an identity theft victim, law enforcement officer or other person that the University has opened or is maintaining a fraudulent account for a person engaged in identity theft.

Detection of Red Flags

Student Enrollment

4.2.1.1 In order to detect any of the red flags identified above associated with the enrollment of a student, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:

  1. Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
  2. Verify the individual's identity at time of issuance of individual identification card (example: review of driver's license or other government-issued photo identification).

New Customers or Clients

4.2.2.1 In order to detect any of the red flags identified above associated with service to a new customer or client, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:

  1. Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
  2. Verify the individual's identity at time of issuance of individual identification card (example: review of driver's license or other government-issued photo identification).

Existing Accounts

4.2.3.1 In order to detect any of the red flags identified above for an existing covered account, University personnel shall take the following steps to monitor transactions on an account:

  1. Verify the identification of individuals if they request information (in person, via telephone, via facsimile, via email);
  2. Verify the validity of requests to change billing addresses by mail or email and provide the individual a reasonable means of promptly reporting incorrect billing address changes; and
  3. Verify changes in banking information given for billing and payment purposes.

Consumer ("Credit") Report Requests

In order to detect any of the red flags identified above in regard to an employment or volunteer position for which a credit or background report is sought, University personnel shall take the following steps to assist in identifying address discrepancies:

  1. Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
  2. In the event that notice of an address discrepancy is received, verify that the credit or background report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed is accurate.

Response to Red Flags

4.3.1 Once potentially fraudulent activity is detected, an employee must act promptly to protect individuals and the University from damages and loss. At a minimum, the employee must gather all related documentation, write a description of the situation, and present this information to the program administrator.

4.3.2 The program administrator will complete additional investigation if necessary to determine whether the attempted transaction was fraudulent or authentic.

4.3.3 If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include (1) canceling the transaction; (2) notifying and cooperating with appropriate law enforcement personnel; (3) determining the extent of liability of the University; and (4) notifying the individual upon whom fraud has been attempted or whose identifying information has been subjected to a security breach.

Prevention and Mitigation of Identity Theft

In the event University personnel detect any identified red flags, such personnel shall take one or more of the following steps to prevent and mitigate identity theft, depending on their determination of the degree of risk posed by the red flag:

  1. Continue to monitor a covered account for evidence of identity theft;
  2. Contact the individual or applicant (for whom a credit or background report was run);
  3. Change any passwords or other security devices that permit access to covered accounts;
  4. Refuse to open a new covered account;
  5. Provide the individual with a new individual identification number;
  6. Notify the program administrator for determination of the appropriate step(s) to take;
  7. Notify appropriate law enforcement personnel;
  8. File or assist in filing a Suspicious Activity Report ("SAR") with the Financial Crimes Enforcement Network, United States Department of the Treasury; and/or
  9. Determine that no response is warranted under the particular circumstances.

Protect Identifying Information

In order to further prevent the likelihood of identity theft occurring with respect to covered accounts, the University will take the following steps to protect individual identifying information:

  1. Ensure that its website is secure or provide clear notice that the website is not secure;
  2. Ensure complete and secure destruction of paper documents and computer files containing individual account information when a decision has been made to no longer maintain such information;
  3. Ensure that office computers with access to covered account information are password protected;
  4. Ensure that laptops are password protected and encrypted;
  5. Avoid use of social security numbers;
  6. Ensure the security of the physical facility that contains covered account information;
  7. Ensure that transmission of information is limited and encrypted when necessary;
  8. Ensure computer virus protection is up to date; and
  9. Require and keep only the kinds of individual identifying information that are necessary for University purposes.

Additional Identity Theft Prevention Measures

Hard Copy Distribution

Each employee and contractor performing work for the University will comply with the following procedures:

  1. File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with identifying information will be locked when not in use.
  2. Storage rooms containing documents with identifying information and record retention areas will be locked at the end of each workday or when unsupervised.
  3. Desk workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing identifying information when not in use.
  4. Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common shared work areas will be erased, removed, or shredded when not in use.
  5. When documents containing identifying information are discarded, they will be placed inside a locked shred bin or immediately shredded using a mechanical cross cut or Department of Defense-approved shredding device. Locked shred bins are labeled "Confidential paper shredding and recycling."

Program Administration

Oversight

The responsibility for developing, implementing and updating this Program lies with the program administrator designated by the Chancellor. The program administrator shall be responsible for ensuring appropriate training of University staff on the Program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.

Staff Training

University employees responsible for implementing the Program shall be trained under the direction of the program administrator in the detection of red flags and the responsive steps to be taken when a red flag is detected.

Reports

Appropriate staff shall report to the program administrator at least annually on compliance with this Program. The report shall address matters such as the effectiveness of the policies and procedures of the University in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and the University's response; and recommendations for material changes to the Program.

Service Provider Arrangements

In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University will take the following steps to ensure the service provider performs its obligations in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft, including the following:

  1. Require, by signed contract, that service providers have such policies and procedures in place; and
  2. Require, by signed contract, that service providers review the University's Program and report any red flags to the program administrator.

Program Updates

The program administrator shall review and update this Program at least annually to reflect changes in risks to individuals and the University from identity theft. In doing so, the program administrator shall consider the University's experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the University's business arrangements with other entities.

Additional References

This Program incorporates by reference the following policies and procedures:

  1. Policy on the Use of Computers and Data Communication
  2. Computer Systems Security Policy
  3. University Remote Access Policy
  4. Trusted Access Policy
  5. Risk Assessment Policy
  6. Virtual Private Network (VPN) Policy
  7. Wireless Networking Policy
  8. Wireless to Trusted Network Policy
  9. Confidentiality Statement

Authority

16 CFR Part 681

Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159

North Carolina General Statutes, Chapter 75, Article 2A

Contact Information

Effective Date

Revision Dates