PURPOSE OF THIS POLICY
Colorado State University collects personal information of a sensitive nature to facilitate and enable its business and academic functions. Unauthorized access to such information may have significant negative consequences, including exposing those associated with the university to the risk of identity theft, and adversely affecting the reputation of the University. In addition, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Colorado House Bill 03-1175 (the “non-SSN” legislation), the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard, and other legislation require various classes of information to be protected from unauthorized access. The University Policy on IT Security addresses security measures for protecting sensitive data. This policy addresses access to and use of certain sensitive information stored in paper or electronic form.
APPLICATION OF THIS POLICY
This policy sets out best practices that are to be applied comprehensively across the University, including by third parties accessing University information. Units that own the record are responsible for implementing their aspects of this policy. All users who access sensitive digital information must also conform to this policy.
DEFINITIONS USED IN THIS POLICY
Sensitive personal information includes social security number information, personally identifiable health information, personally identifiable financial information including credit card information, personnel and student performance information, proprietary research and academic information, student and staff ID photos, and any other sensitive personal information that through disclosure may adversely affect an individual and/or the University.
Family Educational Rights and Privacy Act (FERPA): Federal law protecting students’ education records from disclosure by the University to anyone other than the student without the student’s consent, unless a specific exception applies.
RamCard: the official student and employee identification card issued by the University, including the official digital photo, the “RamCard ID Photo.”
It is Colorado State University's policy to collect and store the least amount of personally identifiable information required to fulfill its required duties and responsibilities, or to complete a particular transaction or as required by law. This policy applies to the collection and storage of all personally identifiable information, regardless of the source or medium.
For site administration functions, information (other than personal information linked to a particular individual) is collected for analysis and statistical purposes related to website navigation. This information is used to help diagnose problems, assess what information is of most interest, determine technical design specifications, identify system performance or problem areas, and support other administrative functions. Such information is not subject to this policy but is covered by the IT Security Policy.
Students may choose whether or not to provide personal information to Colorado State University via the Internet. If a student chooses not to provide the personal information requested, the student may still visit most of Colorado State University's websites, but may be unable to access certain options, offers, and services.
The digital student identification picture, the RamCard ID photo, is considered personally identifiable information within the education record of the student. Student identification photos are provided digitally for use by course instructors and other CSU faculty and staff who have a legitimate educational purpose to view student education records. These photos are not “directory information” under the FERPA policy, and may not be released to anyone without permission of the student, except in accordance with this policy. They must be secured using the same safeguards as other private and sensitive information.
Employees also have a reasonable expectation of privacy with respect to their RamCard ID photos.
- De Minimis Access: The amount of sensitive personal information collected and stored shall be the minimum amount required for the efficient and effective conduct of business and academic functions. Access to sensitive personal information shall be limited to only those needing access for legitimate business or academic purposes. Periodically, individual access shall be reviewed to be in conformance with this policy.
- Units are responsible for ensuring that all of their paper, non-paper and electronic records containing sensitive personal information are secured as required under the CSU IT Security Policy and protected from unauthorized access.
- Periodically, units shall review their policies, operations, forms, archives and other associated functions to ensure they are in conformance with this policy.
- Reasonable and prudent efforts shall be made to isolate and protect sensitive personal information in physical form from unauthorized access, for example by keeping it in locked filing cabinets, behind locked doors, or under suitable IT security measures.
- Social security numbers (SSNs) shall not be used as the primary numeric identifier for individuals. This particular policy applies to all forms of information, both electronic and non-electronic, including identification cards. See the University Policy on Social Security Numbers.
- RamCard ID Photos:
  - Access to and use of official RamCard ID photos are permitted for legitimate educational and business purposes only. Access or use for personal reasons, and any unauthorized access, use, or redistribution, is not permitted.
  - Direct access to the University’s electronic systems that store digital ID photos must be pre-approved in writing by the Vice President for Information Technology, who shall constitute a small, ad hoc committee to review such requests. Requests must be made to the Advisory Committee for Administrative Applications (ACAdA) using the application for such access provided in Appendix A. Considerations for approval will include the business need for access, especially inherent benefits; commitment to complying with these policy provisions, including the quality of the protections to be implemented to ensure IT security, privacy, and proper data disposal; and the effort involved in granting access and in implementing such protections.
  - Before access or use, departments are required to provide relevant employees a copy of this policy and ensure they understand these provisions, so that the privacy of students and employees is protected.
  - Access and use shall be controlled via an approved login and password as specified in the CSU IT Security Policy.
  - Files containing digital ID photos shall not be copied or shared in any manner except as specifically authorized herein in advance.
  - Viewing digital photographs shall be done in a discreet manner, so that the photos are reasonably viewable only by authorized personnel.
COMPLIANCE WITH THIS POLICY
Abuse or misuse of RamCard ID photos shall be reported to the Office of the Vice President for Information Technology. Violation of this policy may result in revocation of access without notice, and may be subject to disciplinary consequences, and/or legal action.
The Information Technology Executive Committee (ITEC) is responsible for this policy, including initiating modifications and changes as necessary to remain current with technological and legal requirements.
CSU Privacy Statement and Related Information
CSU Policy on Information Technology Security
CSU Policy on Social Security Numbers
Version 1.0 Approved by ITEC: July 8, 2004
Version 1.1 Approved by ITEC: July 21, 2005
Version 2.0 Approved by ITEC: May 10, 2017 (by Rick Miranda, Provost/Executive Vice President)