Policies of Colorado State University
University Policy
Policy Title: Information Collection and Personal Records Privacy
Category: Information Technology
Owner: Vice President for Information Technology
Policy ID#: 4-1018-007
Contact:
Original Effective Date: 7/21/2005
Last Revision: 2/10/2019
Supersedes Policy ID#: 4-1018-001
PURPOSE OF THIS POLICY
Colorado State University collects personal information to facilitate and enable its business and academic functions. Unauthorized access to such information may have significant negative consequences, including exposing those associated with the university to risk of identity theft, and adversely affecting the reputation of the University. In addition, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Colorado House Bill 03-1175 (the “non-SSN” legislation), Colorado House Bill 18-1128 (the consumer data privacy legislation), the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI DSS), the European Union’s General Data Protection Regulation (GDPR), and other regulations require various classes of information to be protected from unauthorized access, and treated with the utmost circumspection. The University Policy on IT Security addresses security measures for protecting personally identifiable information. This policy addresses access to and use of certain personally identifiable information stored in paper or electronic form.
APPLICATION OF THIS POLICY
This policy encompasses best practices that are in general to be applied comprehensively at the University, including third parties accessing University information. Each unit which owns or is responsible for any electronic information is responsible for implementing this policy. All users who access personally identifiable information must also conform to this policy.
DEFINITIONS USED IN THIS POLICY
Personally Identifiable Information (PII): Information excluding directory information that, if disclosed alone or in combination with other available information, would make it possible to identify an individual to whom the information pertains. This includes items such as a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver's license or identification card number; a government passport number; biometric data, such as defined in C.R.S. § 24-73-103(1)(a); an employer, student, or military identification number; a financial transaction device as defined in C.R.S. § 18-5-701(3); grades, financial/account information; CSU ID photo; class and work schedules; residency status; class rank; age; birth date and place of birth; and all such sensitive personal information as defined further herein.
Sensitive personal information: Includes social security numbers, personally identifiable health information, personally identifiable financial information including credit card information, driver’s license information, personal employment and student performance information; proprietary research and academic information, third-party proprietary information, FERPA-protected non-directory information and any other information that through disclosure would adversely affect an individual or besmirch the reputation of the University.
Family Educational Rights and Privacy Act (FERPA): Federal law protecting students’ education records from disclosure by the University to anyone other than the student without the student’s consent, unless a specific exception applies.
RamCard: the official student and employee identification card issued by the University, including the official digital photo, the “RamCard ID Photo.”
POLICY STATEMENT
It is Colorado State University's policy to collect and store the least amount of personally identifying information required to fulfill its required duties and responsibilities, or to complete a particular transaction, or as required by law. This policy applies to the collection and storage of all personally identifiable information, regardless of the source or medium.
For website administration functions, information (other than personally identifiable information linked to a particular individual) is collected for analysis and statistical purposes or to support and facilitate navigation. This information is used to help diagnose problems, assess what information is of most interest, determine technical design specifications, identify system performance or problem areas, to maintain a connection as one browses across web pages and web services, and for other administrative functions. Similar information is also maintained on network logs, which we are required to maintain for law enforcement purposes. However, logging information of these types is maintained in highly secure environments, data are disposed of as allowable under our operational and legal responsibilities, and such data are strictly protected and never shared with anyone outside of CSU. Logging information is not subject to this policy but is covered under the IT Security Policy.
Students may choose whether or not to provide personally identifiable information to Colorado State University via the Internet. If a student chooses not to provide the personally identifiable information requested, the student may still visit most of Colorado State University's websites, but may be unable to access certain options, offers, and services. In certain extreme cases, the student may not be able to enroll at CSU.
The digital student identification picture, the RamCard ID photo, is considered sensitive personally identifiable information within the education record of the student. Student identification photos are provided digitally for use by course instructors and other CSU faculty and staff who have a legitimate educational purpose to view student education records. These photos are not “directory information” under the CSU FERPA policy, and may not be released to anyone without permission of the student, except in accordance with this policy. They must be secured using the same safeguards as other private and sensitive information.
Employees also have a reasonable expectation of privacy with respect to their RamCard ID photos.
POLICY PROVISIONS
- Principle of Least Privilege: The amount of personally identifiable information collected and stored shall be the minimum amount required for the efficient and effective conduct of business and academic functions. Access to sensitive personal information shall be limited to only those needing access for legitimate business or academic purposes, and only to the minimum amount required for business purposes. Periodically, individual access may be reviewed to be in conformance with this policy.
- Units are responsible for ensuring that all of their paper, non-paper and electronic records containing personally identifiable information are secured as required under the CSU IT Security Policy and protected from unauthorized access.
- Periodically, units shall review their policies, operations, forms, archives and other associated functions to ensure they are in conformance with this policy.
- Reasonable and prudent efforts shall be made to isolate and protect personally identifiable information in physical form from unauthorized access, for example by using locked filing cabinets, locked doors, suitable IT security measures, etc.
- Social security numbers (SSNs) shall not be used as the primary numeric identifier for individuals. This particular policy applies to all forms of information, both electronic and non-electronic, including identification cards. See the University Policy on Social Security Numbers.
- RamCard ID Photos:
  - Access to and use of official RamCard ID photos are permitted for legitimate educational and business purposes only. Access or use for personal reasons, and any unauthorized access or use, or redistribution, is not permitted.
  - Direct access to the University’s electronic systems that store digital ID photos must be pre-approved in writing by the Vice President for Information Technology, who shall constitute a small, ad hoc committee to review such requests. Requests must be made to the Advisory Committee for Administrative Applications (ACAdA) using the application for such access provided by the Information Systems Department. Considerations for approval shall include the business need for access, especially inherent benefits, a commitment to complying with these policy provisions, including the quality of the protections to be implemented to ensure IT security and privacy, and proper data disposal, and the effort involved in granting access and in implementing such protections.
  - Before access or use, departments are required to provide relevant employees a copy of this policy and ensure they understand these provisions to ensure protection of the privacy of students and employees.
  - Access and use shall be controlled via an approved login and password as specified in the CSU IT Security Policy.
  - Files containing digital ID photos shall not be copied or shared in any manner except as specifically authorized herein in advance.
  - Viewing digital photographs shall be done in a manner that is discreet, reasonably viewable only by authorized personnel.
- Disposal of Records: All records containing personally identifiable information held by the University, any department or unit of the University, or any person or entity acting for the University must be properly disposed of when the applicable retention period has ended and the record is no longer needed, in accordance with the CSU Policy on Records Retention. As used herein, “disposed of” includes rendering the personally identifiable information in the record unreadable or indecipherable by any means whatsoever.
COMPLIANCE WITH THIS POLICY
Abuse or misuse of personally identifiable information shall be reported to the Office of the Vice President for Information Technology. Violation of this policy may result in revocation of access without notice, and violators may be subject to disciplinary consequences, and/or legal action. Criminal liability can also arise for violations of applicable laws.
POLICY GOVERNANCE
The Vice President for Information Technology is responsible for this policy, including initiating modifications and changes as necessary to remain current with technological and legal requirements.
REFERENCES
CSU Privacy Statement and Related Information
CSU Policy on Information Technology Security
CSU Policy on Social Security Numbers
CSU Policy on Records Retention
Health Insurance Portability and Accountability Act
Colorado House Bill 03-1175
Payment Card Industry Data Security Standard
European Union’s General Data Protection Regulation
APPROVALS
Approved by ITEC: July 8, 2004
Approved by ITEC: July 21, 2005
Approved by ITEC: May 10, 2017 (by Rick Miranda, Provost/Executive Vice President)
Approved by Lynn Johnson, Vice President for University Operations February 10, 2019