Responsible Executive: Finance and Administration
Approving Official: Vice President for Finance and Administration
Effective Date: February 23, 2016
Last Revision Date: Superseded the Primary Identifier Policy
Florida State University (FSU) takes seriously its obligation to respect and protect the privacy of its students, alumni, faculty and staff, and to safeguard the confidentiality of information important to FSU's mission and vision. This commitment is in accordance with legislated or contractual obligations concerning the use and control of protected or private information. As the custodian of protected and private information, FSU recognizes the importance of safeguarding information resources from loss, misuse, unauthorized access or modification.
This policy is not intended to replace or supersede provisions for protected or private information that are dictated by legislation or contractual provisions.
- FSU-owned computing systems, telecommunication systems, and network assets
- Personally owned computing/storage devices and telecommunication devices
- Computing, storage, telecommunications, or network services procured from third-party vendors including cloud and colocation services.
University units who maintain physical locations or conduct services outside of the United States of America are also responsible for meeting applicable local, national, or regional privacy rules or regulations for those sites.
C. INFORMATION CLASSIFICATION AND DEFINITIONS
For the purpose of this policy, information will be classified as follows:
The Protected classification encompasses information deemed confidential under federal or state law or rules, FSU contractual obligations, or privacy considerations such as the combination of names with respective Social Security Numbers.
The Private classification encompasses information for which the unauthorized disclosure may have moderate adverse effects on the university's reputation, resources, services, or individuals.
The Public classification encompasses information for which disclosure to the public poses negligible or no risk to FSU's reputation, resources, services, or individuals. This is the default classification, and should be assumed when there is no information indicating that information should be classified as private or protected. In addition, certain legislation may specify select information as public.
Data/Information Custodian – the person or team that has operational responsibility for the physical and electronic security of information. Data custodians for electronic data normally include programmers, database administrators, and system administrators.
Data Owner – the head of a unit - dean, director, department head - who is ultimately responsible for that unit’s data resources.
Data Manager – the unit employee(s) to whom the data owner has delegated operational oversight for the unit’s data resources.
“Personally identifiable information (PII)” means any information relating to an individual or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly – in particular, by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
“Education records” are those records that contain information directly related to a student and which are maintained by an educational agency or institution or by a party acting for the agency or institution. See 34 CFR Section 99.3 for a complete definition of “education records” and a list of records that are not included in the definition.
“Protected Health Information (PHI)” refers to demographic information, medical history, test and laboratory results, insurance information and other information that is collected by a health care professional to identify an individual and determine what type of care that individual should receive.
“Data Trustee” – FSU’s executive structure correlates directly with the major categories of university data; thus the following are Data Trustees for their respective areas of responsibility:
- Executive Vice President for Academic Affairs and Provost
- Vice President for Finance and Administration
- Vice President for Student Affairs
- Associate Vice President for Governmental Relations
- Vice President for Research
- Vice President for University Advancement
“Unit Privacy Coordinator” refers to the university unit employee(s) designated by the dean, director, or department head and who is responsible for working with data owners, data managers, information technology staff, and users to coordinate the functions of a unit privacy program.
“University Unit” refers to a school or college and any departments or divisions which are a subdivision of a college or school; centers, facilities, labs, libraries, or programs within a college or school, or as an independent entity; offices; associations; and administrative units.
D. INFORMATION PRIVACY PRINCIPLES
Protected or private information must be safeguarded to maintain the privacy level matching its classification.
- Protected or Private information must be safeguarded.
- Employ the FSU approved terms and conditions when processing protected or private information with third-party entities.
- Collect only protected or private information needed to support a business process.
- Keep protected and private information no longer than required by law or business need.
Disciplinary action for violating this policy could be taken under FSU's current Standards for Disciplinary Action for violation of provisions of FSU Policy.
Unit Privacy Coordinator
Each University unit bears the responsibility to identify and classify the unit’s information and to ensure the following standards are followed for information classified as protected or private.
Each University unit shall designate a Privacy Coordinator who will manage the unit’s privacy program. Functions of the program will include the following:
- Maintaining the information identification and classification documentation of unit protected or private information assets.
- Assessing the unit’s electronic and physical controls for information classified as protected or private to ensure they meet legislated or contracted requirements.
- Ensuring unit staff are trained on this policy, and specific legislated or contracted privacy requirements.
- Ensuring each unit staff member who handles protected or private information signs an Employee Statement of Understanding Regarding Confidentiality.
- Working with legal resources to ensure contracts or agreements contain terms to stipulate adherence to FSU policy, legislation, or contractual safeguarding provisions when protected or private information is processed, transmitted, or stored by a third-party vendor.
FSU will make standardized information privacy training available to Unit Privacy Coordinators and the university in general. This training will provide appropriate privacy training for all faculty, staff, and students.
B. ACCESS AND USE
Authorized Users of Protected or Private Information
Access to FSU information classified as protected or private requires appropriate authorization:
- It is the responsibility of the designated trustee or data owner to authorize access to protected or private information to users or entities as required for them to perform their assigned job duties, to complete a business process, or by contractual obligation.
- For an individual not employed by FSU or third parties who are authorized to view protected or private information as part of a regulatory, academic, or business function, the sharing FSU unit must have a signed Employee Statement of Understanding Regarding Confidentiality on file for individuals or FSU data sharing terms and conditions for third parties. Additionally, background checks may be required prior to granting access to FSU protected or private information.
- The individual whose protected or private information is produced or displayed is authorized to access that information unless restricted by legal or contractual obligations.
- Legal or regulatory requirements may impact who is authorized to access FSU protected or private information.
Confidentiality Statement and Privacy Training
Signed Employee Statement of Understanding Regarding Confidentiality and training are required for FSU personnel with authorization to access or process protected or private information:
- Each FSU position requiring access to protected or private information must be reflected in the position description.
- For each person requiring access to protected or private information, a signed Employee Statement of Understanding Regarding Confidentiality must be maintained on file at the unit and be available for audit. This information may be stored in a digital or paper format.
- Employees designated as having access to select protected information (e.g., HIPAA) may be required to sign agreements acknowledging special confidentiality controls necessary to meet specific legal or contractual privacy requirements. These agreements are in addition to a signed FSU Employee Statement of Understanding Regarding Confidentiality document.
- Each unit must train its employees on the requirements to safeguard protected or private information. This training should occur prior to employee access of protected or private information or as required by legislation or contractual obligation.
- As verification of participation, each University unit must maintain rosters of participants in online or in-person privacy training in an electronic or paper format.
Approved Transfer of Protected or Private Information
The following actions involving protected or private information must be authorized by the responsible Dean, Director, Department Head, or designee and related approval documentation maintained on file at the unit’s central office:
- Transferring protected information between FSU computing resources and third-party vendors or service providers.
- Any transfer of protected information to portable storage, portable computing devices such as laptop computers, tablets or smartphones.
- Allowing system and network administrators to access protected information to perform an approved action to mitigate a system problem or as part of an incident response to a privacy breach investigation.
The General Counsel’s Office maintains guidelines for a response to a legal demand, including a valid subpoena, warrant, or legal order, to meet a legal or contractual order for the transfer of protected information. These guidelines will govern a response, reply, or appearance to a legal demand.
Third-party Access to Protected or Private Information
FSU may choose to contract with a third-party for the collection, storage, or processing of information, including protected or private information. The third-party may offer services in the form of hosting, outsourcing, or private/public cloud computing services.
FSU provides a terms and conditions document containing privacy and security provisions for information sharing agreements involving protected or private information.
Terms and Conditions document: Suggested Contractual Provisions for the External Sharing of FSU Information Classified as Protected or Private.
A third-party contractor should also be contractually obligated to process protected or private information only within the scope of the contract and the directions of FSU. Processing of protected or private information may not be undertaken for any other purpose.
Physical Security Access Restrictions
Offices and storage facilities that maintain protected or private information locally must:
- Ensure that all protected or private information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
- Computer workstations processing, transmitting, or storing protected or private information must be secured by locked rooms when the workspace is unoccupied.
- Any protected or private information should be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day if the room cannot be secured.
- File cabinets containing protected or private information must be kept closed and locked when not in use or when not attended.
- Keys used for access to resources holding protected or private information must not be left at an unattended desk.
- Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
- Printouts containing protected or private information should be immediately removed from the printer in unsecured areas.
- Upon disposal, documents containing protected or private information should be shredded or placed in the locked confidential disposal bins. Electronic media containing protected or private information that is no longer needed should be physically destroyed (e.g., shred, degauss) or wiped by electronic methods to render the information unreadable and unrecoverable as stipulated in National Institute of Standards and Technology Special Publication 800-88 Revision 1, Guidelines for Media Sanitization.
- Whiteboards containing protected or private information should be erased unless they are in secured areas. In addition, whiteboards with protected or private information should not be facing external windows unless blinds are drawn down to prevent unauthorized viewing of content.
- Portable computing devices containing protected or private information such as laptops, phones, tablets, CDROMs, DVDs, USB flash drives should be secured in locked rooms, file cabinets, or locked drawers after normal work hours.
Additional physical privacy controls may also be required by law or contractual obligation for specific information items.
Protected or Private Information Use in Social Media
It is important to recognize that the same laws, policies, rules of conduct and etiquette that apply to all other activities at or concerning FSU govern the use of social media. Because of the powerful ability of social media to broadcast information worldwide, faculty and staff should safeguard all protected or private information – only posting what you have permission to post by law, policy or explicitly.
Faculty, including Professors, Instructors, Adjuncts, and Teaching Assistants, who use social media in courses should consider student privacy carefully, including compliance with the Family Educational Rights and Privacy Act (FERPA). Most information that identifies a student and is maintained by FSU, or by an FSU educator or agent of FSU, is protected under FERPA. This protection extends to postings of any information item considered to be part of a student’s education record on social media course accounts. A signed FERPA release for a specific activity must be retained by the campus entity to publicly post information considered a protected education record.
Protected or Private Information Use in Photography and Videography
Certain photos and videos of students are “educational records” under FERPA, and cannot be shared publicly without the written consent of the student. Consent is particularly important where:
- Photos or videos prominently show one or a few students.
- Photos or video images are part of FSU’s official functions and/or depict students in their educational or academic environment.
Class recordings may raise privacy concerns due to FERPA regulations. In cases where class-recording videos are made accessible only to the students and instructors in the class and academic administrators, students should be informed of the video recording in advance. Within a class or even outside of the classroom, if a student or students are identifiable in a photograph or video, FERPA may apply and require that permission be obtained before the photo or video is shared publicly.
Facial recognition technology (FRT) allows for the identification and the verification of a person’s identity. It combines biometric systems properties using video or photography with a computer application to associate identity to individually distinctive features of the body. Use of FRT by University units must be reviewed by the Director of Information Security and Privacy Office.
Any information obtained through the use of automated photo license plate reading devices shall not be used for any purpose other than to identify a license plate number, to verify campus parking eligibility of the vehicle, and to facilitate the serving of notices of parking violations and notices of delinquent parking citations. This information will not be retained beyond its useful need with exceptions specified by legal requirements.
Student use of electronic devices, including wearable computing devices, capable of photography, audio, or video recording of events is prohibited during certain classroom functions, research activities, or supporting business processes involving information classified as protected or private. Examples of prohibited uses include academic functions such as examinations, unapproved use in healthcare functions covered by HIPAA, and research functions where contractual or legal rules restrict information sharing.
Use of Biometric Technologies
University units implementing biometric technologies must ensure they meet any relevant privacy and biometric laws and regulations as they may relate to the acquisition and retention of biometric information. In addition, the university unit must ensure that its use meets a defined business need with auditable procedures to secure the biometric information and privacy of the enrollees.
Online Collection of Protected and Private Information
Prospective students, current students, faculty, staff, and interested parties residing outside of the United States and providing protected or private information electronically to FSU understand this information will be transferred to the U.S. where it will be processed and stored under U.S. privacy standards or by applicable framework agreements.
C. STANDARDS FOR SPECIFIC INFORMATION TYPES
FSU faculty, staff, and contracted business partners must ensure the safekeeping of public records that have archival, administrative, or legal value. The FSU records management policy OP-F-3 contains specific responsibilities for the retention, storage, disposal, and archival of FSU records. Archived information classified as protected or private information must be maintained with the same safeguarding controls, such as encryption, that are legislated or contracted for production systems. It is also the responsibility of each person processing a public records request to ensure exempt or confidential information under Chapter 119, Florida Statutes, is redacted prior to public release unless publication is approved by the President, Provost, or designated senior administrative staff.
Student Education Records
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. Florida Statute 1002.22 requires FSU to protect student education records in accordance with FERPA.
- The disclosure of education records maintained by an educational institution.
- Access to these records.
FSU has defined certain components of a student’s education record as “Directory Information.” “Directory Information” means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. These items are classified as Public information unless a student has filed a "Request to Prevent Release or Publication of Directory Information" form, which places a privacy hold on the student's account including “Directory Information”. The Office of the Registrar maintains the current listing of items classified as “Directory” information at FSU.
Social Security Numbers
FSU collects and stores Social Security Numbers (SSNs) as permitted by law. University units and their employees are only permitted to collect or store SSNs when necessary to meet a state or federal requirement or the unit has obtained written approval from the President, Provost, Vice President, General Counsel, Director of Information Security and Privacy, or designated approver to meet an official business process.
FSU requires all entities maintain privacy controls over SSNs to meet legal, contractual, or good privacy practice requirements including:
- FSU EMPLIDs are to be used instead of SSNs for routine university business.
- Collection, storage, or processing of SSNs is restricted to FSU automated systems that serve the Enterprise Resource Planning (ERP) student, financial, and human resource systems.
- SSNs must not be stored on FSU-owned, personal computing devices, or transferred to vendor storage services including cloud computing resources, unless appropriate management approval and execution of an information sharing agreement is granted for mission-critical FSU business activities.
- Any approved storage of SSNs on FSU-owned portable storage devices or mobile computing devices must be encrypted to maintain the privacy of the information. The encryption solution should meet Federal Information Processing Standard (FIPS) 140-2 standards.
- SSNs or partial SSNs should never be displayed in areas such as public locations where it is not possible to restrict access to only those approved to view SSNs.
- Any approved business process requiring the transfer of electronic documents containing SSNs over the internal FSU network, the Internet, or a wireless carrier’s network requires the encryption of the transferred documents between the user's computing device and FSU information processing equipment.
- Any required mailing of paper documents containing SSNs must be done in a manner that reduces the risk of displaying SSNs before the document is opened.
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
The HIPAA Privacy Rule (45 CFR Part 160 and 164) provides protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information.
Protected health information includes:
Patient health information (PHI) created or received by a health care provider or health plan that includes health information or health care payment information plus information that personally identifies the individual patient or plan member.
Personal identifiers include:
A patient's name and email, web site and home addresses; identifying numbers (including Social Security, medical records, insurance numbers, biomedical devices, vehicle identifiers and license numbers); full facial photos, other biometric identifiers; and dates (such as birth date, dates of admission and discharge, death).
Each FSU entity designated as a HIPAA “Covered Entity” or “Business Associate” as defined by the US Department of Health and Human Services (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html) will appoint a HIPAA Privacy Officer. The Privacy Officer is the entity’s administrative resource for implementation and compliance with the current requirements of the HIPAA Privacy Rule.
Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLB)
FSU generates, receives and stores many financial documents and records classified as protected. This includes, but is not limited to, information about the awarding and issuance of loans to students, and the collection of payments from students, parents, patients and customers via check, money order, wire transfer, Automated Clearing House (ACH) and credit/debit card. GLB (Public Law 106-102) applies to any record handled or maintained by - or on behalf of - FSU or its affiliates that contains protected financial information about a student or other third-party who has a relationship with FSU.
GLB safeguarding provisions pertain to any record containing protected financial information, whether in paper, electronic or other form, which is handled or maintained by or on behalf of FSU or its affiliates. For these purposes, the term protected financial information shall mean any information (i) a student or other third-party provides in order to obtain a financial service from FSU, (ii) about a student or other third-party resulting from any transaction with FSU involving a financial service, or (iii) otherwise obtained about a student or other third-party in connection with providing a financial service to that person. In particular, safeguarding provisions of this policy and FSU’s security policy (i) ensure the security and confidentiality of covered records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
All FSU contracts with providers who are responsible for processing, transferring, or storing GLB-protected FSU information will be required, under the terms of the contract, to stipulate implemented safeguards that adhere to, and are in compliance with, the provisions of the Gramm-Leach-Bliley Act.
Branded Credit/Debit Card Transactions
FSU will collect and use information obtained from branded credit/debit card transactions (VISA, MasterCard, American Express, and Discover) only for business purposes upon approval by the FSU Controller’s Office. The credit card information will be safeguarded in a confidential manner as defined in FSU 4-OP-D-2-G Payment Cards Policy and as specified in the merchant agreements as contractual obligations. Such obligations include compliance with the Payment Card Industry – Data Security Standard (PCI DSS).
Electronic Communications / E-Mail
Confidentiality and privacy cannot be guaranteed through electronic communications because of the nature of the medium and FSU's accountability as a public institution. FSU supports a climate of trust and respect and does not ordinarily read, monitor, or screen instant messaging, voice mail, or electronic mail services provided by FSU.
The President, Provost, or their designee may authorize access to faculty, staff, or student instant messaging archives, voice mail, or email in a number of circumstances including, but not limited to:
- Situations involving the health or safety of people or property.
- Possible violations of FSU codes of conduct, regulations, or policies.
- Possible violations of state or federal laws; subpoenas and court orders.
- Other legal responsibilities or obligations of FSU.
- The need to locate information required for FSU business purposes.
E-mails containing information classified as protected should be encrypted, or the information should be sent as a password-protected attachment.
University units conducting research must be aware of appropriate privacy restrictions for information transmitted, stored, or processed as part of research projects. Research projects are also a required component of a University unit’s yearly data classification, risk assessment, and risk mitigation planning.
Legal privacy restrictions include, but are not limited to, the Health Insurance Portability and Accountability Act (HIPAA), International Traffic in Arms Regulations (ITAR), The Belmont Report (1979) and 2.1 Code of Federal Regulations Title 45 Part 46: The Common Rule concerning the protection of human subjects, other federal or state legal requirements, and contractual research information privacy restrictions. In addition, University units must protect the privacy of protected or private research information with appropriate information privacy and security controls such as those published by the National Institute of Standards and Technology (NIST), ISO, or Federal Information Security Management Act (FISMA). Required information privacy and security controls extend to any device used to transmit, store or process protected or private research information.
D. PRIVACY VIOLATIONS AND INCIDENT REPORTING
Privacy violations occur when an FSU student, staff, contractor or faculty member violates this policy, specific legal privacy requirements, or contractual obligations. For the purpose of this policy there are three primary classifications of privacy violations at FSU:
- Incidental disclosure occurs when an unauthorized party overhears or sees protected or private information during a permitted use or disclosure in a work space.
- Accidental disclosure occurs when privacy control weaknesses allow unauthorized access to protected or private information. Privacy control weaknesses include human error or a fault in privacy control procedures that leads to a loss of ability to limit access to protected or private information to only authorized users.
- Intentional disclosure occurs when privacy controls are overridden to allow unauthorized access or disclosure of protected or private information. This can be done with or without malicious intent.
It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed incidents to their supervisor or contract administrator including accidental incidents. If the supervisor or contract administrator is unavailable or if there is a potential conflict of interest, the report should be directed to the Dean, Director, Department Head, Director of Information Security and Privacy, or through the FSU Hotline. The Dean, Director, Department Head, or Inspector General must inform the Director of Information Security and Privacy of any suspected or confirmed privacy breaches within 24 hours. Refer to the FSU Incident Response Guidelines for further incident handling procedures.
III. LEGAL SUPPORT, JUSTIFICATION, AND REVIEW OF THIS POLICY
The Florida Constitution, Article IX, Section 7 provides that the Florida Board of Governors (BOG) shall establish the powers and duties of the individual boards of trustees (BOT), which are charged with governing the university. The BOG has enacted BOG Regulation 1.001 providing the individual Boards of Trustees with specific authorities with which to govern the universities. The FSU BOT has, in turn, delegated these governance functions by Resolution to the President of the University. Establishing a procedure of information privacy is within the President’s authority.
The University President shall be responsible for review of the provisions of this policy and for making any necessary revisions every seven years.
BOG Regulation 3.0075 Security of Data and Related Information Technology Resources
Chapter 119, Florida Statutes - Public Records, Sections 1002.21, 1002.22, 1004.22(2), 1006.52, 1012.91
Chapter 257, Florida Statutes - Public Libraries and State Archives
Chapter 119.072, Florida Statutes - SSN Exemption from Public Disclosure.
Chapters 1B-24 and 1B-26.003, Florida Administrative Code
Chapter 501.171, Florida Statutes – Florida Information Protection Act 2014 (FIPA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
The Americans with Disabilities Act (ADA)
Privacy Act of 1974, as amended
15 U.S.C. 6801, implemented by 16 CFR Part 314, The Gramm-Leach-Bliley Act (GLB Act)
The Federal Trade Commission (FTC) Rule on "Standards for Safeguarding Customer Information"
Payment Card Industry Data Security Standard (PCI DSS)
4-OP-C-13 Policy Against Fraudulent, Unethical and Other Dishonest Acts