Responsible Executive: Finance and Administration
Approving Official: Vice President for Finance and Administration
Effective Date: March 1, 2024
Revision History: No revisions at this time.
- INTRODUCTION
PURPOSE
Florida State University (FSU) recognizes and values the privacy of university community members and its guests.
In principle, FSU will:
- collect, store, and use the minimum amount of personal information necessary for its legitimate business purposes and comply with regulatory obligations.
- take reasonable steps to ensure the personal information managed is accurate and up to date.
- limit access to personal information in our possession to only those who need it for a legitimate business purpose.
- protect personal information through appropriate information security controls tailored to the sensitivity of the data.
- provide reasonable communication with our students, faculty, employees, suppliers, partners and others about how we use personal information.
- provide opportunities to control personal information, as permitted by applicable laws.
- implement Privacy by Design in our data management.
SCOPE
The scope of this policy applies to our practices for collecting and disseminating information related to FSU’s information systems. It is meant to provide an overview of our activities that requires the processing of personal information and our approach to protecting data privacy. Individual colleges, departments, units, clubs and other groups may have additional privacy policies for their activities related to their unique collection and processing of your personal information, but they may not conflict with this policy.
DEFINITIONS
Cookies - Short text files stored on a user’s device by a website. Cookies are normally used to provide a more personalized experience and to remember user profiles without the need of a specific login.
Data Subject - A natural person about whom FSU holds personal data and who can be identified, directly or indirectly, by reference to that personal data.
Privacy by Design - A framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices.
Personal Information - any information used to identify data subjects.
Sensitive Personal Information - Special categories of Data (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic data, biometric data, data concerning health and data concerning a natural person’s sex life or sexual orientation) for which applicable law provides enhanced protections.
- POLICY
OUR ACCOUNTABILITY
FSU strives to appropriately manage, secure, and protect confidential personal data entrusted to us.
WHEN AND HOW WE COLLECT INFORMATION
FSU collects Personal Information and Sensitive Personal Information in the following circumstances:
- Direct Digital Collection: When you directly provide it to FSU, such as when you sign up for a newsletter on our enterprise systems.
- Automated Processes: Through automated processes. This includes information you provide FSU through technology, such as through a cookie placed on your computer when you visit our enterprise systems.
- Other Sources: We receive or obtain information from other sources for legitimate, specific purposes (e.g., transcripts for admissions purposes).
FSU’s goal is to collect as little information as possible for legitimate purposes and delete information when it is no longer needed or no longer required by law to be retained.
OTHER WEBSITES AND COOKIES
Cookies help provide users with a good experience when browsing websites and allows for website improvements. By continuing to browse the site, you are agreeing to our use of cookies. FSU systems may contain links to other websites. Social media platforms and external websites use cookies or geolocation tracking technologies when a link is embedded in our enterprise systems. We do not have access to, or control of, any information collected through these links. We are not responsible for the privacy practices or the content of such external websites. The social media platforms are responsible for how they use your information. For specific data privacy controls on how these websites track users’ access, please visit the respective website.
DATA SHARING
FSU does not sell your personal information. FSU may, however, share your personal information in limited circumstances, such as with service providers that support teaching, learning, and FSU's mission. FSU contractually requires its service providers to keep your personal information secure. FSU service providers are not authorized to use or share your personal information for any purpose other than providing services on our behalf.
FSU may also share your personal information when required by law, or when we believe that sharing will help to protect the health, safety or property of FSU members and guests.
DATA PRIVACY REGULATIONS
In the context of our processing activities, FSU makes every effort to follow the latest data privacy protection laws concerning the university members and its guests. Concerns about data privacy should be directed to DataPrivacy@fsu.edu. Please note that when you make requests based on data privacy protection regulations, FSU may need to ask you for further personal information to be used for the purposes of responding to your request.
HOW INFORMATION IS SECURED
FSU recognizes the importance of maintaining the security of the information it collects and maintains and endeavors to protect information from unauthorized access and damage. FSU strives to ensure reasonable security measures are in place, including physical, administrative, and technical safeguards to protect your personal information. For more information, see FSU’s 4-OP-H-20 Information Technology Security and Information Assurance Policy.
INCIDENT REPORTING
It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.
Refer to the 4-OP-H-30 Health Information Portability and Accountability Act (HIPAA) Policy if a HIPAA security incident or breach is suspected or confirmed.
POLICY VIOLATIONS
Failure to comply with the requirements of this policy and supplemental policies and standards may result in reduced or revoked access to network and other IT resources.
Users who violate this policy may be subject to other penalties and disciplinary action, both within and outside FSU. Disciplinary action is governed under FSU 's standards for disciplinary action for violation of provisions of University policy.
Unauthorized or fraudulent use of university computing resources may result in criminal prosecution.
QUESTIONS ABOUT THIS POLICY
Any questions regarding the requirements of this Policy or supplemental IT standards should be referred to ISPO at 850-644-HELP or via the contact information at https://its.fsu.edu/.
RELATED POLICIES, STANDARDS AND DOCUMENTS
LEGAL SUPPORT, JUSTIFICATION, AND REVIEW OF THIS POLICY
SPECIFIC AUTHORITY
General Data Protection Regulation (GDPR)
Chapter 119, Florida Statutes - Public Records
BOG Regulation 3.0075 - Security of Data Related Information Technology Resources
Chapter 501.171, Florida Statutes – Security of Confidential Personal Information, Florida Information Protection Act 2014 (FIPA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)
Federal Information Security Modernization Act (FISMA)
Chapter 282.318, Florida Statutes - Information Technology Security Act
Florida Information Protection Act (FIPA) - Security of Confidential Personal Information
The Federal Trade Commission (FTC) Rule on "Standards for Safeguarding Customer Information"