Integrated CSU Administrative Manual

CSU POLICY

Section:   INFORMATION SECURITY POLICY

Section 8000 Policies

Policy Number:   8025.0

Policy Title: Privacy of Personal Information

Policy Effective Date: April 19, 2010

Last Revision Date:  
(see revision history)

POLICY OBJECTIVE

The CSU Information Security policy provides direction and support for protecting the privacy of personal information managed by the CSU and guidance for collecting and accessing personal information.

POLICY STATEMENT


100 Privacy of Personal Information

All users of campus information systems or network resources are advised to consider the open nature of information disseminated electronically and must not assume any degree of privacy or restricted access to information they create or store on campus systems.  The CSU is a public university and information stored on campus information systems may be subject to disclosure under state law.  No campus information system or network resource can absolutely ensure that unauthorized persons will not gain access to information or activities.  However, the CSU acknowledges its obligation to respect and protect private information about individuals stored on campus information systems and network resources.

 

200 Collection of Personal Information

To comply with state and federal laws and regulations, campuses may not collect personally identifiable information unless the need for it has been clearly established.

Where such information is collected:

  • The campus will use reasonable efforts to ensure that personally identifiable information is adequately protected from unauthorized disclosure.
  • The campus shall store personally identifiable information only when it is appropriate and relevant to the purpose for which it has been collected.

 

300 Access to Personal Information

Except as noted elsewhere in CSU policy, information about individuals stored on campus information systems may only be accessed by:

  • The individual to whom the stored information applies or his/her designated representative(s).
  • Authorized CSU employees with a valid CSU-related business need to access, modify, or disclose that information.
  • Appropriate legal authorities.

When appropriate, authorized CSU personnel following established campus procedures may access, modify, and/or disclose information about individuals stored on campus information systems or a user’s activities on campus information systems or network resources without consent from the individual. For example, CSU may take such actions for any of the following reasons:

  • To comply with applicable laws or regulations.
  • To comply with or enforce applicable CSU policy.
  • To ensure the confidentiality, integrity or availability of campus information.
  • To respond to valid legal requests or demands for access to campus information.

If CSU personnel access, modify, and/or disclose information about an individual and/or his/her activities on campus information systems or network resources, staff will make every reasonable effort to respect information and communications that are privileged or otherwise protected from disclosure by CSU policy or applicable laws.

Campuses are advised to consult the CSU Records Access Manual to determine which records must be made available for public inspection under the California Public Records Act.

 

400 Access to Electronic Data Containing Personal Information

Individuals who access or store protected data must use due diligence to prevent unauthorized access and disclosure of such assets.

Browsing, altering, or accessing electronic messages or stored files in another user’s account, computer, or storage device is prohibited, even when such accounts or files are not password protected, unless specifically authorized by the user for CSU business reasons.  This prohibition does not affect:

  • Authorized access to shared files and/or resources based on assigned roles and responsibilities.
  • Authorized access by a network administrator, computer support technician, or departmental manager where such access is within the scope of that individual’s job duties.
  • Access to implicitly publicly accessible resources such as University websites.
  • Campus response to subpoenas or other court orders.
  • Campus response to a request pursuant to public record disclosure laws.

Benjamin F. Quillian
Executive Vice-Chancellor/Chief Financial Officer

Approved: April 19, 2010

APPLICABILITY AND AREAS OF RESPONSIBILITY

 

REVISION HISTORY

 

RESOURCES AND REFERENCE MATERIALS

Useful Guidelines:

 

Related Principles:

 

Sound Business Practices:

 

Laws, State Codes, Regulations and Mandates:

 

COGNIZANT OFFICE(S)

CO Manager:

Mr. William Perry
Chief Information Security Officer
CSU Office of the Chancellor
wperry@calstate.edu

Subject Expert:

Mr. William Perry
Chief Information Security Officer
CSU Office of the Chancellor
wperry@calstate.edu

Affinity Group:

 
