You and the university must comply with data protection and privacy requirements specified by federal and state laws, regulations, and industry standards. In some cases, there are additional requirements based on the data classification level of the data you are working with .
Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act of 1998 (DMCA) and the Higher Education Opportunity Act (HEOA) of 2008 require that SPU manage a digital copyright compliance program that consists of four components:
- Annual disclosure/education and awareness
- A strategy for effectively combating the distribution of unauthorized copyrighted materials
- Provision of alternative sources for authorized copies of copyrighted materials
- Strategic plan review
More Information
Data Examples
The following data and activities are subject to digital copyright compliance regulations:
- Third-party content shared through social media sites, such as YouTube, or peer-to-peer (P2P) file sharing technology, such as BitTorrent
- Making copies of copyrighted works available or acquiring unauthorized copies of copyrighted works
Data Steward
DMCA Agent for Seattle Pacific University: CIS-DMCA@spu.edu
Family Educational Rights and Privacy Act (FERPA)
Student education records contain information directly related to a student and are maintained by Seattle Pacific University or by an educational agency or institution. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records.
More Information
- FERPA at SPU
- State Student Privacy Laws
- DOE Data Security Checklist.pdf
- DOE Integrated Data Systems and FERPA.pdf
Data Steward
University Registrar: sfs-info@spu.edu
General Data Protection Regulation (GDPR)
GDPR applies to all residents or person's currently in the European Union attending the University. GDPR defines three basic roles in data transactions: the data subject (the person the data is related to); the data controller (which dictates what is done with the data); and the data processor (which is processing that data). The University is a controller as it relates to its human resources or student data or when the university tracks website visitors who are accessing the websites from the EU. SPU could also be a data processor — for instance, if it has a partnership with another school in its study abroad program. GDPR also places strong emphasis on understanding and documenting what third-party vendors or cloud services providers have access to and what they do with data SPU shares with them.
The GDPR defines many rights for data subjects, including the right of access to data, the right to erasure (right to be forgotten), and rights to restrictions on data processing. For instance, data subjects have a right not to be subject to a decision based solely on automated processing
More Information
Data Stewards
GDPR Compliance: gdpr@spu.edu
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, includes provisions to protect personal financial information held by financial and higher education institutions.
Student Financial Services and departments that run their own student financial aid programs need to comply with GLBA.
More Information
Data Steward
Student Financial Services: sfs-info@spu.edu
Guidance on the Use of Financial Aid Information
Numerous federal laws govern access to, disclosure of, and use of student financial aid information, including, but not limited to: Section 444 of the General Education Provisions Act (commonly referred to as the Family Educational Rights and Privacy Act [FERPA]); the Higher Education Act of 1965, as amended (HEA); and the Privacy Act of 1974, as amended (Privacy Act). As the interplay of these various laws in different situations can be complex, in addition to a discussion, this document provides some questions and answers about possible situations in which student financial aid information may, or may not, be used for these purposes.
More Information
Data Stewards
Student Financial Services: sfs-info@spu.edu
Health Insurance Portability and Accountability Act (HIPAA)
Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA includes privacy and security rules that govern how PHI is collected, disclosed, and secured. The HIPAA privacy and security rules and requirements were developed to ensure data availability and integrity, while limiting access to PHI to only authorized people.
HIPAA privacy and security rules apply only to covered entities in their role as a health care provider, health plan, or health care clearinghouse. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by a covered entity in its role as an employer.
More Information
HIPAA data at SPU is highly restricted. Only the Health Services on campus clinic is authorized to store HIPAA protected information.
Data Steward
Health Services: healthservices@spu.edu
Payment Card Industry Data Security Standard (PCI-DSS)
Guidelines for handling credit card information are defined by the Payment Card Industry Data Security Standard (PCI-DSS). Departments are not allowed to store electronically cardholder data on any university system. This includes, but is not limited to, computers, servers, laptops, and flash drives. If transaction records are needed, use only the last 4 digits of the number of the card.
More Information
Data Steward
Office of Financial Affairs: budget@spu.edu
Protection of Human Subjects (Common Rule)
A human subject is a living individual about whom an investigator (whether faculty member, research scientist or associate, or student) conducting research obtains data through intervention or interaction with the individual or when identifiable private information is obtained. A human subject's personally identifiable data is sensitive if it would pose increased social/reputational, legal, employability, or insurability risk to the subject if disclosed. Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered to be sensitive.
Sensitive Identifiable Human Subject Research falls under the Protection of Human Subjects (Common Rule) as defined by 45 CFR 46.101(b)(2), which distinguishes regulated research from a category of exempt research using the following language: "Information obtain is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation."
More Information
- U.S. Department of Health & Human Services - Human Subjects
- U.S. Department of Health & Human Services - Common Rule
Data Steward
School Dean of Research Unit: https://spu.edu/university-leadership/deans-cabinet
Red Flags Rule for Identity Theft Prevention / FACTA
The Red Flags Rule requires businesses that loan customers money, accept payments, or use credit reports to have methods in place to detect and prevent identity theft. The university complies with this Federal Trade Commission requirement through SPU's Identity Theft Prevention Program.
More Information
Data Examples
These are examples of "red flags" that identify theft may have occured:
- A fraud or active duty alert is included with a consumer report
- Documents provided for identification appear to have been altered or forged
- Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor
- The Social Security number provided is the same as that submitted by other persons opening an account or other customers
- Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account
Data Steward
Chief Information Officer: cio@spu.edu
Social Security Number Privacy Act
While Social Security numbers are a type of Personally Identifiable Information (PII), the legal requirements of the Wash. Rev. Code § 19.255.010 , 42.56.590 for protecting them are much more stringent than for other PII.
Social Security numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, Social Security benefits, and other purposes. Social Security numbers are a primary target for identity thieves. SPU has not used Social Security numbers as identifiers for students and employees since 2003.
More Information
- FTC: Identity Theft and Social Security Numbers
- FTC: Social Security Numbers in Commerce
- FTC: Protecting the Privacy of Social Security Numbers from Identity Theft
- Protecting Personal Information: A Guide for Business
- Homeland Security SSN Policy
Data Stewards
SSNs for University Employees: hr@spu.edu
SSNs for Students: sas-info@spu.edu
Sarbanes-Oxley Act (SOX)
While most of the provisions of SOX are limited to public companies, the National Association of College and Business Officers (NACUBO) have analyzed SOX and recommended that Universities follow certain provisions as best provisions, including SOX Section 406 regarding "Code of ethics for senior financial officers."
Additionally, recent amendments to SOX have made its whistle blower protections applicable to all organizations. Any employee who files a complaint, gives testimony, provides information or otherwise assists in an SEC, Congressional or law enforcement investigation is protected. Under SOX, an employee whistle blower may not be harmed or discriminated against in the terms and conditions of employment because of any lawful act done as a whistle blower.
More Information
Data Stewards
Office of Financial Affairs: budget@spu.edu
State Data Privacy Law
Many states have data privacy laws that protect state residents. Those laws apply to SPU with respect to those state residents while attending SPU as a student. For example, a student who is a legal resident of California is protected by the California Consumer Privacy Act while attending SPU.
Washington state also has data privacy regulations that impact how SPU handles sensitive data about students and employees. In particular, Washington is one of two states that have classified the Student ID number as regulated Personal Information which requires notification to an individual if exposed or miss-handles. Washington Rev. Code RCW 19.255.010 , 42.56.590 specifically govern the data privacy of Washington state residents.
More Information
Data Stewards
SSNs for University Employees: hr@spu.edu
SSNs for Students: sas-info@spu.edu