You and the university must comply with data protection and privacy requirements specified by federal and state laws, regulations, and industry standards. In some cases, there are additional requirements based on the data classification level of the data you are working with.
Student education records contain information directly related to a student and are maintained by Seattle Pacific University or by an educational agency or institution. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records.
GDPR applies to all residents of, or persons currently in, the European Union who are attending the University. GDPR defines three basic roles in data transactions: the data subject (the person the data relates to); the data controller (which dictates what is done with the data); and the data processor (which processes that data). The University is a controller with respect to its human resources or student data, or when the University tracks website visitors who access its websites from the EU. SPU could also be a data processor, for instance if it has a partnership with another school in its study abroad program. GDPR also places strong emphasis on understanding and documenting which third-party vendors or cloud service providers have access to data SPU shares with them and what they do with it.
The GDPR defines many rights for data subjects, including the right of access to data, the right to erasure (the right to be forgotten), and the right to restrict data processing. For instance, data subjects have a right not to be subject to a decision based solely on automated processing.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, includes provisions to protect personal financial information held by financial and higher education institutions.
Student Financial Services and departments that run their own student financial aid programs need to comply with GLBA.
Numerous federal laws govern access to, disclosure of, and use of student financial aid information, including, but not limited to: Section 444 of the General Education Provisions Act (commonly referred to as the Family Educational Rights and Privacy Act [FERPA]); the Higher Education Act of 1965, as amended (HEA); and the Privacy Act of 1974, as amended (Privacy Act). As the interplay of these various laws in different situations can be complex, in addition to a discussion, this document provides some questions and answers about possible situations in which student financial aid information may, or may not, be used for these purposes.
Health Insurance Portability and Accountability Act (HIPAA)
Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA includes privacy and security rules that govern how PHI is collected, disclosed, and secured. The HIPAA privacy and security rules and requirements were developed to ensure data availability and integrity, while limiting access to PHI to only authorized people.
HIPAA privacy and security rules apply only to covered entities in their role as a health care provider, health plan, or health care clearinghouse. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by a covered entity in its role as an employer.
HIPAA data at SPU is highly restricted. Only the on-campus Health Services clinic is authorized to store HIPAA-protected information.
Payment Card Industry Data Security Standard (PCI-DSS)
Guidelines for handling credit card information are defined by the Payment Card Industry Data Security Standard (PCI-DSS). Departments are not allowed to electronically store cardholder data on any university system. This includes, but is not limited to, computers, servers, laptops, and flash drives. If transaction records are needed, record only the last 4 digits of the card number.
A human subject is a living individual about whom an investigator (whether faculty member, research scientist or associate, or student) conducting research obtains data through intervention or interaction with the individual or when identifiable private information is obtained. A human subject's personally identifiable data is sensitive if it would pose increased social/reputational, legal, employability, or insurability risk to the subject if disclosed. Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered to be sensitive.
Sensitive Identifiable Human Subject Research falls under the Protection of Human Subjects (Common Rule) as defined by 45 CFR 46.101(b)(2), which distinguishes regulated research from a category of exempt research using the following language: "Information obtained is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation."
Social Security numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, Social Security benefits, and other purposes. Social Security numbers are a primary target for identity thieves. SPU has not used Social Security numbers as identifiers for students and employees since 2003.
While most of the provisions of SOX are limited to public companies, the National Association of College and University Business Officers (NACUBO) has analyzed SOX and recommended that universities follow certain provisions as best practices, including SOX Section 406 regarding the "Code of ethics for senior financial officers."
Additionally, recent amendments to SOX have made its whistleblower protections applicable to all organizations. Any employee who files a complaint, gives testimony, provides information, or otherwise assists in an SEC, Congressional, or law enforcement investigation is protected. Under SOX, an employee whistleblower may not be harmed or discriminated against in the terms and conditions of employment because of any lawful act done as a whistleblower.
Many states have data privacy laws that protect state residents. Those laws apply to SPU with respect to those state residents while attending SPU as a student. For example, a student who is a legal resident of California is protected by the California Consumer Privacy Act while attending SPU.
Washington state also has data privacy regulations that affect how SPU handles sensitive data about students and employees. In particular, Washington is one of two states that have classified the Student ID number as regulated Personal Information, which requires notifying the individual if that information is exposed or mishandled. Washington Revised Code RCW 19.255 and RCW 42.56.590 specifically govern the data privacy of Washington state residents.