Data Laws and Regulations


You and the university must comply with data protection and privacy requirements specified by federal and state laws, regulations, and industry standards. In some cases, there are additional requirements based on the data classification level of the data you are working with.

Digital Millennium Copyright Act (DMCA)


The Digital Millennium Copyright Act of 1998 (DMCA) and the Higher Education Opportunity Act (HEOA) of 2008 require that SPU manage a digital copyright compliance program that consists of four components:

  1. Annual disclosure/education and awareness
  2. A strategy for effectively combating the distribution of unauthorized copyrighted materials
  3. Provision of alternative sources for authorized copies of copyrighted materials
  4. Strategic plan review

Data Examples

The following data and activities are subject to digital copyright compliance regulations:

  • Third-party content shared through social media sites, such as YouTube, or peer-to-peer (P2P) file sharing technology, such as BitTorrent
  • Making copies of copyrighted works available or acquiring unauthorized copies of copyrighted works

Data Steward

DMCA Agent for Seattle Pacific University: CIS-DMCA@spu.edu

Family Educational Rights and Privacy Act (FERPA)


Student education records contain information directly related to a student and are maintained by Seattle Pacific University or by an educational agency or institution. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records.

Data Steward

University Registrar: sfs-info@spu.edu

General Data Protection Regulation (GDPR)


GDPR applies to all EU residents, and to all persons currently in the European Union, who are attending the University. GDPR defines three basic roles in data transactions: the data subject (the person the data relates to); the data controller (which dictates what is done with the data); and the data processor (which processes that data on the controller's behalf). The University is a controller with respect to its human resources and student data, and when it tracks website visitors who access its websites from the EU. SPU could also be a data processor, for instance if it has a partnership with another school in its study abroad program. GDPR also places strong emphasis on understanding and documenting which third-party vendors or cloud service providers have access to the data SPU shares with them and what they do with it.

The GDPR defines many rights for data subjects, including the right of access to data, the right to erasure (the right to be forgotten), and rights to restrict data processing. For instance, data subjects have a right not to be subject to a decision based solely on automated processing.

Data Stewards

GDPR Compliance: gdpr@spu.edu

Gramm-Leach-Bliley Act (GLBA)


The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, includes provisions to protect personal financial information held by financial and higher education institutions.

Student Financial Services and departments that run their own student financial aid programs need to comply with GLBA.

Data Steward

Student Financial Services: sfs-info@spu.edu

Guidance on the Use of Financial Aid Information


Numerous federal laws govern access to, disclosure of, and use of student financial aid information, including, but not limited to: Section 444 of the General Education Provisions Act (commonly referred to as the Family Educational Rights and Privacy Act [FERPA]); the Higher Education Act of 1965, as amended (HEA); and the Privacy Act of 1974, as amended (Privacy Act). Because the interplay of these laws in different situations can be complex, the federal guidance document provides, in addition to a discussion, some questions and answers about situations in which student financial aid information may, or may not, be used for these purposes.

Data Stewards

Student Financial Services: sfs-info@spu.edu

Health Insurance Portability and Accountability Act (HIPAA)


Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA includes privacy and security rules that govern how PHI is collected, disclosed, and secured. The HIPAA privacy and security rules and requirements were developed to ensure data availability and integrity, while limiting access to PHI to only authorized people.

HIPAA privacy and security rules apply only to covered entities in their role as a health care provider, health plan, or health care clearinghouse. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by a covered entity in its role as an employer.

More Information

HIPAA data at SPU is highly restricted. Only the on-campus Health Services clinic is authorized to store HIPAA-protected information.

Data Steward

Health Services: healthservices@spu.edu

Payment Card Industry Data Security Standard (PCI-DSS)


Guidelines for handling credit card information are defined by the Payment Card Industry Data Security Standard (PCI-DSS). Departments are not allowed to store cardholder data electronically on any university system. This includes, but is not limited to, computers, servers, laptops, and flash drives. If transaction records are needed, retain only the last 4 digits of the card number.

Data Steward

Office of Financial Affairs: budget@spu.edu

Protection of Human Subjects (Common Rule)


A human subject is a living individual about whom an investigator (whether faculty member, research scientist or associate, or student) conducting research obtains data through intervention or interaction with the individual or when identifiable private information is obtained. A human subject's personally identifiable data is sensitive if it would pose increased social/reputational, legal, employability, or insurability risk to the subject if disclosed. Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered to be sensitive.

Sensitive Identifiable Human Subject Research falls under the Protection of Human Subjects (Common Rule) as defined by 45 CFR 46.101(b)(2), which distinguishes regulated research from a category of exempt research using the following language: "Information obtained is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation."

Data Steward

School Dean of Research Unit: https://spu.edu/university-leadership/deans-cabinet

Red Flags Rule for Identity Theft Prevention / FACTA


The Red Flags Rule requires businesses that loan customers money, accept payments, or use credit reports to have methods in place to detect and prevent identity theft. The university complies with this Federal Trade Commission requirement through SPU's Identity Theft Prevention Program.

Data Examples

These are examples of "red flags" indicating that identity theft may have occurred:

  • A fraud or active duty alert is included with a consumer report
  • Documents provided for identification appear to have been altered or forged
  • Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor
  • The Social Security number provided is the same as that submitted by other persons opening an account or other customers
  • Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account

Data Steward

Chief Information Officer: cio@spu.edu

Social Security Number Privacy Act


While Social Security numbers are a type of Personally Identifiable Information (PII), the legal requirements of Wash. Rev. Code § 19.255.010 and § 42.56.590 for protecting them are much more stringent than for other PII.

Social Security numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, Social Security benefits, and other purposes. Social Security numbers are a primary target for identity thieves. SPU has not used Social Security numbers as identifiers for students and employees since 2003.

Data Stewards

SSNs for University Employees: hr@spu.edu
SSNs for Students: sas-info@spu.edu

Sarbanes-Oxley Act (SOX)


While most of the provisions of SOX are limited to public companies, the National Association of College and University Business Officers (NACUBO) has analyzed SOX and recommended that universities follow certain provisions as best practices, including SOX Section 406 regarding "Code of ethics for senior financial officers."

Additionally, recent amendments to SOX have made its whistleblower protections applicable to all organizations. Any employee who files a complaint, gives testimony, provides information, or otherwise assists in an SEC, Congressional, or law enforcement investigation is protected. Under SOX, an employee whistleblower may not be harmed or discriminated against in the terms and conditions of employment because of any lawful act done as a whistleblower.

Data Stewards

Office of Financial Affairs: budget@spu.edu

State Data Privacy Law


Many states have data privacy laws that protect their residents. Those laws apply to SPU with respect to those residents while they attend SPU as students. For example, a student who is a legal resident of California is protected by the California Consumer Privacy Act while attending SPU.

Washington state also has data privacy regulations that affect how SPU handles sensitive data about students and employees. In particular, Washington is one of two states that have classified the Student ID number as regulated Personal Information, which requires notification to the individual if it is exposed or mishandled. Washington Rev. Code RCW 19.255 and RCW 42.56.590 specifically govern the data privacy of Washington state residents.

Data Stewards

SSNs for University Employees: hr@spu.edu
SSNs for Students: sas-info@spu.edu