The California State University (CSU) has responsibility to protect sensitive personal data and maintain confidentiality of that data under the Information Practices Act (IPA), Title 5, and the Family Educational Rights and Privacy Act (FERPA). Personal data includes (and not limited to) the following:
- Social Security Number (SSN)
- Date of Birth (DOB)
- Home Address
- Home Phone Number
- Physical Description
- Medical History
- Gender and Ethnicity
The Office of the Chancellor issued coded memorandum (HR2002-27 and HR2003-5) detailing the CSU's requirements for protecting confidential data. Additionally, the Office of General Counsel for the CSU issues and maintains a Records Access Manual, which provides an overview of federal and state law governing access to records possessed by the CSU.
IPA, California Civil Code Section 1798, et seq. protects individuals' privacy rights in 'personal information' contained in state agency records. Additionally, Sections 42396 through 42396.5 of Title 5 of the California Code of Regulations address privacy and the principles of personnel information management.
FERPA affords student certain rights with respect to their education record, one of which is the right to consent to the disclosure of personally identifiable information except to the extent that FERPA authorizes disclosure without consent.
CSUSB's Records, Registration, and Evaluations Office provide campus guidelines for complying with FERPA. Furthermore, CSUSB's Acceptable Use Policy for Electronic Communications provides general principles regarding respect for privacy and sharing of account passwords.
CSUSB requires all employees who have been determined to have a need for access to confidential personal information complete a Confidentiality & Compliance Form. This form is filed in the Human Resources Department. It is the responsibility of each department manager to ensure that forms are completed by their employees and returned to Human Resources.
Further information on these state and federal laws as well as CSUSB's policies, can be obtained at the following web site locations:
- Information Practices Act of 1977
- California Code of Regulations-Title V
- Family Educational Rights and Privacy Act (FERPA)
- Requirements for Protecting Confidential Employee Data: Updated to Reflect Faculty Unit Confidentiality Agreement Requirement
- CSU Coded Memorandum HR2002-27 - Requirements for Protecting Confidential Data
- CSU Coded Memorandum HR2003-5 - Req. for Protecting Confidential Data - Updated
- CSU Records Access Manual (February 2003)
- Policy and Procedures for Student Records Administration
- Acceptable Use Policy for Electronic Communications
Information Practices Act of 1977
To assist employees in understanding the IPA and to prevent inappropriate disclosure of information, below is a summary of key components:
- General Provisions and Legislative Findings
The right to privacy is a personal and fundamental right protected by Section 1 of Article I of the Constitution of California and by the United States Constitution. All individuals have a right of privacy in information pertaining to them. The California's Legislature has found that:
- The right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies.
- The increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information.
- In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits.
- The term 'personal information' means any information maintained by the campus that identifies or describes an individual, including, but not limited to: his or her name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual.
- The term 'disclose' means to disclose, release, transfer, disseminate or otherwise communicate all or any part of any record, orally, in writing, or by electronic or any other means to any person or entity.
- 'The intentional violation of any provision of this chapter or any rules or regulations adopted there under by an employee of any campus shall constitute a cause for discipline, including termination of employment.'
- Any person who willfully requests or obtains any record containing personal information from a campus under false pretenses shall be guilty of a misdemeanor or fined not more than five thousand dollars ($5,000), or imprisoned not more than one year, or both.