Information Services

Privacy is the right to be let alone, to be free from disturbance or intrusion. Privacy isn’t about whether someone has something to hide, it is a multidisciplinary field that is concerned with the degree to which people have control and autonomy over certain areas of their lives. It is also about identifying and assessing how well organizations are doing in upholding their responsibilities as data privacy stewards on behalf of those individuals whose data they collect, store, share, analyze, modify, and otherwise interact with and use.

The IS Privacy Office focuses on data privacy at CWU - controlling access over one's own information and how individuals’ data is used while carrying out its functions that fulfill essential educational and university strategic goals. Privacy encompasses other areas as well:

• Bodily Privacy – privacy over one’s physical being, such as healthcare choices, genetic testing, and drug testing
• Communication Privacy - having control over one’s private messages, such as monitored or recorded)
• Territorial Privacy – privacy over one’s physical space, such as being surveilled, searched, or being required to show ID

The exponential growth in technology such as mobile phones has brought privacy issues to the forefront. We have more digital data than we ever have, and people produce and use data constantly, for work or though personal devices. Data privacy is its own field of IT, with its own set of laws, standards, and frameworks.

Data privacy overlaps with information security in that both are concerned about determining risks and securing data. Data security is about the process of protecting digital assets (data) residing within systems from unauthorized access and use. Ensuring data privacy requires strong security. Data privacy is concerned with protecting data from unauthorized disclosure but it’s also about protecting data against authorized processing that wasn't set up with privacy or data protection in mind. Both circumstances may cause individuals significant social, personal, or professional harm should sensitive data be exposed. Release of sensitive personal details may cause serious embarrassment, loss of opportunities, negative reputational impacts, and loss of trust.

CWU’s Information Services is concerned with upholding both data privacy and security, because personal data isn't just an asset, it's a representation of people, and use of data can have real and lasting impacts on the lives of students, employees, and their families.

Every employee at CWU is responsible for protecting personal data if they work with personal data. As information is increasingly recorded, kept, and made available online, it's essential to become educated and stay current on safe and responsible data privacy practices.

Responsibility for safeguarding personal data is a shared effort between the individual as well institutions like CWU that collect and use personal data. Organizations may be held legally and reputationally accountable if they don't have sufficient protections in place or if their actions don't match what their privacy notices say they do. 

In the Family Educational Rights and Privacy Act (FERPA), the US Department of Education states that personally identifiable information includes but isn’t limited to:

1. A student’s name
2. A student’s parent or other family members;
3. The address of the student or student's family;
4. A personal identifier, such as the student's social security number, student number, or biometric record;
5. Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
7. Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

“PII" is students' education record data, past and present, that may be linked to and therefore identify individuals either directly or indirectly.

In the federal  Family Educational Rights and Privacy Act (FERPA), the US Department of Education outlines certain pieces of student education record information of enrolled students that wouldn't generally be considered harmful or an invasion of privacy if disclosed without students' consent, that the institution designates as "directory information." (School officials who must have access to student data for official university business and educational purposes may have such access to data, if access is necessary for fulfillment of their job functions.)

Students (and parents of minor students) may opt out of having their data included in the student directory when they enroll at CWU and at any time thereafter.

FERPA allows institutions to choose what constitutes their specific student directory information. At CWU, directory information includes:

• a student’s name
• university and permanent address
• telephone number
• photograph
• major field of study
• Terms enrolled
• Years of attendance (i.e., the period of time during which the student attends or attended the school)
• participation in officially recognized activities and sports
• weight and height of members of athletic teams
• degrees
• honors, awards, and achievements received, such as honor roll
• previous schools attended

Social security Number, Student ID, citizenship, gender, email address, date and place of birth, race, ethnicity, grades, GPA, and class schedules, are NOT part of CWU directory information.

For more information on FERPA, directory information, and opting out of the student directory at CWU, please check with the Office of the Registrar.

.

In its Notice of Security Breaches RCW 19.255.005, The State of Washington views personal information differently that FERPA does, and the rights regarding personal information extend to individuals whose data is being maintained by a person or a business.

The IS Data Privacy Office promotes CWU’s adoption of the Washington State Office of Privacy and Data Protection's Washington State Agency Privacy Principles:

• Lawful, fair, and responsible use – Data will be collected in a non-discriminatory, non-harmful way and its use will be based on legal authority. Data use will be relevant, reasonably necessary, and for legitimate reasons.
• Data minimization - The minimum amount of data will be collected, used, and disclosed for its stated purpose
• Purpose limitation - Use of data will be determined before or at the time it is collected. Use and disclosure of data will be limited to what's reasonably necessary.
• Transparency & accountability – The university will be clear and open about what data will be collected and what it will be used for. Employees will be responsible for and responsive to privacy inquiries and will be accountable for adhering to privacy laws and regulations
• Due diligence - Reasonable actions will be taken before sharing data with third-party data partners such as vendors, other educational agencies to ensure safe data privacy practices will be upheld
• Individual participation - Individuals may exercise control over the collection and use of their personal data, when possible
• Security - appropriate security controls will be used to protect the confidentiality, integrity, and availability of data

The Data Privacy Office is in the process of identifying and documenting privacy risks by following the Washington State Agency Privacy Framework, a flexible framework for state agencies to build and grow their privacy programs to appropriately handle personal information, including sensitive and especially sensitive personal information. It was designed by WA State Washington Technology Solution's (Watech) Office of Privacy and Data Protection and is based off of the National Institute of Standards and Technology (NIST) Privacy Framework and other best privacy practices and standards. The framework consists of functions (Identify, Govern, Protect, Communicate, and Respond) which relate to the actions agencies should take in identifying, assessing, mitigating, and communicating about data privacy risk.

Data classification is a categorization scheme based on data sensitivity levels and a process by which levels are assigned to data and data systems based on the highest sensitivity of data within systems. It is essential for CWU departments to be educated about data classification so they may classify and document data contained in all systems and software applications used. Doing so allows CWU to better manage its privacy risks and respond timely and effectively to privacy threats and incidents.

Data classification is so important for privacy and security risk management that it is outlined in Washington State technology policy repeatedly as something state agencies and institutes of higher education must do:

Policy 141.10 (4.1) (Now SEC-08-01-S) Data Classification Standard identifies a 4-tier classification scheme with definitions for each tier. Policy 112.10 (Now MGMT-01-01-S) Technology Portfolio Foundations - Applications includes data classification as part of IT Portfolio management compliance. Throughout the year the IS Data Privacy Office participates in the process of gathering and updating this information from all areas of the university.

Additionally, Policy 114 Business Application/System Governance lays out expectations that management of technology systems and software applications is a shared responsibility between business and technology stewards.

The State of Washington’s 4-tier classification scheme:

• Category 1: Public Information – Information that can be or already has been released to the public. It does not require legal protections from unauthorized disclosure because disclosure is not generally considered harmful or a privacy invasion, but it does need integrity and availability protection controls.
• Category 2: Sensitive Information – Information that is not specifically legally protected from unauthorized disclosure, but it is for official use only. It is information usually withheld unless specifically requested.
• Category 3: Confidential Information – Information that is specifically protected from either release or disclosure by law. This includes but is not limited to:
  • Personal information as defined in RCW 42.56.590 and RCW 19.255.010
  • Information about public employees as defined in RCW 42.56.250
  • Lists of individuals for commercial purposes as defined in RCW 42.56.070(8)
  • Information about infrastructure and security of computer and telecommunication networks as defined in RCW 42.56.420
• Category 4: Confidential Information Requiring Special Handling - Information that is specifically protected from either release or disclosure by law and
  • Especially strict handling requirements are dictated for it such as statutes, regulations, agreements, or other external compliance mandates.
  • Serious consequences could arise from its unauthorized disclosure, such as health and safety threats or legal sanctions.

The State provides the following information for agencies when categorizing data:

• Agencies must identify and understand all laws, regulations, policies, and standards that apply to their data and ensure applicable requirements are met.
• Agencies must take their missions and business objectives into consideration when evaluating their data classifications.
• Agencies must consider how combining or aggregating data may change the sensitivity of the data.
• In general, the sensitivity of a given data element is likely to be greater in combination than in isolation (e.g., association of an account number with the identity of an individual and or institution).
• When data is newly combined or aggregated its classification level should be reviewed.
• Agency must consider their Data Sharing and Privacy Agreements

IS is in the process of transitioning from our prior 3-tier classification scheme (see (3)(C) Data Classification) to Washington State’s classification scheme for better alignment with state technology policy.