Data Privacy Office


What does the IS Data Privacy Office do?

  • Establishes CWU’s adoption and education on the Washington State Privacy Framework and Washington State Agency Privacy Principles
  • Data collection for WA State technology portfolio management compliance and privacy risk identification. Works with with CWU departmental data owners and stewards to identify, document, and update data systems and software containing sensitive and protected data
  • Reviews departmental solution requests with IS directors
  • Reviews data sharing agreements for data privacy risk with IS Security Services and Contracts
  • Education, training, and guidance on data classification and data governance roles & responsibilities
  • Communicates and respondes to changes in WA State, federal, and international privacy law impacting higher education
  • Develops data privacy-related policy and procedures
  • Documentation of processes and data lifecycle inventories
  • Privacy notices
  • Data privacy incident mitigation, investigation, and notification
  • What is privacy? What is data privacy?

    Privacy is the right to be let alone, to be free from disturbance or intrusion. Privacy isn’t about whether someone has something to hide, it is a multidisciplinary field that is concerned with the degree to which people have control and autonomy over certain areas of their lives. It is also about identifying and assessing how well organizations are doing in upholding their responsibilities as data privacy stewards on behalf of those individuals whose data they collect, store, share, analyze, modify, and otherwise interact with and use.

    The IS Privacy Office focuses on data privacy at CWU - controlling access over one's own information and how individuals’ data is used while carrying out its functions that fulfill essential educational and university strategic goals. Privacy encompasses other areas as well:

    • Bodily Privacy – privacy over one’s physical being, such as healthcare choices, genetic testing, and drug testing
    • Communication Privacy - having control over one’s private messages, such as monitored or recorded)
    • Territorial Privacy – privacy over one’s physical space, such as being surveilled, searched, or being required to show ID
  • How is data privacy different from information security?

    The exponential growth in technology such as mobile phones has brought privacy issues to the forefront. We have more digital data than we ever have, and people produce and use data constantly, for work or though personal devices. Data privacy is its own field of IT, with its own set of laws, standards, and frameworks.

    Data privacy overlaps with information security in that both are concerned about determining risks and securing data. Data security is about the process of protecting digital assets (data) residing within systems from unauthorized access and use. Ensuring data privacy requires strong security. Data privacy is concerned with protecting data from unauthorized disclosure but it’s also about protecting data against authorized processing that wasn't set up with privacy or data protection in mind. Both circumstances may cause individuals significant social, personal, or professional harm should sensitive data be exposed. Release of sensitive personal details may cause serious embarrassment, loss of opportunities, negative reputational impacts, and loss of trust.

    CWU’s Information Services is concerned with upholding both data privacy and security, because personal data isn't just an asset, it's a representation of people, and use of data can have real and lasting impacts on the lives of students, employees, and their families.

  • Who is responsible for upholding data privacy at CWU?

    Every employee at CWU is responsible for protecting personal data if they work with personal data. As information is increasingly recorded, kept, and made available online, it's essential to become educated and stay current on safe and responsible data privacy practices.

    Responsibility for safeguarding personal data is a shared effort between the individual as well institutions like CWU that collect and use personal data. Organizations may be held legally and reputationally accountable if they don't have sufficient protections in place or if their actions don't match what their privacy notices say they do. 

  • What is personally identifiable data (PII) according to the US Department of Education?

    In the Family Educational Rights and Privacy Act (FERPA), the US Department of Education states that personally identifiable information includes but isn’t limited to:

    1. A student’s name
    2. A student’s parent or other family members;
    3. The address of the student or student's family;
    4. A personal identifier, such as the student's social security number, student number, or biometric record;
    5. Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
    6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
    7. Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

    “PII" is students' education record data, past and present, that may be linked to and therefore identify individuals either directly or indirectly.

    FERPA
  • What is student directory information?

    In the federal  Family Educational Rights and Privacy Act (FERPA), the US Department of Education outlines certain pieces of student education record information of enrolled students that wouldn't generally be considered harmful or an invasion of privacy if disclosed without students' consent, that the institution designates as "directory information." (School officials who must have access to student data for official university business and educational purposes may have such access to data, if access is necessary for fulfillment of their job functions.)

    Students (and parents of minor students) may opt out of having their data included in the student directory when they enroll at CWU and at any time thereafter.

    FERPA allows institutions to choose what constitutes their specific student directory information. At CWU, directory information includes:

    • a student’s name
    • university and permanent address
    • telephone number
    • photograph
    • major field of study
    • Terms enrolled
    • Years of attendance (i.e., the period of time during which the student attends or attended the school)
    • participation in officially recognized activities and sports
    • weight and height of members of athletic teams
    • degrees
    • honors, awards, and achievements received, such as honor roll
    • previous schools attended

    Social security Number, Student ID, citizenship, gender, email address, date and place of birth, race, ethnicity, grades, GPA, and class schedules, are NOT part of CWU directory information.

    For more information on FERPA, directory information, and opting out of the student directory at CWU, please check with the Office of the Registrar.

    .

  • What is personal information according to Washington State law?

    In its Notice of Security Breaches RCW 19.255.005, The State of Washington views personal information differently that FERPA does, and the rights regarding personal information extend to individuals whose data is being maintained by a person or a business.

    (2)(a) "Personal information" means:
    (i) An individual's first name or first initial and last name in combination with any one or more of the following data elements:
    (A) Social security number;
    (B) Driver's license number or Washington identification card number;
    (C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account;
    (D) Full date of birth;
    (E) Private key that is unique to an individual and that is used to authenticate or sign an electronic record;
    (F) Student, military, or passport identification number;
    (G) Health insurance policy number or health insurance identification number;
    (H) Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer; or
    (I) Biometric data generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual;
    (ii) User name or email address in combination with a password or security questions and answers that would permit access to an online account; and
    (iii) Any of the data elements or any combination of the data elements described in (a)(i) of this subsection without the consumer's first name or first initial and last name if:
    (A) Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and
    (B) The data element or combination of data elements would enable a person to commit identity theft against a consumer.
    (b) Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

     

    RCW 19.255.005
  • What are the Washington State Agency Privacy Principles?

    The IS Data Privacy Office promotes CWU’s adoption of the Washington State Office of Privacy and Data Protection's Washington State Agency Privacy Principles:

    • Lawful, fair, and responsible use – Data will be collected in a non-discriminatory, non-harmful way and its use will be based on legal authority. Data use will be relevant, reasonably necessary, and for legitimate reasons.
    • Data minimization - The minimum amount of data will be collected, used, and disclosed for its stated purpose
    • Purpose limitation - Use of data will be determined before or at the time it is collected. Use and disclosure of data will be limited to what's reasonably necessary.
    • Transparency & accountability – The university will be clear and open about what data will be collected and what it will be used for. Employees will be responsible for and responsive to privacy inquiries and will be accountable for adhering to privacy laws and regulations
    • Due diligence - Reasonable actions will be taken before sharing data with third-party data partners such as vendors, other educational agencies to ensure safe data privacy practices will be upheld
    • Individual participation - Individuals may exercise control over the collection and use of their personal data, when possible
    • Security - appropriate security controls will be used to protect the confidentiality, integrity, and availability of data
    WA Agency Privacy Principles
  • What privacy framework does the Data Privacy Office subscribe to?

    The Data Privacy Office is in the process of identifying and documenting privacy risks by following the Washington State Agency Privacy Framework, a flexible framework for state agencies to build and grow their privacy programs to appropriately handle personal information, including sensitive and especially sensitive personal information. It was designed by WA State Washington Technology Solution's (Watech) Office of Privacy and Data Protection and is based off of the National Institute of Standards and Technology (NIST) Privacy Framework and other best privacy practices and standards. The framework consists of functions (Identify, Govern, Protect, Communicate, and Respond) which relate to the actions agencies should take in identifying, assessing, mitigating, and communicating about data privacy risk.

    WA State Agency Privacy Framework
  • What is data classification? Why must CWU do it?

    Data classification is a categorization scheme based on data sensitivity levels and a process by which levels are assigned to data and data systems based on the highest sensitivity of data within systems. It is essential for CWU departments to be educated about data classification so they may classify and document data contained in all systems and software applications used. Doing so allows CWU to better manage its privacy risks and respond timely and effectively to privacy threats and incidents.

    Data classification is so important for privacy and security risk management that it is outlined in Washington State technology policy repeatedly as something state agencies and institutes of higher education must do:

    Policy 141.10 (4.1) (Now SEC-08-01-S) Data Classification Standard identifies a 4-tier classification scheme with definitions for each tier. Policy 112.10 (Now MGMT-01-01-S) Technology Portfolio Foundations - Applications includes data classification as part of IT Portfolio management compliance. Throughout the year the IS Data Privacy Office participates in the process of gathering and updating this information from all areas of the university.

    Additionally, Policy 114 Business Application/System Governance lays out expectations that management of technology systems and software applications is a shared responsibility between business and technology stewards.

    The State of Washington’s 4-tier classification scheme:

    • Category 1: Public Information – Information that can be or already has been released to the public. It does not require legal protections from unauthorized disclosure because disclosure is not generally considered harmful or a privacy invasion, but it does need integrity and availability protection controls.
    • Category 2: Sensitive Information – Information that is not specifically legally protected from unauthorized disclosure, but it is for official use only. It is information usually withheld unless specifically requested.
    • Category 3: Confidential Information – Information that is specifically protected from either release or disclosure by law. This includes but is not limited to:
      • Personal information as defined in RCW 42.56.590 and RCW 19.255.010
      • Information about public employees as defined in RCW 42.56.250
      • Lists of individuals for commercial purposes as defined in RCW 42.56.070(8)
      • Information about infrastructure and security of computer and telecommunication networks as defined in RCW 42.56.420
    • Category 4: Confidential Information Requiring Special Handling - Information that is specifically protected from either release or disclosure by law and
      • Especially strict handling requirements are dictated for it such as statutes, regulations, agreements, or other external compliance mandates.
      • Serious consequences could arise from its unauthorized disclosure, such as health and safety threats or legal sanctions.

    The State provides the following information for agencies when categorizing data:

    • Agencies must identify and understand all laws, regulations, policies, and standards that apply to their data and ensure applicable requirements are met.
    • Agencies must take their missions and business objectives into consideration when evaluating their data classifications.
    • Agencies must consider how combining or aggregating data may change the sensitivity of the data.
    • In general, the sensitivity of a given data element is likely to be greater in combination than in isolation (e.g., association of an account number with the identity of an individual and or institution).
    • When data is newly combined or aggregated its classification level should be reviewed.
    • Agency must consider their Data Sharing and Privacy Agreements

    IS is in the process of transitioning from our prior 3-tier classification scheme (see (3)(C) Data Classification) to Washington State’s classification scheme for better alignment with state technology policy.

CWU News

Submit your cost-saving ideas and win up to $10,000

May 22, 2024

by

CWU Board of Trustees announces 2024 Distinguished Faculty

May 22, 2024

by

More News

Contact


Colleen Falconer, CIPP-US

Available via MS Teams and Zoom