MFA Setup

Security Services
Samuelson 255
(509) 963-2001

Data Laws, Regulations, and Standards

Central Washington University falls under different laws, regulations, and standards. Each accordion item below details what CWU does to comply with those different laws, regulations, and standards.

  • Payment Card Industry Data Security Standard (PCI)


    All Central Washington University (University) departments and schools that accept, process, store, and/or transmit payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS) and all relevant University policies and procedures to ensure the security of cardholder data processed by the University.

    The PCI DSS standard apply to all types of payments, including in-person, telephone, and web transactions. The University is committed to maintaining the security of customer information and follows best practices for protecting payment card information.

    For specific information, guidelines and compliance criteria, visit PCI's document library.

    PCI Policies and Procedures

    The current policy and procedure related to PCI DSS are available below.

    PCI Policies and Procedures
    Policy Name Policy Number Version
    Payment Card Policy CWUP 2-70-040 1.0
    Payment Card Procedure CWUP 7-70-050 1.0

    Approved Payment Card Processor List

    The following is a list of approved payment card processor that are authorized to conduct business with the University. If you are establishing yourself as a Merchant and your payment card processor is not on this list, please contact the Accounting office for more information.

  • Health Insurance Portability and Accountability Act (HIPAA)

    Central Washington University is committed to comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Electronic Transaction standards. Central Washington University is implementing policies, processes and procedures designed to ensure compliance with the Privacy standards and monitoring for compliance and effectiveness.

  • Family Education Rights and Privacy Act (FERPA)

    Central Washington University is committed to comply with the Family Education Rights and Privacy Act (FERPA). Central Washington University has implemented policies, processes and procedures designed to ensure compliance with the Privacy standards and monitoring for compliance and effectiveness.

    For more information visit CWU's Office of the Registrar's website.

  • General Data Protection Regulation (GDPR)


    Central Washington University (CWU) is committed to protecting the privacy of personal data. In compliance with the European Union (EU) General Data Protection Regulation (GDPR) effective as of May, 2018, we are issuing this notice to outline how we collect, use and disclose personal and special category data provided by students, faculty, applicants, alumni, donors and any and all other individuals disclosing personal and/or special category data, which is subject to the GDPR.

    This notice addresses how CWU processes your personal data if you are an individual with rights under the General Data Protection Regulation (GDPR).


    The General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and harmonizes data privacy laws across Europe, to protect and empower all EU citizens with data privacy while also reshaping the way organizations across the region approach data privacy. For additional information about the GDPR see the EU Data Protection page.

    “Personal data” is defined as any information relating to a person who can be directly or indirectly identified in particular by reference to specific data collected or provided by you. Examples include name, email address, IP address, and identification number.

    "Special category data" means personal data about a person’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

    "Processing" covers all activities relating to the use of personal data by an organization, from its collection through to its storage and disposal and everything in between.

    Sharing of Personal Data

    Your personal information may be shared with relevant staff as needed. For purposes of enrollment, providing services, or in compliance with legal requirements, your data may be shared with external organizations, including, but not limited to:

    • Agencies of the State of Washington
    • Agencies of the United States Government
    • Non-governmental partners
    • Those funding/lending your monies for enrollment
    • Providers of any external/collaborative learning and training placements or fieldwork opportunities
    • Auditors, examiners, and assessors external to the institution
    • Relevant professional or statutory regulatory bodies
    • University student organizations, clubs, and societies relative to your membership in such organizations
    • Local authorities
    • As needed, police and other law enforcement
    • As needed, entities affiliated with The University (e.g. The CWU Foundation. CWU Alumni)
    • Companies or entities providing services to or on behalf of The University

    Anonymization and Pseudonymization of Data

    Data that has been de-aggregated or de-identified can be shared without any limits being placed on such a disclosure.

    Security Measures

    Appropriate technical and organizational security measures are in place aimed to protect data when transmitted and once stored in systems which we directly control and systems which we control through a third-party vendor.

    Retention and Destruction of Data

    CWU retains your data pursuant to applicable state and federal law, and in adherence to the specific retention periods that apply to such data. If a request is entered for data destruction, it will only be processed if doing so does not contradict state or federal law, including but not limited to, data retention rules. Destruction of data shall be conducted in the manner that best preserves and ensures the confidentiality of the information based on the sensitivity, value and how critical the data is to the University.

    Impact of Retention Periods

    Erasure of data shall be subject to the retention periods of applicable state and federal law. CWU adheres to specific records retention schedules. See the Information on Records Retention Schedules page for additional information.

    Rights Available Under GDPR

    For generally information on rights provided by the GDPR, please see the Information Commissioner's website.

This page contains links to websites outside of The views and opinions expressed on unofficial pages of Central Washington University faculty, staff or students are strictly those of the page authors. The content of such pages has not been reviewed or approved by Central Washington University.