Privacy & Compliance

Overview

All Central Washington University (University) departments and schools that accept, process, store, and/or transmit payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS) and all relevant University policies and procedures to ensure the security of cardholder data processed by the University.

The PCI DSS standard apply to all types of payments, including in-person, telephone, and web transactions. The University is committed to maintaining the security of customer information and follows best practices for protecting payment card information.

For specific information, guidelines and compliance criteria, visit PCI's document library.

PCI Policies and Procedures

The current policy and procedure related to PCI DSS are available below.

Approved Payment Card Processor List

The following is a list of approved payment card processor that are authorized to conduct business with the University. If you are establishing yourself as a Merchant and your payment card processor is not on this list, please contact the Accounting office for more information.

• Blackbaud
• CampusCE
• CyberSource
• EAB/Royall
• Elavon
• Freedompay
• Frontstream
• Nayax
• OnplanU
• Ratex/Nebraska Book Company
• Shift4
• TouchNet
• Vendini
• Virtual Education Software Inc
• Authorized.Net

Central Washington University is committed to comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Electronic Transaction standards. Central Washington University is implementing policies, processes and procedures designed to ensure compliance with the Privacy standards and monitoring for compliance and effectiveness.

Central Washington University is committed to comply with the Family Education Rights and Privacy Act (FERPA). Central Washington University has implemented policies, processes and procedures designed to ensure compliance with the Privacy standards and monitoring for compliance and effectiveness.

For more information visit CWU's Office of the Registrar's website.

Overview

Central Washington University (CWU) is committed to protecting the privacy of personal data. In compliance with the European Union (EU) General Data Protection Regulation (GDPR) effective as of May, 2018, we are issuing this notice to outline how we collect, use and disclose personal and special category data provided by students, faculty, applicants, alumni, donors and any and all other individuals disclosing personal and/or special category data, which is subject to the GDPR.

This notice addresses how CWU processes your personal data if you are an individual with rights under the General Data Protection Regulation (GDPR).

Definitions

The General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and harmonizes data privacy laws across Europe, to protect and empower all EU citizens with data privacy while also reshaping the way organizations across the region approach data privacy. For additional information about the GDPR see the EU Data Protection page.

“Personal data” is defined as any information relating to a person who can be directly or indirectly identified in particular by reference to specific data collected or provided by you. Examples include name, email address, IP address, and identification number.

"Special category data" means personal data about a person’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

"Processing" covers all activities relating to the use of personal data by an organization, from its collection through to its storage and disposal and everything in between.

Sharing of Personal Data

Your personal information may be shared with relevant staff as needed. For purposes of enrollment, providing services, or in compliance with legal requirements, your data may be shared with external organizations, including, but not limited to:

• Agencies of the State of Washington
• Agencies of the United States Government
• Non-governmental partners
• Those funding/lending your monies for enrollment
• Providers of any external/collaborative learning and training placements or fieldwork opportunities
• Auditors, examiners, and assessors external to the institution
• Relevant professional or statutory regulatory bodies
• University student organizations, clubs, and societies relative to your membership in such organizations
• Local authorities
• As needed, police and other law enforcement
• As needed, entities affiliated with The University (e.g. The CWU Foundation. CWU Alumni)
• Companies or entities providing services to or on behalf of The University

Anonymization and Pseudonymization of Data

Data that has been de-aggregated or de-identified can be shared without any limits being placed on such a disclosure.

Security Measures

Appropriate technical and organizational security measures are in place aimed to protect data when transmitted and once stored in systems which we directly control and systems which we control through a third-party vendor.

Retention and Destruction of Data

CWU retains your data pursuant to applicable state and federal law, and in adherence to the specific retention periods that apply to such data. If a request is entered for data destruction, it will only be processed if doing so does not contradict state or federal law, including but not limited to, data retention rules. Destruction of data shall be conducted in the manner that best preserves and ensures the confidentiality of the information based on the sensitivity, value and how critical the data is to the University.

Impact of Retention Periods

Erasure of data shall be subject to the retention periods of applicable state and federal law. CWU adheres to specific records retention schedules. See the Information on Records Retention Schedules page for additional information.

Rights Available Under GDPR

For generally information on rights provided by the GDPR, please see the Information Commissioner's website.