ICSUAM 8025 | Privacy of Personal Information
CSUSM complies with the ICSUAM poilcy regarding privacy of personal information:
Effective Date: 4/19/2010 | Revised Date: 4/19/2010
The CSU Information Security policy provides direction and support for protecting the privacy of personal information managed by the C SU and guidance for collecting and accessing personal information.
100 Privacy of Personal Information
All users of campus information systems or network resources are advised to consider the open nature of information disseminated electronically and must not assume any degree of privacy or restricted access to information they create or store on campus systems. The CSU is a public university and information stored on campus information systems may be subject to disclosure under state law. No campus information system or network resource can absolutely ensure that unauthorized persons will not gain access to information or activities. However, the CSU acknowledges its obligation to respect and protect private information about individuals stored on campus information systems and network resources.
200 Collection of Personal Information
To comply with state and federal laws and regulations, campuses may not collect personally identifiable information unless the need for it has been clearly established.
Where such information is collected:
- The campus will use reasonable efforts to ensure that personally identifiable information is adequately protected from unauthorized dis closure.
- The campus shall store personally identifiable information only when it is appropriate and relevant to the purpose for which it has been collected.
300 Access to Personal Information
Except as noted elsewhere in CSU policy, information about individuals stored on campus information systems may only be accessed by:
- The individual to whom the stored information applies or his/her designated representative(s).
- Authorized CSU employees with a valid CSU-related business need to access, modify, or disclose that information.
- Appropriate legal authorities.
When appropriate, authorized CSU personnel following established campus procedures may ac cess, modify, and/or disclose information about individuals stored on campus information systems or a user’s activities on campus information systems or network resources without consent from the individual. For example, CSU may take such actions for any of the following reasons:
- To comply with applicable laws or regulations.
- To comply with or enforce applicable CSU policy.
- To ensure the confidentiality, integrity or availability of campus information.
- To respond to valid legal requests or demands for access to campus information.
If CSU personnel accesses, modifies, and/or discloses information about an individual and/or his/her activities on campus information systems or network resources, staff will make every reasonable effort to respect information and communications that are privileged or otherwise protected from disclosure by CSU policy or applicable laws .
Campuses are advised to consult the CSU Records Access Manual to determine which records must be made available for public inspection under the California Public Records Act.
400 Access to Electronic Data Containing Personal Information
Individuals who access or store protected data must use due diligence to prevent unauthorized access and disclosure of such assets.
Browsing, altering, or accessing electronic messages or stored files in another user’s account, computer, or storage device is prohibited, even when such accounts or files are not password protected, unless specifically authorized by the user for CSU business reasons. This prohibition does not affect:
- Authorized access to shared files and/or resources based on assigned roles and responsibilities.
- Authorized access by a network administrator, computer support technician, or departmental manager where such access is within the scope of that individual’s job duties.
- Access to implicitly publicly accessible resources such as University websites.
- Campus response to subpoenas or other court orders.
- Campus response to a request pursuant to public record disclosure laws.