This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It establishes a university-wide privacy program that respects and protects the privacy of students, alumni, faculty, staff and guests, and safeguards information resources from loss, misuse, and unauthorized access or modification. Data must be safeguarded to maintain privacy levels based on Data Classification.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the Request for Exception to IT Security Policy.
Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Information Security Incident - a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Full IT Glossary
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for managing privacy risk through enterprise risk management. The Privacy Framework Core uses functions, activities, and desired outcomes to align university policy to privacy risk management. The Privacy Framework leverages industry standards, guidelines, and practices to establish baseline expectations for privacy for all university units.
Consolidated University Units (CUUs) are responsible for using this framework and related controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
Consolidated University Unit (CUU) Privacy Coordinator
The liaison designated by the CUU Dean, Director or Department Head (DDDH) responsible for coordinating the CUU’s privacy program. The CUU Privacy Coordinator is the central point of contact between the University Units and ISPO for privacy issues.
Responsibilities related to this Standard include, but are not limited to:
- Maintain the CUU’s information privacy program according to IT Security and Privacy Policies, Standards, Procedures and Guidelines.
- Work with the CUU and University Unit ISMs and Data Custodians to coordinate the implementation of electronic and physical controls for information classified as High Risk or Moderate Risk to ensure they meet legislated or contracted privacy requirements.
- Ensure information identification, classification, and documentation of all CUU data as defined by the Data Security Standard.
- Ensure CUU staff are trained on FSU Security policies, standards, and guidelines, and specific legislated or contracted privacy requirements including special requirements related to FERPA, HIPAA, PCI DSS, etc. as defined by the IT Security and Privacy Training Standard.
- Facilitate and ensure compliance with the IT Third-Party Management Standard for any CUU third-party agreements.
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on the Data Security Standard.
All users are accountable for all activities performed by their account:
- safeguarding FSU IT resources.
- understanding the Data Classification of information being stored, transmitted, processed, or otherwise handled to ensure that appropriate action is taken to protect the information in accordance with FSU Security and Privacy Policies and Standards.
- complying with all applicable federal, state and local laws; and all contractual obligations.
- signing and complying with requirements of the Florida State Employee Memorandum of Understanding addressing access to High Risk or Moderate Risk information (employees).
For more information, see IT Roles and Responsibilities.
Data Custodians, in conjunction with their CUU and University Unit Privacy Coordinators, must ensure that privacy is properly safeguarded to maintain privacy levels according to the requirements for each data risk classification as defined by the Data Security Standard. All information must be inventoried, classified, and managed as required by FSU Policies and Standards, based on these risk classification levels.
The following Privacy Principles apply:
- Apply appropriate Security and Privacy Controls based on the Risk Classification level of the data: High Risk and Moderate Risk information must be safeguarded. Additional legislative or contractual terms may also apply.
- Attach the University’s Third Party Information Sharing Agreements – Terms and Conditions to outsourcing agreements when outsourcing the processing of High Risk and Moderate Risk information to third-party entities. See IT Third-Party Management Standard.
- Collect only the information required for a specific purpose: Collect High Risk and Moderate Risk information only when required to support critical university business processes.
- Store information no longer than required: Keep High Risk and Moderate Risk data only as long as required by law or a business need.
Access To High Risk and Moderate Risk Information
Authorization for Users of High Risk and Moderate Risk Information
Access to FSU information classified as High Risk or Moderate Risk requires appropriate authorization as defined by the IT Access, Authorization and Authentication Standard.
The CISO has the authority to support public health and safety, and consistent with applicable privacy laws and policies, FSU may perform monitoring, including but not limited to, location data, wireless connections, and FSU card utilization. Use of FSU information technology resources constitutes consent to monitoring activities. Use of FSU information technology resources constitutes consent to monitoring activities.
Third-party Access to High Risk and Moderate Risk Information for Contracted Services or Technical Support
FSU may choose to contract with a third-party vendor for the collection, storage, or processing of information, including High Risk or Moderate Risk information. The third-party vendor may offer services in the form of hosting, outsourcing, or private/public cloud computing services.
Third-party access to High Risk or Moderate Risk information must be regulated in a written agreement, in which the rights and duties of FSU and the third-party vendor in addition to any subcontractors engaged by the primary third-party vendor are specified, as defined by the IT Third-Party Management Standard.
Use of High Risk and Moderate Risk Information
Clear Desk and Clear Screen Procedures
- Offices and storage facilities that maintain High Risk or Moderate Risk information locally must:
- Ensure that all High Risk or Moderate Risk information in hardcopy or electronic form is secure in the work area at the end of the day and when staff are away from their work area.
- Secure computer workstations that process, transmit, or store High Risk or Moderate Risk information when the workspace is unoccupied.
- Secure High Risk or Moderate Risk information when the work area is unoccupied, and the room cannot be secured.
- Secure file cabinets containing High Risk or Moderate Risk information when not in use or when not attended.
- Secure keys used to access resources containing High Risk or Moderate Risk information.
- Secure passwords.
- Set printers to perform Secure Printing (pin code required) or immediately remove printouts containing High Risk or Moderate Risk information from printers in unsecured areas.
- Upon disposal, shred documents containing High Risk or Moderate Risk information or place them in locked confidential disposal bins. Disposal of electronic media containing High Risk or Moderate Risk information must comply with the requirements of the Data Disposal and Media Sanitization Standard. For more information, see National Institute of Standards and Technology-Special Publication 800-88 Revision 1 - Guidelines for Media Sanitization.
- Ensure whiteboards containing High Risk or Moderate Risk information are not visible for unauthorized viewing.
- Secure portable computing devices containing High Risk or Moderate Risk information such as laptops, phones, tablets, CDROMs, DVDs, USB flash drives.
Additional physical privacy controls may also be required by law or contractual obligation for specific information items. See IT Physical Security Standard.
High Risk or Moderate Risk Information Use in Social Media
The same laws, policies, rules of conduct and etiquette that apply to all other activities at or concerning FSU govern the use of social media. Because of the powerful ability of social media to broadcast information worldwide, faculty and staff must safeguard all High Risk or Moderate Risk information by posting only university information that is authorized explicitly by law or FSU Policy.
Professors, Instructors, Adjuncts, and Teaching Assistants who use social media in courses must consider student privacy carefully, including compliance with the Family Educational Rights and Privacy Act (FERPA). Most information that identifies a student and is maintained by FSU, or by an FSU educator or agent of FSU, is protected under FERPA. This protection extends to postings of any information item considered to be part of a student’s education record on social media course accounts. A signed FERPA release for a specific activity must be retained by the campus entity to publicly post information considered a protected education record.
High Risk or Moderate Risk Information Use in Photography and Videography
Certain photos and videos of students are considered educational records under FERPA and cannot be shared publicly without the written consent of the student. Consent is particularly important where:
- Photos or videos prominently show one or a few students.
- Photos or video images are part of FSU’s official functions and/or depict students in their educational or academic environment.
Class recordings may raise privacy concerns due to FERPA regulations. In cases where class-recording videos are made accessible only to the students and instructors in the class and academic administrators, students must be informed of the video recording in advance. Within a class or even outside of the classroom, if a student or students are identifiable in a photograph or video, FERPA may apply and requires express consent be obtained before photos or videos are shared publicly. Allowable student recording in the classroom and use of such recordings is also defined and restricted by s. 1004.097, F.S.
Facial recognition technology (FRT) allows for the identification and the verification of a person’s identity. It combines biometric systems properties using video or photography with a computer application to associate identity to individually distinctive features of the body. Use of FRT by CUUs must be reviewed and approved by the CISO.
Any information obtained through the use of automated photo license plate reading devices shall not be used for any purpose other than to identify a license plate number, to verify campus parking eligibility of the vehicle, and to facilitate the serving of notices of parking violations and notices of delinquent parking citations. This information will not be retained beyond its useful need with exceptions specified by legal requirements including retention schedules for license plate information collected and maintained by the Florida State University Police Department.
Student use of electronic devices, including wearable computing devices, capable of photography, audio, or video recording of events are prohibited during certain classroom functions, research activities, or supporting business processes involving information classified as High Risk or Moderate Risk. Examples of prohibited uses include academic functions such as examinations, unapproved use in healthcare functions covered by HIPAA, and research functions where contractual or legal rules restrict information sharing.
Use of Biometric Technologies
University units implementing biometric technologies must ensure they meet any relevant privacy and biometric laws and regulations as they may relate to the acquisition and retention of biometric information. In addition, the CUU must ensure that its use meets a defined business need with auditable procedures to secure the biometric information and privacy of the enrollees.
Online Collection of High Risk or Moderate Risk Information (Outside of the European Union)
CUUs that collect High Risk or Moderate Risk information on their public or Intranet web pages must ensure technical controls provide encryption of protected information communicated between a user's browser and a web-based application through the use of secure protocols (e.g., HTTPS, TLS/SSL, etc.). See IT Application Secure Coding Standard. In addition, any storage of High Risk or Moderate Risk data on publicly accessible webservers must be encrypted as defined by the Encryption Standard. University websites collecting High Risk or Moderate Risk information requires a link to this Standard.
Prospective students, current students, faculty, staff, and interested parties residing outside of the United States and providing High Risk or Moderate Risk information electronically to FSU acknowledge that this information will be transferred to the U.S. where it will be processed and stored under U.S. privacy standards or by applicable framework agreements. Individuals providing information to the university within the European Union are covered under the General Data Protection Regulation section of this policy.
European Union’s General Data Protection Regulation (GDPR)
Lawful Basis for Collecting or Processing Data
Personal data means any information relating to an identified or identifiable natural person. FSU is the acknowledged Data Controller under the regulation and is responsible for the collection and processing of Personal Information and Sensitive Personal Information from individuals who interact with the university only as necessary in the exercise of the University’s legitimate interests, functions, and responsibilities as a public research higher education institution. Processing means any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Personal Information is collected from students and shared with internal and external parties to register or enroll persons in FSU, provide and administer housing to students, manage a student account, provide academic advising, develop, and deliver education programs, track academic progress, analyze, and improve education programs, recruitment, regulatory reporting, auditing, maintenance of accreditation, and other related University processes and functions.
FSU collects information on customers of the university for athletic and cultural events to assign seats, event notifications, subscriptions, memberships, and fundraising activities. The university may collect certain information about individuals which may include their name, gender, credit card number, email address, physical address, and telephone number. Marketing and communications activities (where separate consent is provided) include:
- Sending information about promotions and offers
- Sending newsletters
- Sending information about merchandise offers or fundraising activities
FSU also collects and processes Personal Information and Sensitive Personal Information from individuals who are research subjects in the exercise of scientific, historical research, or statistical purposes. Research subject information is controlled by the university’s Institutional Review Board ("IRB"), also known as the Human Subjects Committee ("HSC") who has the authority to oversee research involving human subjects.
Faculty and Staff
FSU collects and processes Personal Information from individuals who are applicants for faculty and staff positions in order to enter into or administer a contract for employment with the University.
FSU also uses Personal Information and Sensitive Personal Information to conduct general demographic and statistical research to improve University programs. Sensitive Personal Information is collected, processed, and shared internally and externally, as necessary, applicable, and appropriate, to identify appropriate support services or activities, provide reasonable accommodations, enforce University policies or comply with applicable laws. Finally, Personal Information and Sensitive Personal Information may be shared by FSU with third parties (Data Processors for FSU) who have entered into contracts with the University to perform functions on behalf of the University, subject to the obligation of confidentiality and safeguarding from unauthorized disclosure.
Third-Party Use of Sensitive Information
We may disclose individuals’ Sensitive Personal Information and other Personal Information as follows:
- Consent: if we have consent to do so.
- Emergency Circumstances: when necessary to protect their interests and when they are physically or legally incapable of providing consent.
- Employment Necessity: when necessary for administering employment or social security benefits in accordance with applicable law or any applicable collective bargaining agreement, subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- Charitable Organizations: with the FSU Foundation and other not-for-profit organizations in connection with charitable giving subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- Public Information: if it has been manifestly made public.
- Archiving: for archiving purposes in the public interest, and for historical research, and statistical purposes.
- Performance of a Contract: when necessary to administer a contract between the individual and the University.
- Legal Obligation: when the disclosure is required or permitted by international, federal, and state laws and regulations.
- Service Providers: with third-party vendors with whom we have entered into a contract to support the administration of university operations and policies. In such cases, we share Personal Information with such third parties subject to the imposition of appropriate safeguards to prevent further unauthorized disclosure.
- University Affiliated Programs: with parties that are affiliated with the University for the purpose of contacting individuals about goods, services, charitable giving, or experiences that may be of interest.
- De-Identified and Aggregate Information: in de-identified or aggregate form without limitation.
Cookies are files that FSU websites transfer to users’ web browsers to enable the site to deliver personalized services or to provide persistent authentication. The information contained in a cookie typically includes information collected automatically by the web server and/or information provided voluntarily by the user. FSU websites may use persistent cookies in conjunction with a third-party technology partner to analyze search engine usage and web traffic patterns. This information is used in the aggregate to monitor and enhance our web pages. It is not used to track the usage patterns of individual users.
Security of Personal Data
All personal data and Sensitive Personal data collected or processed by any FSU CUUs under the scope of this standard must comply with the security controls and requirements set forth in FSU policies and related Standards. Data protection is given due consideration in all stages of system development, in routine and in daily use. Information technology personnel must ensure data, devices, networks, and processes comply with all requirements for High and Moderate Risk data.
Retention and Destruction of Information
Information will be retained by FSU in accordance with applicable state and federal laws. Information will be destroyed upon request unless applicable law requires destruction after the expiration of an applicable retention period. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of information given the level of sensitivity, value, and criticality to the University.
Exercise of Rights
Individuals have the right to request access to, a copy of, rectification, restriction in the use of, or erasure of information in accordance with all applicable laws. Upon verification and confirmation, Individuals will be provided a copy of information requested free of charge. A reasonable administrative fee will apply for any excessive or repetitive request. The erasure of information shall be subject to the retention periods and in accordance with applicable state and federal laws. If an individual has provided consent to the use of their information, they have the right to withdraw consent without affecting the lawfulness of the University’s use of the information prior to receipt of the request. Any individual wishing to exercise their rights under this policy should contact the university at email@example.com.
Specific Information Types
FSU faculty, staff, and contracted business partners must ensure the safekeeping of public records. The FSU 4-OP-F-03 Records Management Policy contains specific responsibilities for the retention, storage, disposal, and archival of FSU records. Archived information classified as High Risk or Moderate Risk information must be maintained with the same safeguarding controls, such as encryption, that are legislated or contracted for production systems. It is also the responsibility of each person processing a public records request to ensure exempt or confidential information under Chapter 119, Florida Statutes, is redacted prior to public release unless publication is approved by the President, Provost, or designated senior administrative staff. Any questions related to public records request should be directed to the Office of General Counsel.
Student Education Records
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. Florida Statute 1002.22 requires FSU to protect student education records in accordance with FERPA.
- The disclosure of education records maintained by an educational institution.
- Access to these records.
FSU has defined certain components of a student’s education record as “Directory Information.” “Directory Information” means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. These items are classified as Public information unless a student has filed a "Request to Prevent Release or Publication of Directory Information" form, which places a privacy hold on the student's account including “Directory Information”. (For more information, see Undergraduate Bulletin). The Office of the Registrar maintains the current listing of items classified as “Directory” information at FSU.
Social Security Numbers
FSU collects and stores Social Security Numbers (SSNs), classified as High-Risk information by the university, as permitted by law. University units and their employees are only permitted to collect or store SSNs when necessary to meet a state or federal requirement or the unit has obtained written approval from the President, Provost, Vice President, General Counsel, Director of Information Security and Privacy, or designated approver to meet an official business process.
FSU requires all entities maintain privacy controls over SSNs to meet legal, contractual, or good privacy practice requirements including:
- FSU EMPLID’s are to be used instead of SSNs for routine university business.
- Collection, storage, or processing of SSNs is restricted to FSU automated systems that serve the Enterprise Resource Planning (ERP) student, financial, and human resource systems.
- SSNs must not be stored on FSU-owned, personal computing devices, or transferred to vendor storage services including cloud computing resources, unless appropriate management approval and execution of an information sharing agreement is granted for mission-critical FSU business activities.
- Any approved storage of SSNs on FSU-owned portable storage devices or mobile computing devices must be encrypted to maintain the privacy of the information, as defined by the Encryption Standard. The encryption solution must meet Federal Information Processing Standard (FIPS) 140-2 standards.
- SSNs or partial SSNs should never be displayed in areas such as public locations where it is not possible to restrict access to only those authorized to view SSNs.
- Any approved business process requiring the transfer of electronic documents containing SSNs over internal FSU network, Internet, or a wireless carrier’s network requires the encryption of the transferred documents between the users’ computing device and FSU information processing equipment.
- Any required mailing of paper documents containing SSNs must be done in a manner that reduces the risk of displaying SSNs before the document is opened.
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Privacy Rule provides protections for individually identifiable health information held by Covered Entities and their business associates and gives patients an array of rights with respect to that information. For more information on HIPAA requirements and FSU Covered Components, see this Standard.
Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA)
FSU generates, receives and stores many financial documents and records classified as High Risk or Moderate Risk. This includes, but is not limited to, information about the awarding and issuance of loans to students, and the collection of payments from students, parents, patients and customers via check, money order, wire transfer, Automated Clearing House (ACH) and credit/debit card. GLBA (Public Law 106-102) applies to any record handled by, maintained by, or on behalf of FSU or its affiliates that contains protected financial information about a student or other third-party who has a relationship with FSU.
GLBA safeguarding provisions pertain to any record containing protected financial information whether in paper, electronic or other form, which is handled or maintained by or on behalf of the FSU or its affiliates. For these purposes, the term protected financial information shall mean any information (i) a student or other third-party providers in order to obtain a financial service from FSU, (ii) about a student or other third-party resulting from any transaction with FSU involving a financial service, or (iii) otherwise obtained about a student or other third-party in connection with providing a financial service to that person. In particular, FSU policies and safeguarding provisions of this Standard (i) ensure the security and confidentiality of covered records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
All FSU contracts with providers who are responsible for processing, transferring, or storing GLBA-protected FSU information will be required, under the terms of the contract, to stipulate implemented safeguards that adhere to, and are in compliance with, the provisions of the Gramm-Leach-Bliley Act.
Branded Credit/Debit Card Transactions
FSU will collect and use information obtained from branded credit/debit card transactions (VISA, MasterCard, American Express, and Discover) only for business purposes upon approval by the FSU Controller’s Office. The credit card information will be safeguarded in a confidential manner as defined by 4-OP-D-2-G Payment Cards Policy and as specified in the merchant agreements as contractual obligations. Such obligations include compliance with the Payment Card Industry – Data Security Standard (PCI DSS).
Artificial intelligence (AI) is the concept used to describe computer systems that are able to learn from their own experiences and solve complex problems in different situations. The requirement for privacy controls extends to any protected or private information used in a university or vendor supported artificial intelligence development as well as any output of the AI process when the inclusion of personal data classified by the university as private or protected is used in the output of the AI process. Automated decisions that involve special categories of personal data (Sensitive Personal data classified as protected by the university) are permitted only if the data subject has consented, or if they are legally warranted.
CUUs conducting research must be aware of appropriate privacy restrictions for information transmitted, stored, or processed as part of research projects. Research projects are also a required component of a CUUs yearly data classification, risk assessment, and risk mitigation planning.
Legal privacy restrictions include, but are not limited to, the Health Insurance Portability and Accountability Act (HIPAA), International Traffic in Arms Regulations (ITAR), The Belmont Report (1979) and 2.1 Code of Federal Regulations Title 45 Part 46: The Common Rule concerning the protection of human subjects, and other federal or state legal requirements, and contractual research information privacy restrictions. In addition, CUUs must protect the privacy of protected or private research information with appropriate information privacy and security controls such as those published by the National Institute of Standards and Technology (NIST), ISO, Federal Information Security Management Act (FISMA), or Defense Federal Acquisition Regulation Supplement (DFAR 252.204-7012) and Federal Acquisition Regulation (FAR 52.204-21) contract clauses. Required information privacy and security controls extend to any device used to transmit, store or process protected or private research information.
Confidentiality and privacy cannot be guaranteed through electronic communications because of the nature of the medium and the FSU's accountability as a public institution. FSU supports a climate of trust and respect and does not ordinarily read, monitor, or screen instant messaging, voice mail, or electronic mail services provided by FSU.
The President, Provost, or their designee may authorize access to faculty, staff, or student instant messaging archives, voice mail, or email in a number of circumstances including, but not limited to:
- Situations involving the health or safety of people or property.
- Possible violations of FSU codes of conduct, regulations, or policies.
- Possible violations of state or federal laws; subpoenas and court orders.
- Other legal responsibilities or obligations of FSU.
- The need to locate information required for FSU business purposes.
Emails containing information classified as High Risk or Moderate Risk must use encryption or password protect the document as an attachment.
Faxing of information classified as High Risk or Moderate Risk must be safeguarded. For more information, see Protected Fax.pdf (fsu.edu).
Personal Employee Information
IT professionals provide support for computing devices, systems and application administration for computing devices under their management. IT professionals may have administrative access to the operating system, files, emails, databases, or applications being supported as part of their job responsibilities.
IT professionals may only access employee personal information or communications within their specific job responsibilities with the approval of the Data Custodian. This access may only be used in support of university business and consistent with the roles and responsibilities of the staff member as prescribed by university management.
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at firstname.lastname@example.org. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the IT Incident Response Standard for more information.