Compliance

Privacy can mean different things to different people. Our perception of it underlies how we define it, which adds a level of complexity. Regardless of how you define it, people have rights as to how their data is collected, handled, and used. Privacy laws define what is protected in the regulation, storage, and use of personally identifiable information. The relevant international regulations, federal and state laws, and industry standards for the various data types in higher education are summarized below.

Questions regarding the interpretation or application of laws and regulations should be directed to the Office of General Counsel.

State Laws & Regulations

Colorado Public (Open) Records Act

The State of Colorado requires that all public records be open for inspection by any person at reasonable times, except as otherwise provided by law. Under the Colorado Public (Open) Records Act (Colorado Revised Statutes §24-72-101, et seq.), all records made or maintained by a state institution such as Mines are “public,” regardless of the format or medium of such records. Certain personal information may be protected by state and federal law. However, all information becomes a public record once it is provided and may be subject to public inspection and copying, if not protected by federal or state law. 

Colorado Revised Statutes State Electronic Mail Monitoring (C.R.S. 24-72-204.5)

Requires a written policy on any monitoring of electronic mail communications and the circumstances under which it will be conducted.  

Colorado Revised Statutes Security Breaches and Personal Information (C.R.S. §24-73-101 through 103)

https://leg.colorado.gov/bills/hb18-1128 

(LexisNexis website http://www.lexisnexis.com/hottopics/michie/ > Colorado > Title 24, > Governmental Access to News Information > Security Breaches and personal information (Article 73)) 

Became effective September 1, 2018. Governmental entities are required to: 

  • Have a written policy for the disposal of paper and electronic documents containing PII – Coming Soon!  
  • Maintain reasonable security procedures and practices to protect personally identifiable information (PII); and 
  • Provide notice of data breaches to consumers and the Attorney General within specified timelines. 

Colorado Revised Statutes State Library Protections (C.R.S. 24-90-119)

https://www.cde.state.co.us/cdelib/librarylaw/part1#24-90-119 

The State of Colorado privacy regulations restrict the disclosure of any library record or identifiable information of a person who has requested or obtained specific materials or services from the library.

Federal Laws & Regulations

Federal Information Security Management Act

https://www.dhs.gov/fisma 

The Federal Information Security Management Act requires federal agencies to protect federal information systems by meeting mandated information security requirements. The Act also covers the University as a federal contractor where it holds federal data pursuant to federally funded research. The Act requires that the University: 1) implement security programs and policies; 2) assess risk; and 3) periodically test controls.

FERPA (Family Educational Rights and Privacy Act)

https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html 

“The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives students who attend a post-secondary institution the right to inspect and review their own education records, and it generally prohibits the release of education records, other than public directory information, without the student’s express permission. Please see Mines’ FERPA Policy for more information regarding your rights under FERPA.” The Mines policy can be found here.

GLBA (Gramm-Leach-Bliley Act)

https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act 

Governs the collection, disclosure, and protection of consumers’ personal information and personally identifiable information. It applies to how higher education institutions collect, store, and use student financial records (e.g., records regarding tuition payments and/or financial aid) containing PII. Colleges and universities are deemed to be in compliance with the GLBA Privacy Rule if they are in compliance with FERPA. The Safeguards Rule is subject to the Federal Student Aid single audit process to ensure compliance.

Requires institutions that offer consumers financial products or services like loans, financial or investment advice, or insurance to explain their information-sharing practices to their customers and to safeguard sensitive data. 

HIPAA Privacy Rule (45 CFR Part 160, and Subparts A and E of Part 164)

https://www.hhs.gov/hipaa/for-professionals/privacy/index.html 

Establishes national standards to protect individuals’ medical records and other personal health information, and applies to health plans and those health care providers that conduct certain health care transactions electronically. Requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. Gives patients the right to examine and obtain a copy of their health records, and to request corrections.

Red Flags Rule

https://www.ftc.gov/tips-advice/business-center/privacy-and-security/red-flags-rule 

The Red Flags Rule (published at 16 CFR 681.1 and issued under sections 114 and 315 of the Fair and Accurate Credit Transactions Act) requires financial institutions and creditors that hold covered accounts to develop policies and procedures to identify and respond to attempted identity theft. The Rule requires a written Identity Theft Prevention Program designed to detect the warning signs, or red flags, of identity theft in day-to-day operations. The Red Flags Rule may apply to an institution of higher education depending on the types of transactions and activities the institution engages in.

International Privacy Standards

GDPR

The General Data Protection Regulation (GDPR) protects the rights of data subjects with respect to the processing and free movement of their personal data. The regulation became effective May 25, 2018.

Key aspects of the regulation include:

  • Transparency 
  • Right to rectification 
  • Right to be forgotten 
  • Right of access 
  • Right to restriction of processing 
  • Right to data portability 
  • Right to object (for public interest purposes, for legitimate interests pursued by Mines, and direct marketing purposes) 

Industry Regulations

PCI (Payment Card Industry) Standards

https://www.pcisecuritystandards.org/ 

Robust and comprehensive standards to enhance payment card data security.