Privacy of Personal Information

General

This section implements Integrated CSU Administrative Manual (ICSUAM) Policy 8025.0.

Collection of Personal Information

The Information Security Officer or designee, in consultation with the University’s Institutional Review Board and other appropriate administrative units, will establish procedures governing collection of personal information.  Such procedures must prescribe appropriate business needs for the collection of personal information, adequate protections against unauthorized use or disclosure of the personal information collected, and appropriate methods of storage and destruction.

Access to Personal Information

The Information Security Officer or designee, in consultation with other appropriate administrative units, will create procedures to ensure that access to collected personal information is limited to those who have a legitimate business or academic need for the access.

Each person who accesses or stores protected data must use due diligence to prevent unauthorized access and disclosure of such information. T&I will integrate best practices for handling sensitive data into initial and recurrent information security awareness training.