Office of Data Privacy

Privacy is power.  Those who have control over their data have informational self-determination because they decide who can access their data and how it is used. 

Privacy is compromised when personal data are collected unnecessarily, used or shared for vague or undisclosed purposes, or when individuals are not properly notified or given the opportunity to review and correct inaccurate information. The loss of privacy carries risks. Depending on the circumstances, individuals may face emotional, physical, or financial harm.

After decisions are made about how data is to be protected, according to personal preference or the law, the CSCU Information Security Office applies appropriate security controls to protect the confidentiality, integrity and access to that data. To learn more about data security at CSCU, visit the Information Security Program Office

The CSCU Data Privacy Office enables the safe use of data to support CSCU’s vision to continually increase the number of students completing personally and professionally rewarding academic programs.

• Individual privacy is respected at all stages of the data lifecycle by upholding the Fair Information Privacy Practices (FIPPs)[2].
• CSCU is fully transparent about the use of individual data while enabling autonomy, protecting privacy and abiding by regulatory requirements.
• Data are categorized so that security controls can be applied, and risks of data usage are understood and managed.
• Goals and boundaries are in alignment with the National Institute of Standards and Technology (NIST) Data Privacy Framework.
   

[2] Federal Privacy Council. “Fair Information Practice Principles (FIPPs).” FPC.gov. Accessed August 27, 2025. https://www.fpc.gov/resources/fipps/ 

The CSCU DPO follows Fair Information Privacy Principles (FIPPs) which originated in the US Privacy Act of 1974 and are a component of major privacy initiatives across the globe.

Access and Amendment. Agencies should provide individuals with appropriate access to PII and appropriate opportunity to correct or amend PII.

Accountability. Agencies should be accountable for complying with these principles and applicable privacy requirements, and should appropriately monitor, audit, and document compliance. Agencies should also clearly define the roles and responsibilities with respect to PII for all employees and contractors, and should provide appropriate training to all employees and contractors who have access to PII.

Authority. Agencies should only create, collect, use, process, store, maintain, disseminate, or disclose PII if they have authority to do so, and should identify this authority in the appropriate notice.

Minimization. Agencies should only create, collect, use, process, store, maintain, disseminate, or disclose PII that is directly relevant and necessary to accomplish a legally authorized purpose, and should only maintain PII for as long as is necessary to accomplish the purpose.

Quality and Integrity. Agencies should create, collect, use, process, store, maintain, disseminate, or disclose PII with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual.

Individual Participation.Agencies should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the creation, collection, use, processing, storage, maintenance, dissemination, or disclosure of PII. Agencies should also establish procedures to receive and address individuals’ privacy-related complaints and inquiries.

Purpose Specification and Use Limitation. Agencies should provide notice of the specific purpose for which PII is collected and should only use, process, store, maintain, disseminate, or disclose PII for a purpose that is explained in the notice and is compatible with the purpose for which the PII was collected, or that is otherwise legally authorized.

Security. Agencies should establish administrative, technical, and physical safeguards to protect PII commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss, destruction, dissemination, or disclosure.

Transparency. Agencies should be transparent about information policies and practices with respect to PII, and should provide clear and accessible notice regarding creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII.

Led by the Data Privacy Officer, members participate in activities such as:

• Discuss and document data privacy strengths and areas where supports are needed for students and employees.
• Develop near and long-term visions for privacy governance that will enable decision-making, prioritization and formation of relevant data privacy policies and procedures across CSCU institutions
• Review national standards and best practices and to make recommendations for the structure of a CSCU Data Privacy Program that would have capacity to address current gaps in awareness, practice, and policy.
• Recommend selection of a nationally recognized privacy standard to use for the development of a CSCU privacy policy and as a framework for program maturation.
• Consider options for the structure, representation, and responsibilities of a permanent CSCU Data Privacy Council to provide ongoing strategic planning, guidance, and oversight.
• Document recommendations for Board Policy where needed.
• Identify ways to enhance privacy awareness and expertise across CSCU institutions.
• Consider specific data privacy related tasks and how establishing working groups or subcommittees may enable completion of work such as the following.
  • Develop a CSCU Data Privacy Policy.
  • Conduct a data inventory and gap analysis including the documentation of data flows and data lifecycle practices.  The gap analysis will reveal differences between the legal and contractual requirements and current practice to identify areas of risk for the implementation of controls and mitigation of risk.
  • Develop thresholds for risk tolerance that can provide guidance when making determinations about control selection and risk assessments.^[1]
  • Establish a process and metrics for assessment, accountability, and improvement.
  • Develop and implement privacy awareness training/campaign.

Not all members are listed.