Western Washington University is committed to maintaining the privacy and security of personal information and other highly sensitive data that it collects and uses. Our privacy and public records obligations are governed by state policy, state and federal regulations, and now international regulations.
To reduce the complexities of attempting to comply with each regulation individually, Western has adopted the position of striving for the highest standards for:
- Reviewing how and why personal data is collected and used, and
- Taking proactive steps to mitigate security and/or privacy breaches.
In the works:
- Delegation of compliance ownership for specific privacy regulations is in progress. Official delegations made by the University President will be published in a University Compliance Matrix.
- University policies on privacy and information security are under development.
- Updates to training and policy manuals related to personal health information are in progress.
Data Privacy Laws
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) is a law that applies to financial institutions and includes privacy and information security provisions designed to protect consumer financial data. This law applies to how higher education institutions collect, store, and use student financial records (e.g., records regarding tuition payments and/or financial aid) containing personally identifiable information. GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which are enforced by the Federal Trade Commission (FTC) for higher education institutions. Colleges and universities are deemed to be in compliance with the GLBA Privacy Rule if they are in compliance with the Family Educational Rights and Privacy Act (FERPA).
Federal Trade Commission Act
The Federal Trade Commission (FTC) provides the greatest overall data protection to consumers, but it does so based on its general authority as a federal agency and not on a specific data privacy law. Its authority comes from the Federal Trade Commission Act, which authorizes the FTC to seek to prevent unfair or deceptive trade practices. The FTC’s chief weapon in combating incursions into consumer data privacy is its ability to obtain agreements with private companies to regulate the use of the data that they collect. For example, it entered into an agreement with Facebook in 2011, which created a compliance plan and formalized privacy practices. The FTC hoped that other internet companies would model their privacy and data collection policies on the agreement reached with Facebook. The FTC investigates and prosecutes companies for deceptive data collection, misuse of consumer data, and other improper internet and online practices. One of the FTC’s primary functions is to prevent identity theft, and it has established a complaint line for that purpose. The complaint line gathers information that is then shared with law enforcement.
The Privacy Act
To protect U.S. citizens from the misuse of their data by the federal government, the Privacy Act of 1974 was passed. It governs the collection, maintenance, and use of information about individuals stored by federal agencies. It does not govern information collected by private companies or state agencies. While this law restricts how federal agencies collect and use personally identifiable records, it also grants individuals the right to access such records and to amend the data that is collected on them.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA provides some of the strongest privacy protections for a person’s medical information; it regulates the use and disclosure of an individual’s health information. There are civil and criminal penalties for failing to comply with the privacy rule requirements of HIPAA. Employee and student medical and treatment records are not covered under HIPAA.
Medical Records – Health Care Information Access and Disclosure State Law
Washington state law (RCW 70.02) offers privacy protections for treatment records held by health care clinics.
Laws with Privacy Elements
Other laws, such as the Americans with Disabilities Act and the Family and Medical Leave Act, have confidentiality requirements that limit disclosure of medical information.
Fair Credit Reporting Act
A consumer’s financial data is protected by the Fair Credit Reporting Act, which regulates consumer reporting agencies. It restricts the disclosure of credit reports and other consumer reports. It works in conjunction with HIPAA to protect medical information as well. The Act further requires notice to consumers when their credit reports have been disclosed, provides for fraud alerts, and grants free access to credit reports in conjunction with a fraud alert. The Act is extensive and provides a number of consumer rights.
Controlling the Assault of Non-Solicited Pornography and Marketing Act
In an effort to limit the amount of unwanted email advertising, especially messages with explicit sexual content, Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act). It established requirements for sending unsolicited commercial email and regulates other fraudulent activities associated with electronic mail.
Electronic Communications Privacy Act
The US has long had a wiretap law that prohibited eavesdropping on and recording of conversations that took place over telephone or telegraph wires, but the act was expanded to address modern forms of wireless and electronic communication. The Electronic Communications Privacy Act prohibits interception and disclosure of wire, oral, or electronic communications, with exceptions for law enforcement, publicly available communications, or cases where permission has been given.
Computer Fraud and Abuse Act
To combat a hacker’s ability to take over government and private computers, the Computer Fraud and Abuse Act was passed. Its purpose is to address computer hacking and data theft by making it illegal to access computers and take computerized data without authorization. It’s important to note that this law makes it illegal not only to steal data, but also to access a computer without authorization, even if no data or information was taken.
General Data Privacy Act (GDPR)
The General Data Privacy Act is an international law that standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also extends the protection of personal data and data protection rights by giving control back to EU residents. GDPR applies to all organizations holding and processing EU residents’ personal data, regardless of geographic location. Many organizations outside the EU are unaware that the EU GDPR regulation applies to them as well. If an organization offers goods or services to, or monitors the behavior of, EU residents, it must meet GDPR compliance requirements.
Source Credit: Consumer.findlaw.com
For additional information, concerns, or suggestions please contact the University Compliance Manager or email firstname.lastname@example.org.