Different Types of Regulated Data at ISU

The university is mandated by federal, state and/or local law, or university policy to enforce privacy and security safeguards for regulated data. This area of the Knowledgebase provides a general overview of the regulated data types at ISU. Please speak to your immediate supervisor for more information related to your role and responsibilities to meet regulatory compliance requirements when generating, storing, using, sharing, and managing regulated data.

Family Educational Rights & Privacy Act (FERPA)

The Family Educational Rights & Privacy Act or FERPA (the Buckley Amendment) is a federal law that protects the privacy of student education records.  The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA defines students’ rights broadly, giving the student the right to control to whom their education record is released. Broadly, FERPA:

  • Establishes the rights of students to inspect and review their education records.
  • Provides students the right to control the release of education records to third parties without permission of the student.
  • Provides guidelines for the correction of inaccurate or misleading data through formal and informal hearings.
  • Provides students the right to file complaints with the Family Policy Compliance Office, U.S. Department of Education concerning alleged failures by the institution to comply with the Act.
  • For complete FERPA information, visit: https://studentprivacy.ed.gov/node/548/

Health Insurance Portability & Accountability Act (HIPAA)

Summary of the HIPAA Privacy Rule:


The ISU HIPAA Privacy Officer is the designated University person responsible for knowing HIPAA regulations, providing training for Clinic staff, student clinicians, and supervisors (“Clinic Personnel”) in HIPAA compliance, and assuring that HIPAA-related policies and procedures are instituted and followed. To that end, a breach is defined as the acquisition, access, use or disclosure of Protected Health Information ("PHI") in violation of the HIPAA Privacy Rule. Examples of a breach include stolen or improperly accessed PHI; PHI inadvertently sent to the wrong provider; and the unauthorized viewing of PHI. To report a breach, individuals are encouraged to contact the ISU Privacy Officer by email at: HIPAAPrivacyOfficer@indstate.edu

Payment Card Industry - Data Security Standard (PCI-DSS)

The Payment Card Industry - Data Security Standard (PCI-DSS) is a global security standard that provides the security requirements defined by the Payment Card Industry Security Standards Council and the 5 major Payment Card Brands.  It is required for all credit card transactions and is enforced via the Merchant Agreement terms. 

  • PCI DSS stands for Payment Card Industry Data Security Standard.
  • The standard is a set of requirements which ensure technical and procedural security in accepting, transmitting and storing payment Card Holder Data (CHD).
  • Payment cards include credit, debit, gift, prepaid, etc. For purposes of complying with the standard, payment cards do not include ISU's Commons Cash or Sodexo Cards.
  • The standard is issued and maintained by the PCI Security Standards Council (PCI SSC) and applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit CHD.  Complete PCI DSS information can be found at the  PCI SSC website.
  • If you have any questions or concerns about how you are handling payment card information at ISU, then please contact your area OIT consultant.

Gramm Leach Bliley Act (GLBA)

The Gramm Leach Bliley Act (GLBA) is a federal law that requires financial institutions to ensure the confidentiality, integrity, and availability of customer information. While ISU is not a "financial institution" per se, as an institution of higher education, it is required to comply with this regulation. GLBA has two parts, one relating to privacy and one mandating security. For colleges and universities, FERPA addresses the privacy component of GLBA, and ISU is not required to specifically address the privacy provisions in GLBA. The second part of GLBA, called the Standards for Safeguarding Customer Information, requires ISU to adopt security controls to protect the confidentiality, integrity, and availability of personally identifiable information provided for the purposes of financial aid and student loan servicing.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union regulation that dictates data and privacy protection requirements for all individuals within the European Union (EU) and the European Economic Area (EEA). The goal of GDPR is to ensure individuals have control over their personal data including who can collect it, what can be collected, and how that information can be used. 





Article ID: 120155
Tue 11/10/20 5:03 PM
Fri 11/3/23 8:20 AM