Confidentiality of Personal Information

The California State University (CSU) has a responsibility to protect sensitive personal data and maintain confidentiality of that data under the Information Practices Act (IPA), Title 5, and the Family Educational Rights and Privacy Act (FERPA). Personal data includes (and not limited to) the following:

• Social Security Number (SSN)
• Date of Birth (DOB)
• Home Address
• Home Phone Number
• Medical History
• Gender and Ethnicity

The Office of the Chancellor issued coded memorandum (HR 2005-16) detailing the CSU's requirements for protecting confidential data. Additionally, the Office of General Counsel for the CSU issues and maintains a Records Access Manual, which provides an overview of federal and state law governing access to records possessed by the CSU.

IPA, California Civil Code Section 1798, et seq. protects individuals' privacy rights in 'personal information' contained in state agency records. Additionally, Sections 42396 through 42396.5 of Title 5 of the California Code of Regulations address privacy and the principles of personnel information management.

FERPA affords students certain rights with respect to their education records, one of which is the right to consent to the disclosure of personally identifiable information except to the extent that FERPA authorizes disclosure without consent.

SDSU's Office of the Registrar provides campus guidelines for complying with FERPA. Furthermore, the CSU's Information Security Responsible Use Policy provides general principles regarding respect for privacy and sharing of account passwords.

What Employees Must Do

• Access only what you need to do your job (minimum necessary); don’t browse “out of curiosity.”
• Verify authorization before sharing: confirm the requester’s identity and legitimate need-to-know; when unsure, do not disclose.
• Store securely: keep confidential personal information only in approved SDSU/CSU systems; use strong passwords/MFA; lock screens; secure paper files (locked cabinet/controlled access).
• Transmit only through approved methods: use SDSU-approved email/tools and encryption where required; do not use personal email, personal cloud storage, consumer messaging apps, or unapproved file-sharing.
• Limit copies: avoid printing unless necessary; don’t download to unmanaged devices; don’t keep local “working copies” longer than required.
• Dispose properly: shred paper; securely delete electronic files per SDSU/CSU retention and disposal procedures; don’t toss documents in regular trash/recycle.
• Report immediately: suspected loss, misdirected email, unauthorized access, or exposure should be reported right away through the SDSU security/incident reporting channel.
• When in doubt, pause and ask: check with HR/Labor Relations, the data owner, or Information Security before releasing or moving information.

Report an Incident

If you believe you have experienced a security incident—such as receiving a misdirected email containing sensitive information, losing a device, or suspecting that data has been exposed—please report it immediately. To report an incident, visit the Report an Incident page at https://security.sdsu.edu/report-an-incident and follow the instructions provided.

Information Practices Act of 1977

To assist employees in understanding the IPA and to prevent inappropriate disclosure of information, below is a summary of key components:

1. General Provisions and Legislative Findings
   The right to privacy is a personal and fundamental right protected by Section 1 of Article I of the Constitution of California and by the United States Constitution. All individuals have a right of privacy in information pertaining to them. The California's Legislature has found that:
   • The right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies.
   • The increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information.
   • In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits.
2. Definitions
   • The term 'personal information' means any information maintained by the campus that identifies or describes an individual, including, but not limited to: his or her name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual.
   • The term 'disclose' means to disclose, release, transfer, disseminate or otherwise communicate all or any part of any record, orally, in writing, or by electronic or any other means to any person or entity.
3. Penalties
   • 'The intentional violation of any provision of this chapter or any rules or regulations adopted there under by an employee of any campus shall constitute a cause for discipline, including termination of employment.'
   • Any person who willfully requests or obtains any record containing personal information from a campus under false pretenses shall be guilty of a misdemeanor or fined not more than five thousand dollars ($5,000), or imprisoned not more than one year, or both.

Additional Resources

• SDSU IT Security Policies, Standards and Procedures
• Access to CSU Records (Public Records Act Context and Exemptions)
• California Code of Regulations (Official CCR Source) 
• SDSU Registrar FERPA Guidance
• HR 2005-16 (Requirements for Protecting Confidential Personal Data)