Privacy Standards

In keeping with state and federal legislation, the University safeguards the privacy of patients, students, employees, University business, and other matters by protecting electronic and hard-copy records considered confidential information. Unauthorized accessing and/or disclosure of confidential information by University employees is prohibited and may result in legal penalties. These standards apply to records maintained in any type of electronic or hard-copy record: computer, voice, video, or paper. They also apply to records created via the University website. For more details regarding user privacy when accessing NMSU’s website, refer to NMSU Website User Privacy.

DEFINITIONS

Electronic Records: Electronic transmissions or messages created, sent, forwarded, replied to, transmitted, distributed, broadcast, stored, held, copied, downloaded, displayed, viewed, read, or printed by one or several electronic systems or services. This definition of electronic records applies equally to the contents of such records, attachments to such records, and transactional information associated with such records.

University Administrative Record: A University Record (see definition below) that is directly related to the conduct of the University’s administrative business.

University Record: By law, University records are any papers, books, photographs, tapes, films, recordings, or other documentary materials, or any copies thereof, regardless of physical form or characteristics, made, produced, executed, or received by any department or office of the University or by any academic or administrative staff member in connection with the transaction of University business, and retained by that agency or its successor as evidence of its activities or functions because of the information contained therein.

University Electronic Record: A University Record in the form of an electronic record, whether or not any of the electronic communications resources utilized to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print the electronic communications record are owned by the University. This implies that the location of the record, or the location of its creation or use, does not change its nature as a University electronic record for purposes of this or other University policy.

Until determined otherwise or unless it is clear from the context, any electronic record residing on university-owned or controlled telecommunications, video, audio, and computing facilities will be deemed to be a University electronic record for purposes of these standards.

PRIVACY PRINCIPLES

Notification: Users should be notified that information is being collected and they should be informed of their rights (e.g., all Web pages that collect personally identifiable information should include a privacy notice that specifies how the information will be used).

Minimization: The institution should gather as little information as possible for legitimate purposes and delete information when it is no longer needed or no longer required by law to be retained (e.g., library records need not be kept for more than a certain limited period of time).

Secondary Use: Information should be used only for the purposes for which it was collected unless the individual gives additional consent (e.g., a department should not share information with an administrative office for a separate purpose without the individual’s knowledge and consent).

Nondisclosure and Consent: Information should not be released to third parties external to the University (e.g., vendors, businesses, etc.) without consent. University General Counsel and Chief Privacy Officer should review data sharing requests and establish data sharing agreements as deemed necessary. All faculty, staff, student employees and volunteers accessing NMSU regulated or other confidential data must complete and sign an NMSU confidentiality nondisclosure agreement.

Need to Know: Only those with legitimate, official needs should have access to information (e.g., a person’s position of authority in the University does not necessarily mean that they should be able to access information).

Data Accuracy, Inspection, and Review: Information must be accurate, and individuals should have the right to examine information about themselves and request changes (e.g., employees should be able to review their records and make changes or follow a standard process for any information that is disputed).

Information Security, Integrity, and Accountability: Information should be secure and not vulnerable to unauthorized modification, and the handling of the data must be subject to accountability (e.g., it should always be known who has access to information and changes to information should be documented).

Education: The University has the responsibility to educate its constituents concerning privacy rights and the proper handling of information (e.g., all constituents should know whom to consult about these matters and all employees should understand their responsibilities for abiding by policies for information handling).

DATA CLASSIFICATION

The Chief Information Officer (CIO), Chief Privacy Officer (CPO), Data Stewards and Operating Departments, in consultation with the Office of University Counsel, determine the confidentiality of the data. Data Stewards are representatives of the University who are assigned responsibility to serve as a steward of University data in a particular area. They are responsible for developing procedures for creating, maintaining, and using University data, based on University policy established by the Data Governance Committee and applicable state and federal laws. For more information refer to the data classification page.

The classification of data covers the whole data spectrum at NMSU including sensitive information about individuals such as information contained in the Human Resources system, and sensitive information about the University. Information receiving this classification requires a high level of protection against unauthorized disclosure, modification, destruction, and use. Specific categories of pervasive regulated or highly confidential information include information about:

  • Current and former students (protected under the Family Educational Rights and Privacy Act (FERPA) of 1974), including student academic, disciplinary, and financial records and student works such as homework, term papers, and exams; and prospective students, including information submitted by student applicants to the University. For more information please visit NMSU’s FERPA website.
  • NMSU’s Campus Health Center patients (protected under the Health Insurance Portability and Accountability Act (HIPAA) of 1996), other Medical Center clients, library patrons, and donors and potential donors. For more information please visit NMSU’s HIPAA website.
  • Current, former, and prospective employees, including employment, pay, health, and insurance data, and other personnel information.
  • Research, including information related to a forthcoming or pending patent application (patents must be filed within a year of publication), and information related to human subjects.
  • Certain University business operations, finances, legal matters, audit reports, or other operations of a particularly sensitive nature.
  • Information security data, including passwords.
  • In addition, the following data privacy regulations require proper safeguard, and privacy of certain data entrusted to NMSU:

Determining authorizations. Only those with legitimate, official need have access to electronic records. Data Stewards and operating supervisors determine who is authorized to have access to their information. They should make sure that those with access have a need to know the information and know the security requirements for that information. For faculty and staff with access to internal through government owned information, supervisors should also make sure that those given access have a need to know and have signed an NMSU confidentiality nondisclosure agreement that covers the information.

THE WAY WE USE INFORMATION

Client information is used to route the requested Web page to your computer for viewing. In theory, the requested Web page and the routing information could be discerned by other entities involved in transmitting the requested page to you. We do not control the privacy practices of those entities. Essential and nonessential technical information helps us respond to your request in an appropriate format (or in a personalized manner) and helps us plan website improvements. Optional information enables us to provide services or information tailored more specifically to your needs or to forward your message or inquiry to another entity that is better able to do so and also allows us to plan website improvements.

We may use non-identifying and aggregate information to better design our website. For example, we may report that X number of individuals visited a certain area on our website or that Y number of men and Z number of women filled out our registration form, but we would not disclose anything that could be used to identify those individuals.

We may keep client information from our systems indefinitely after the Web page is transmitted, but we do not try to obtain any information to link it to the individuals who browse our website. However, on rare occasions when a “hacker” attempts to breach computer security, logs of access information are retained to permit a security investigation and in such cases may be forwarded together with any other relevant information in our possession to law enforcement agencies.

We use the information you provide about yourself when placing an order or request only to complete that order or request. We do not share this information with outside parties except to the extent necessary to complete that order or request. Similarly, we use the information you provide about someone else when placing an order or request only to complete that order or request. Again, we do not share this information with outside parties except to the extent necessary to complete that order or request.

We generally use return email addresses only to answer the email we receive. Such addresses are generally not used for any other purpose and by University and state policy are not shared with outside parties.

Finally, we never use or share the personally identifiable information provided to us online in ways unrelated to the ones described above without clear notice and the opportunity to opt-out or otherwise prohibit such uses.

PROVIDING INFORMATION IS YOUR CHOICE

There is no legal requirement for you to provide any information at our website. However, our website will not work without routing information and the essential technical information. Failure of your browser to provide nonessential technical information will not prevent your use of our website but may prevent certain features from working. For any optional information that is requested at the website, failure to provide the requested information will mean that the particular feature or service associated with that part of the Web page may not be available to you.

OUR COMMITMENT TO DATA SECURITY

To prevent unauthorized access, maintain data accuracy and ensure the correct use of information, we have put in place reasonable physical, electronic and managerial procedures to safeguard and secure the information we collect online, consistent with the policies of the University and with applicable data privacy laws and regulations.

DATA BREACHES

We ensure the appropriate procedures are in place to detect, report, and investigate a personal data breach.

Known or suspected violations should be reported immediately to the CPO by phone at (575) 646-5902, or by email at clobato@nmsu.edu.  The CPO will handle, investigate, document and report to the appropriate authorities.