This document provides an overview of CSU’s compliance with the European Union’s General Data Protection Regulation, or GDPR, which became effective on May 25, 2018, and the California Consumer Protection Act, or CCPA, which became effective January 1, 2020. It provides a summary of the areas covered by the GDPR and the CCPA, CSU’s high-level compliance in terms of governance and responsible parties, a general discussion about CSU’s IT Security and Privacy environment, and specific information regarding the nature and legitimate business need for processing the data.
The GDPR and the CCPA apply to organizations involved in the processing of personally identifiable information (PII) of individuals.
- The GDPR applies to residents of the EU located in the EU,. An organization may or may not maintain an “establishment” in the EU and be covered by GDPR  Without determining if or when CSU maintains an establishment, we recognize that GDPR applies when, acting as a controller or processor, “the processing activities are related to offering goods or services to data subjects in the [EU],” even when the goods and services are offered for free.  Further, GDPR protections apply when CSU processes the PII of data subjects in the EU and that processing is related to the “monitoring” in the EU of the “behavior” of data subjects as their behavior takes place within the EU. 
The CCPA bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. It provides essentially the same protections for Californians as does the GDPR for EU residents. However, it contains an additional provision that individuals who protect their privacy rights are not to be discriminated against. Also, users may use this toll-free telephone number to inquire about their rights and privileges under the CCPA: 833-610-1259.
Web pages and other forms may through the use of forms collect PII as well as by recording IP addresses or recognizing cookies  from the end user. All such PII that we collect is extremely well protected, and CSU desires to be transparent about how we secure and protect such data. Therefore, all University web pages offering services to individuals which process PII shall include a URL reference to this document on the home web page offering such a service.
A list of commonly used abbreviations and acronyms is provided at the end of this document.
Provisions of the GDPR and the CCPA
The GDPR and the CCPA subtend three areas involving individual’s personal data, each provided in a subsection below.
General Principles for Processing Data
Personal Data shall be:
- Processed (i.e. collected, handled, stored, backed up, made accessible, disclosed and destroyed) fairly, lawfully and transparently. An organization must have a ‘legal basis’ for processing an individual’s personal data (e.g. the individual has consented to the processing, or the processing is necessary to operate a contract with them, or the processing is necessary to fulfil a legal obligation).
- Processed only for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to only what is necessary or for which consent ahs been given.
- Accurate (and corrected if it becomes inaccurate).
- Not retained for longer than necessary – data retention periods.
- Processed securely.
An Individual’s Rights
- The right to be informed of how their personal data are being used. This right is usually fulfilled by ‘privacy notices’ (or ‘privacy policies’) which set out how an organization will use an individual’s personal data, who it will be shared with, etc.
- The right of access to their personal data.
- The right to have their inaccurate personal data corrected.
- The right to have their personal data erased (right to be forgotten).
- The right to restrict the processing of their personal data pending its verification or correction.
- The right to receive copies of their personal data in a machine-readable and commonly-used format (right to data portability).
- The right to object: to processing (including profiling) of their data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest.
- The right not to be subject to a decision based solely on automated decision-making using their personal data.
- The right not to have their personal information sold to external entities.
Responsibilities of CSU
The legislations introduce a range of accountability requirements to encourage a proactive and documented approach to compliance. These accountability requirements include:
- Implementing policies, procedures, processes and training to promote ‘data protection by design and by default’.
- Having appropriate contracts in place when outsourcing functions that involve the processing of personal data.
- Maintaining records of the data processing that is carried out across the organization.
- Documenting and reporting personal data breaches.
- Defining Controllers as the points of contact for questions regarding the GDPR and the CCPA for data and services from the units covered.
- Identifying and acting on data retention periods for its data and acting upon that (i.e. purging data) when the retention period is exhausted.
There are various exemptions from compliance, two of which are pertinent to institutions higher educations, viz.:
- Personal data processed for journalistic, artistic, literary or ‘academic purposes’ are exempt from the principles and almost all of the rights, though not the accountability requirements.
- Personal data processed for ‘scientific or historical research purposes’, ‘statistical purposes’ or ‘archiving purposes in the public interest’ are exempt from two of the principles (those stating that personal data shall be processed solely for specified purposes and not kept for longer than necessary) and most of the rights, though not the other principles, the right to be informed (unless providing the privacy notice would be impossible or would involve ‘disproportionate effort’), or the accountability requirements.
An individual’s consent is not required to process personal information for legitimate business purposes. Indeed, virtually all of the data we collect falls into this category, and direct, affirmative consent is not required. However, activities which are peripheral to the University’s learning environment, research environment, and outreach environment are not exempt from having to obtain affirmative consent.
Finally, it is noted that CSU is required to collect, secure, keep, and maintain PII data under a wide variety of mandatory rules, regulations, and policies, including:
- State of Colorado records retention policy mandates keeping various types of documents and information for various time periods, as required by the State of Colorado Records Retention Manual (http://www.colorado.gov/pacific/archives/state-agency-records-management). Section 8 of that manual pertains to higher education in Colorado. CSU has its own complementary policies on records retention, as well.
- CALEA – the federal Communications Assistance for Law Enforcement Act of 1994 (47 USC §1002), enacted in 1994, requires CSU to collect and maintain information about individuals’ uses of our network and communication systems, for possible needs by law enforcement.
- GLBA – the federal Gramm-Leach-Bliley Act of 1999 (12 USC §1811) is synergistic with the GDPR and the CCPA, and requires certain protections to be put into place regarding IT Security and privacy of an individual’s financial records.
- SOX – the federal Sarbanes-Oxley Act of 2002 (116 USC §745) mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud, specifying reporting and retention clauses for financial data.
- Statewide reporting into the Colorado Department of Higher Education is required of student unit records into the statewide SURDS (Statewide Unit Record Data System) is required by state law.
General IT Security and Privacy Environment, and CSU’s Privacy Environment
Over about the last five plus years, there is no area in central IT to which we have paid more attention and devoted more effort than IT Security and Privacy. Over this time period, we have put many additional protections in place to enhance IT security and preserve individuals’ privacy, especially as regards Personally Identifiable Information (PII). Specifically, in response to the requirements of these two legislative bills, we have
- Identified Controllers for PII data for all of our relevant IT systems and services. Controllers are generally knowledgeable about the data collected, the business needs for the data, data retention and disposal periods, and other factors pertinent to their areas. Controllers may also refer individual requests to others with greater knowledge than they have, especially concerning reporting and business intelligence needs.
- Reviewed all of the PII we collect, and verified a business need to collect it.
- Reviewed storage and preservation of PII in our internal systems and established necessary retention periods from a business needs perspective.
- Identified which information can be purged from which systems, over which time periods.
- Reviewed, revised and put into place contractual terms for all of our external vendors to comply with the GDPR and the CCPA who hold our PII. Most especially important here are added terms and conditions for data retention and disposal.
- Included an affirmative acknowledgment for faculty, staff, students or affiliates agreeing to participate as a CSU patron under our compliance in our Acceptable Use Statement that all users must accept.
- Worked with our Institutional Review Board to understand that there must be both data retention and disposal clauses in all IRB-approved protocols.
- While requests may be made for an individual’s PII data to be removed from out systems, this will only be possible in very limited circumstances, as we are required by federal and state statues, state fiscal rules, and other strictures to retain data for 1) required reporting, including retaining data for sufficient periods of time to respond to questions or queries regarding the data, and to allow us to recreate reports from multiple data sources, and 2) employ the use of data for business analytics to inform strategic and operational directions for CSU to provide both more efficient and more effective IT services. The systems used for these purposes are our most well-protected systems, deep behind firewalls and access control lists, with granular access for individual users to only the data they need for business purposes.
How to Use the Information in This Document
Individuals residing in the EU who are covered under the GDPR and Californians may query the Controller for their area of particular interest, identified in Table 1 below in section “Areas and Controllers,” for specific questions regarding the processing of their personal data. General questions may be directed to the University’s General Controller, also identified in Table 1 in the section “Areas and Controllers.”
Right to Petition for Redress
Individuals residing in the EU who are covered under the GDPR or Californians who have contacted a Controller in their area of interest, and received an answer with which they are unsatisfied, or have not received an answer within a reasonable time period may petition for redress  to the University’s General Controller, identified in Table 1. The University’s General Controller shall caucus with the Vice President for Information Technology, and respond to the request, normally within one week of receipt of the request. Should the individual be unsatisfied with that answer, or have not received an answer within two weeks of submitting the request, the individual may contact University’s General Controller and request that the response be reviewed by the University’s Office of General Counsel, whose determination shall be final.
General Approaches to Special Circumstances
There are several areas that merit special circumstances for services of a general nature, as described below.
General data collection – CSU collections very, very little information of a personal nature, except as needed to fulfill a required business function. In most cases, we will not be able to accommodate “right to be forgotten” requests, as we must maintain complete and comprehensive information in order to facilitate efficient and effective operations in our environment. We simply do not have excess capacity to ingest and/or process extra information, nor do we ever sell your personal information to any provider for a fee. All of our sensitive data is maintained behind very robust firewalls, and thus very secure and highly private.
Cookies – Cookies are small files contained on your personal device, computer, laptop, table, smart phone, etc. that are particular to specific web pages you visit. Cookies are processed by the web page to maintain your connections and your identity as you browse across web pages (the web is stateless, meaning that the. web by itself will not remember who you are as you browse through pages, “cookies” are required for this purpose). You have complete control of cookies on your device and you can choose to disable them. However, if you do so, you may then be unable to receive services from CSU, especially ones that require your identity and maintaining your place in the hierarchy of the web.
System and network logs – CSU is required by several laws (referenced above) to maintain system and network logs for specified periods of time. In most cases the retention period for the data is determined by the software/application, and we have little or no say in that. As these logs are a legal requirement, we cannot support the “right to be forgotten” in these logs. However, we can assure you that these logs are only used by us internally for purposes of analyzing and tuning (optimizing) our service delivery. We never distribute these, so that are extremely secure and very private.
Privacy Areas and Controllers
Below, we indicate separately for each system and/or service the Privacy Controller (the “Controller”) for the system and/or service. Each Controller has reviewed the data collected for their system and/or service, removed from collection any data items not needed for reporting or business purposes, established a data retention period, and agreed to serve as the point of contact for individuals who may have questions about Privacy compliance.
|Table 1 Privacy Controllers by System and/or Service|
|Controller Name & Contact Info||General Area||General Description of PII Data Collected||PII Data Elements Collected|
|State of Colorado Chief Information Security Officer||Supervisory Authority||N/A||N/A|
|Steve Lovaas, Steven.email@example.com, 970.297.3707||General University Controller for GDPR||None for this purpose||None for this purpose|
|Suzi White, firstname.lastname@example.org
|CSU Libraries||Libraries Catalog – User Information||Users, materials checked out (only while they are checked out, so they can be tracked for return)|
|Suzi White, email@example.com
|CSU Libraries||Opt-in scholarly communication information|
|Networking||Logins and IP addresses, for debugging and support purposes||Username, time and date, login success|
|Joe Volesky, Joe.Volesky@colostate.edu,
|Central IT “academic” systems and services||System logs||Username, IP addresses, services accessed, time stamps|
|Josh Clark, firstname.lastname@example.org,
|Central IT “administrative” systems and services||System logs||Username, IP addresses, services accessed, time stamps|
|Environmental Health Services||Access information||First, middle, last name, CSUID, birthdate, EHSID|
|Sally Alexander, email@example.com, 970.491.7726||Office of Risk Management & Insurance||Workers Compensation (WC)||
Name, date of birth, address, and SSN. For WC: medical treatment plans, impairment ratings, physical ability assessments, marriage status, date of termination, wages, medical treatment plans, impairment ratings.
With consent: medical information, hospital records, and medical bills. Description of incidents
|Tyler Clayton, firstname.lastname@example.org, 970.491.5620||International Student and Scholar Services||International education exchange information; US Student and Exchange Visitor Program, INTO CSU program||Names, birthdates, contact information, immigration documents, passport information, financial documents, travel plans, confidential notes about immigration issues. For students: admission, academic, and enrollment information; confidential notes about academic issues. For employees: employment and salary information.|
|“||“||Departmental database for collecting, storing, and processing data about international students|
|Sarah Olson, Sarah.Olson@colostate.edu, 970.491.1393||Office of International Programs||Information in an internal CSU database necessary for enrolling individuals in programs, with contact information obtained for communications, including life and safety alerts.||Name, title, and possibly (for some programs) mailing address, email address, telephone number, specific information regarding their research, secure digital signature.|
|Laura Thornes, email@example.com, 970.491.2964||Office of International Programs – Education Abroad||Information relevant to a study abroad experience. Company was thoroughly vetted for IT security. CSU activated a GDPR Consent Setting in May 2018, giving them an opportunity to opt out prior to applying.||Names, gender, date of birth, emails, SID, passport info, major, personal demographic data.|
|Mike Brake, firstname.lastname@example.org, 970.491.7095||Collaborative for Student Achievement||Information provided by participants to assist advisors of students in their academic career at CSU.||Names, demographic information, academic history information provided by participants to assist in their academic career at CSU.|
|“||“||Academic Major investigation at CSU||Name, DOB, email opt-in for students.|
|“||“||Scholarship and academic progress reporting information.||Names of Scholarship recipients and academic progress/status.|
|“||“||Taking Stock Information, for student advising||Names, email addresses, hall, international status, student type. Student may provide some personal information as a result of taking the assessment.|
|“||“||Online orientation||Name, college, completion information|
|“||“||Scholarship/Award candidate information to encourage students to apply for those opportunities||Names, email addresses, cum_gpa|
|“||“||Applications for Key Communities, a student position with Orientation and Transition Programs, or apply for a scholarship||Names, emails, demographic information, personal essays, resumes, and other information necessary to apply.|
|“||“||Student Advising Network||Names, emails, demographic information, personal information, academic plans, advising comments.|
|Jordan Schroeder, Jordan.Schroeder@colostate.edu, 970.492.4750||CSU Online||Various information for CSU Online students||Student identities, transactions, academic history, demographics, IP addresses,|
|“||“||CSU online Student registration and associated services, web services, learning analytics service, surveys, fileshare||CSU Online internal data set necessary for receiving CSU Online services|
|Josh Clark, Josh.Clark@colostate.edu, 970.491.7169||
Online Shop Catalog
Financial Feeds Sent to CSU Pueblo.
Cell phone billing
Transaction and new card information from Mastercard
Allows Accounts Payable reconciliation of checks
Financial feed to the State
Manages lab equipment & billing for lab equipment.
Shipping insight software.
Time Clock and Leave Management System.
User, Position, New Hire.
State Classified employee information.
payroll data, benefits data
Employee information, payroll data, benefits data
Employee information and deduction information
Employee and deduction information
Employee, user, payroll data
Faculty Evaluation System
Ticket/Project Management System
Degree Auditing and Evaluation
Degree Auditing and Evaluation
Transfer Course Management
International Students/ESL/College Prep
Feed data to SAS
Student Health Insurance
Learning Management System
Report student status
ADA Scheduling System
Import SAT and AP Test Scores
Academic Catalog Management
Analytics & Counseling/Athletics
Haven/Alcohol EDU Training for Students
Analytics & Counseling
Conflict Resolution, for managing behavior records
Transcript Printing and Distribution
Health Insurance Management
Internaitional Office (FSA Atlas Replacement)
Analytics & Counseling
Name, CSUID, Phone Number, ename, dept. number, email address, credit card number, salary, supplemental pay, HR ID, federal tax ID, user, position new hire, employee information, state classified, payroll deduction information, user, payroll data
Name, Email, Phone Number, supplemental pay, HR ID
Name, Email Address
Most Student Data (All Pii)
Name, Phone Number, Email, Address,
CSUID, Phone number, credit card number, federal tax ID, User, Position, New Hire Employee information, State Classified employee information, Employee information, payroll and deduction data, benefits data. Employee and deduction information
Employee, user, payroll data
Name, Email, Phone Number
Names, Email Addresses, CSUID, Phone Number, Department Number, ename, email, address, salary, supplemental pay, HR ID,
Most Student Data.
|“||“||All PII Data, including: Name, CSUID, Email, Position, Phone Number, Department Name, Parent/Sponsor|
|Steve Burn, Steve.Burn@colostate.edu, 970.491.7770||Central Receiving:||Shipping information, allows departments to ship packages from their desks.||Name; CSU Id#; Dept – Name, Number; Kuali Account #; Address Information|
|Joe Rymski, email@example.com, 970.430.5757||Web Communications||Web site cookies are used in a wide variety of sites.||Users may clear their cache of cookies, and configure their browsers not to accept cookies.|
|Business and Financial Services||To record SSN’s for students and employees.||Name, address, CSUID, SSN|
|Business and Financial Services||Information necessary to notify individuals of monies due to CSU.||Name, address, CSUID, amount owed or due.|
|Grant Polzer, Grant.Polzer@colostate.edu, 970.491.2040||Business and Financial Services||I-10 form information||Name, address, Individual Taxpayer Identification Number (ITIN)|
|Jordan Fritts, Jordan.firstname.lastname@example.org, 970.491.5626||Admissions||Captures PII data for any person applying for admission and/or attending classes at CSU, degree-seeking or not.||SSN, DOB, address, email address, birth place, immigration information, eName, URLs visited, browsers/IP addresses, photos, parent information criminal/legal documents.|
|Registrar||All data, PII, and metadata, for students; all identity information for students, faculty, staff affiliates and CSU Online.||SSN, CSU ID, PIDM, State Assigned Student ID, Slate ID, Common Application ID, Electronic Prospect ID, Semester at Sea ID, Shipboard ID, INTO ID, INTO Internal ID, Alumni ID, HR Employee ID, Duplicate Purged ID, ISIS ID, SARS ID, Visa Type, Visa Number, Names, Addresses, Phone Numbers, Email Addresses, Birth Date, Sex, Gender Identity, Sexual Orientation, Race/Ethnicity, Deceased Date, Emergency Contacts, Parent Names, Parent Addresses, Parent Phone Numbers, Parent Email Addresses, First Generation, GI Bill, Veteran Info, Planned Leave, Programs of Study, Dates Enrolled in Each Program of Study, Registration Activity, Class Schedules, Grades, GPAs, Comments, Holds, High School Graduated From, Year of High School Graduation, High School GPA, High School Class Rank, Other Institutions Attended, Dates of Attendance at Other Institutions, Courses Taken at Other Institutions, Grades Received at Other Institutions, Degrees Awarded, Dates Degrees Awarded, Academic Honors, Sports, Fraternity/Sorority Membership, Advisors, Withdrawal Info, Bankruptcy Status, Collection Agency Assignment, Third Party Sponsor, Repeat/Deleted Courses, Fresh Start|
|William Mills, William.Mills@colostate.edu, 970.491.3803||Office of Financial Aid||Data used to award scholarships, and include student employment in the financial aid calculations.||Personal and Academic data, basic person information, Class Schedule, and Work Study awards.|
|Kathleen Harward, Kathleen.Harward@colostate.edu, 970.491.1482||Student Legal Services||Data used to provide student legal services||CSU ID, Name, Phone #, Address, email, DOB, Year in School, summary of legal case with names of adverse parties, Client doc’s, e.g. leases, police tickets, contracts, insurance doc’s, lawsuits, med records, collection notices, bank records.|
|Shaun Geisert, Shaun.Geisert@colostate.edu, 970 430.5858||Division of Student Affairs||Data used to inform students in a variety of ways that enhances their success as students.||Name, gender, ethnicity, email, contact information, system logs, CSUID, DOB, appointments, phone, arrest records, appointments, nominations, quiz grades and performance information, bicycle use, homebuyer, fraternity or sorority membership, health information,|
|Lori Lynn, Lori.Lynn@colostate.edu, 970.491.1752||CSU Health Network||Health information||Name, CSUID, password, email, department, course status, prescriptions, insurance, diagnosis, scans and images, lab results, demographics, counseling records,|
|Melissa Emerson, Melissa.Emerson@colostate.edu, 970.491.7165||Student Resolution Center||Name, address, phone, DOB, CSUID, parent name, conduct history with dates, parties involved, hearing notes, rationale, outcomes, findings, sanctions, action items, holds, deadlines, police reports, Clery reports, appointments|
|Cody Frye, Cody.Frye@colostate.edu, 970.491.2301||Campus Recreation||Name, CSUID, DOB, Email, eName, Address, Gender, Phone, Gender,|
|Laura Giles Laura.Giles@colostate.edu, 970.491.4748; or Shane Vigil, Shane.Vigil@colostate.edu, 970.491.3156||Housing & Dining Services||
Email, phone, on-campus address, package notifications, housing assignments, roommates,
employment agreements, eRezLife),
student job postings, applications, sign-ups for interviews, position assignments, and all application status notifications, items, employee information, job descriptions, compensation ranges, PII of applicants.
|Jason Huitt, Jason.Huitt@colostate.edu, 970.491.2511||Lory Student Center||First name, last name, appointments|
|Royce Lahman, Royce.Lahman@colostate.edu, 970.491.4687||Residential Dining||Information used to provide and improve dining services.||Name, ID Number (CSUID), phone number, address.|
|Dezarai Brubaker, Dezarai.Brubaker@colostate.edu, 970.491.1378||Conference and Event Services||Information is collected from opt-in participants for provided access to events and conferences.||Name, address, phone number, email, IP address. Credit card payment information is collected through a secure on-line porta, authorize.net, for opt-in services and payments.|
|Neal Luján, email@example.com, 970.491.5119||RAMCard||The RAMCard office stores information necessary to produce, maintain and verify CSU identity cards, and participate in University-sponsored events.||
CSUID, DOB, phone, Email Address, Photographs (RamPix Submission/In-Office), Customer Signature, Photo copy of Government-issued ID (Distance Students), RamCash Account History, Name and Preferred Name
University Data Used:
Personal and Demographic Information From Banner: AriesWeb Enrollment and Employment Status
|Kirk Wilkinson, Kirk.Wilkinson@colostate.edu,
|Apartment Life||Information necessary to operate, manage and support apartment residents.||Name, DOB, Phone Number, Email Address, Nationality, ADA Accommodation, Family Member Names and Ages, Guest Names and Ages, CSUID, Police Reports, Doctor’s Notes, Charges Applied to Resident, Eviction Records, Conduct Records, Printed Emails, Employee Photos, Apartment Address, Dates of Occupancy in Apartments, Signatures, Financial Information|
|Shane Vigil, Shane.Vigil@colostate.edu, 970.491.3156||HDS Admin||Information of electronic signatures, tutorials for language learners, ID card photographs and associated metadata,||
Name, DOB, phone, email address, campus mail address, home mail address, CSUID, I9 documentation (social security number, driver’s license, birth certificate, work authorization), preferred name, bank information, Tax withholding information, pay information.
eName, Gender, Ethnicity, DOB, Major; occasionally also facilitate uploads of documents with personally-identifiable information, such as resumes, Photos, video, surveys, job applications, resumes
|Laura Alexander, Laura.Alexander@colostate.edu, 970.491.0863||HDS Facilities||Information to support staff work orders.||Name, phone, and/or email.|
|Shane Vigil, Shane.Vigil@colostate.edu, 970.491.3156||HDS Technology Services||Complete profile information relevant to delivering student services, including technology support, in housing and dining. All data are kept on campus, and backed up on a secure Azure site. No data are shared.||
Name, CSUID, location, (username, IP address, MAC address), physical location, resume.
Full name, preferred name, DOB, phone, email, physical addresses ename, major, student level, class standing, program of study, academic standing, anticipated graduation date, credits (earned, transfer, CE, other), GPA, holds, college, department, university employment status, assignment history, university employment department, job title, gender, ethnicity (if supplied), country of citizenship, lifestyle preferences, preferred living options, ADA concerns, ADA accommodations, meal plans, meals used, RamCash balances, RamCash transactions, billing amounts due, collection status, account balance, deposit amounts
|TBD||Student Case Mgmt.||Information necessary to manage student cases.||name, CSUID, DOB, location, other factors: medical/mental health info, economic, cultural, social identity info|
|Kylan Marsh, Kylan.Marsh@colostate.edu, 970.491.7187||Development and Advancement||Information on CSU’s constituents – e.g. alums, faculty/staff, parents, donors, friends, etc., for the purposes of fund raising, tax reporting, etc.||
External systems: name, address, email, phone, gift/event details;
Internal systems: name, title, address, email, phone, gift/event registration info., scholarship info., CSUIDs, Displays elements of donor record. Normal IIS tracking occurs, degree information, tracking of responses, seating information.
|Joe Rymski, Joe.Rymski@colostate.edu, 970.491.5757||University Communications||Web cookies are specified to facilitate a user’s browsing experience, for example, transferring “state” between web page views. In almost all cases, they cannot be disables||Web cookies are stored on the user’s device, and are essential to provide a seamless, robust user experience. The University accesses these in a highly secured manner, only upon a user requesting a web page, and neither stores hem nor distributes them elsewhere.|
|Human Resources||Benefits management, BenefitSolver, benefitsolver.com; COBRA insurance and DCP premium refund, Healthsmart, healthsmart.com; Dental insurance, Delta Dental, deltadental.com; Employment verification, The Work Number, theworknumber.com; Flexible spending accounts and commuter transit benefit, Discovery, discoverybenefits.com; Form I-9 completion and ACA insurance management, Equifax, equifax.com; Health insurance, Anthem, anthem.com; Life insurance, Hartford, thehartford.com; Retirement accounts, Voya, voya.com; Retirement accounts, PERA, copera.org; Retirement accounts, TIAA, tiaa.org; Retirement accounts, Valic, valic.com; Retirement and HSA accounts, Fidelity, fidelity.com; Search, application, and hiring process; peopleadmin.com; Vision insurance, VSP, vsp.com; payroll deposits to various banks (opt in by employee).|
|Controller Name & Contact Info||General Area||General Description of PII Data Collected||PII Data Elements Collected|
|N/A||Agricultural Sciences, Soil and Crop Sciences|
– Audition applications;
– Travel forms;
– Search committee and P&T materials;
– Used for locker registrations, signups, prospective students events, marketing;
– University Tickets, Ticket Sales;
Project/Program Management Tool,
Copies and subscriptions to Colorado Review, contest entries;
Sending digital subscriptions of Colorado Review to subscribers, notifying previous entrants to contests that current contest is open;
Names, contact info;
Names and CSU contact information
Names, addresses, email, phone
Kacie Reed, Kacie.Reed@colostate.edu, 970.491.6104; and
Stefan Tonazzi, Stefan.Tonazzi@colostate.edu,
|College of Veterinary Medicine and Biomedical Sciences||
VTH patient management, Medical records;
CVMBS payment processing
CVMBS software consulting
– DVM application data,
– Student & Employee data, Client data
Proposals and sponsor attached to it.
– Facebook and Instagram Analytics
– Course evaluations.
Medical treatment plans
Names, addresses, phone numbers, emergency contacts, CSUID, DOB, email address, personal medical treatment, worker’s compensation, leave time, employee salary and benefits, employee evaluations, mobile device information, language, IP address, classes taken
Richie Nelsen, Richie.firstname.lastname@example.org 970.492.4929, and
|College of Business||– Applicants’ data||Student data; prospective student’s data|
|Gary Senseman, email@example.com,
|Warner College of Natural Resources||
– Backup system
-STEM education support
Management of internal resources, all internal systems
name, username, ip_address
name, username, ip_address, dept affiliation, software downloaded
name, username, csuid, title/class, department, ip address, photo, bio, publications, google scholar id, certifications, education, interests, dept affiliations, articles, websites, CV, email address, phone number, various attachments that may contain sensitive information, salary, research proposals, purchase, or travel information, program usage
name, username, email address, student major
|Natural Resource Ecology Laboratory||
Credit card processing
Internal management of people and resources
We supply shopping cart data, authorize.net collects payment data.
Accounting data may include salaries, funding, expenditures, travel, etc.
Name and contact information of customers for analytical laboratory services; System activity logs; Contact information, Registration data
|Center for Environmental Management of Military Lands||
File backups, Maps, and Users’ files
Internal management of people and resources
name, username, ip address, file contents
name, username, ip address, work data, file names
Abbreviations and Acronyms
ADA American with Disabilities Act
CE Continuing Education
CCPA California Consumer Protection Act
CSU Colorado State University
DOB Date of Birth
EHS Environmental Health Services
EU European Union
GDPR General Data Protection Regulation
GPA Grade Point Average
HDS Housing and Dining Services
HR Human Resources
N/A Not Applicable
PII Personally Identifiable Information
SEVIs US Student and Exchange Visitor Program
SSN Social Security Number
WC Worker’s Compensation
URL Uniform Resource Locator, or web address