Version 2021-02-03

This document provides an overview of CSU’s compliance with the European Union’s General Data Protection Regulation, or GDPR, which became effective on May 25, 2018, and the California Consumer Protection Act, or CCPA, which became effective January 1, 2020. It provides a summary of the areas covered by the GDPR and the CCPA, CSU’s high-level compliance in terms of governance and responsible parties, a general discussion about CSU’s IT Security and Privacy environment, and specific information regarding the nature and legitimate business need for processing the data.

The GDPR and the CCPA apply to organizations involved in the processing of personally identifiable information (PII) of individuals.

  • The GDPR applies to residents of the EU located in the EU. An organization may or may not maintain an “establishment” in the EU and be covered by GDPR. [1] Without determining if or when CSU maintains an establishment, we recognize that GDPR applies when, acting as a controller or processor, “the processing activities are related to offering goods or services to data subjects in the [EU],” even when the goods and services are offered for free. [2] Further, GDPR protections apply when CSU processes the PII of data subjects in the EU and that processing is related to the “monitoring” in the EU of the “behavior” of data subjects as their behavior takes place within the EU. [3]

The CCPA bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code.[4] It provides essentially the same protections for Californians as does the GDPR for EU residents. However, it contains an additional provision that individuals who protect their privacy rights are not to be discriminated against. Also, users may use this toll-free telephone number to inquire about their rights and privileges under the CCPA: 833-610-1259.

Web pages may collect PII through the use of forms, as well as by recording IP addresses or recognizing cookies [5] from the end user. All such PII that we collect is extremely well protected, and CSU desires to be transparent about how we secure and protect such data. Therefore, all University web pages offering services to individuals which process PII shall include a URL reference to this document on the home web page offering such a service.

A list of commonly used abbreviations and acronyms is provided at the end of this document.

Provisions of the GDPR and the CCPA

The GDPR and the CCPA cover three areas involving individuals’ personal data, each described in a subsection below.

General Principles for Processing Data

Personal Data shall be:

  • Processed (i.e. collected, handled, stored, backed up, made accessible, disclosed and destroyed) fairly, lawfully and transparently. An organization must have a ‘legal basis’ for processing an individual’s personal data (e.g. the individual has consented to the processing, or the processing is necessary to operate a contract with them, or the processing is necessary to fulfil a legal obligation).
  • Processed only for specified, explicit and legitimate purposes.
  • Adequate, relevant and limited to only what is necessary or for which consent has been given.
  • Accurate (and corrected if it becomes inaccurate).
  • Not retained for longer than necessary – data retention periods.
  • Processed securely.

An Individual’s Rights

  • The right to be informed of how their personal data are being used. This right is usually fulfilled by ‘privacy notices’ (or ‘privacy policies’) which set out how an organization will use an individual’s personal data, who it will be shared with, etc.
  • The right of access to their personal data.
  • The right to have their inaccurate personal data corrected.
  • The right to have their personal data erased (right to be forgotten).
  • The right to restrict the processing of their personal data pending its verification or correction.
  • The right to receive copies of their personal data in a machine-readable and commonly-used format (right to data portability).
  • The right to object: to processing (including profiling) of their data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest.
  • The right not to be subject to a decision based solely on automated decision-making using their personal data.
  • The right not to have their personal information sold to external entities.

Responsibilities of CSU

These laws introduce a range of accountability requirements to encourage a proactive and documented approach to compliance. These accountability requirements include:

  • Implementing policies, procedures, processes and training to promote ‘data protection by design and by default’.
  • Having appropriate contracts in place when outsourcing functions that involve the processing of personal data.
  • Maintaining records of the data processing that is carried out across the organization.
  • Documenting and reporting personal data breaches.
  • Defining Controllers as the points of contact for questions regarding the GDPR and the CCPA for data and services from the units covered.
  • Identifying data retention periods for its data and acting upon them (i.e. purging data) when the retention period is exhausted.

There are various exemptions from compliance, two of which are pertinent to institutions of higher education, viz.:

  • Personal data processed for journalistic, artistic, literary or ‘academic purposes’ are exempt from the principles and almost all of the rights, though not the accountability requirements.[6]
  • Personal data processed for ‘scientific or historical research purposes’, ‘statistical purposes’ or ‘archiving purposes in the public interest’ are exempt from two of the principles (those stating that personal data shall be processed solely for specified purposes and not kept for longer than necessary) and most of the rights, though not the other principles, the right to be informed (unless providing the privacy notice would be impossible or would involve ‘disproportionate effort’), or the accountability requirements.[7]

An individual’s consent is not required to process personal information for legitimate business purposes. Indeed, virtually all of the data we collect falls into this category, and direct, affirmative consent is not required. However, activities which are peripheral to the University’s learning environment, research environment, and outreach environment are not exempt from having to obtain affirmative consent.

Finally, it is noted that CSU is required to collect, secure, keep, and maintain PII data under a wide variety of mandatory rules, regulations, and policies, including:

  • State of Colorado records retention policy mandates keeping various types of documents and information for various time periods, as required by the State of Colorado Records Retention Manual (http://www.colorado.gov/pacific/archives/state-agency-records-management). Section 8 of that manual pertains to higher education in Colorado. CSU has its own complementary policies[8] on records retention, as well.
  • CALEA – the federal Communications Assistance for Law Enforcement Act of 1994 (47 USC §1002) requires CSU to collect and maintain information about individuals’ uses of our network and communication systems, for possible needs by law enforcement.
  • GLBA – the federal Gramm-Leach-Bliley Act of 1999 (12 USC §1811) is synergistic with the GDPR and the CCPA, and requires certain protections to be put into place regarding IT Security and privacy of an individual’s financial records.
  • SOX – the federal Sarbanes-Oxley Act of 2002 (116 USC §745) mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud, specifying reporting and retention clauses for financial data.
  • Statewide reporting of student unit records to the Colorado Department of Higher Education, into the statewide SURDS (Statewide Unit Record Data System), is required by state law.

General IT Security and Privacy Environment, and CSU’s Privacy Environment

Over the last five-plus years, there has been no area in central IT to which we have paid more attention and devoted more effort than IT Security and Privacy. Over this time period, we have put many additional protections in place to enhance IT security and preserve individuals’ privacy, especially as regards Personally Identifiable Information (PII). Specifically, in response to the requirements of these two legislative bills, we have:

  1. Identified Controllers for PII data for all of our relevant IT systems and services. Controllers are generally knowledgeable about the data collected, the business needs for the data, data retention and disposal periods, and other factors pertinent to their areas. Controllers may also refer individual requests to others with greater knowledge than they have, especially concerning reporting and business intelligence needs.
  2. Reviewed all of the PII we collect, and verified a business need to collect it.
  3. Reviewed storage and preservation of PII in our internal systems and established necessary retention periods from a business needs perspective.
  4. Identified which information can be purged from which systems, over which time periods.
  5. Reviewed, revised and put into place contractual terms for all of our external vendors who hold our PII to comply with the GDPR and the CCPA. Especially important here are added terms and conditions for data retention and disposal.
  6. Included, in our Acceptable Use Statement that all users must accept, an affirmative acknowledgment by faculty, staff, students or affiliates agreeing to participate as a CSU patron under our compliance.
  7. Worked with our Institutional Review Board to understand that there must be both data retention and disposal clauses in all IRB-approved protocols.
  8. While requests may be made for an individual’s PII data to be removed from our systems, this will only be possible in very limited circumstances, as we are required by federal and state statutes, state fiscal rules, and other strictures to retain data for 1) required reporting, including retaining data for sufficient periods of time to respond to questions or queries regarding the data, and to allow us to recreate reports from multiple data sources, and 2) the use of data for business analytics to inform strategic and operational directions for CSU to provide both more efficient and more effective IT services. The systems used for these purposes are our most well-protected systems, deep behind firewalls and access control lists, with granular access for individual users to only the data they need for business purposes.

How to Use the Information in This Document

Individuals residing in the EU who are covered under the GDPR and Californians may query the Controller for their area of particular interest, identified in Table 1 below in section “Areas and Controllers,” for specific questions regarding the processing of their personal data. General questions may be directed to the University’s General Controller, also identified in Table 1 in the section “Areas and Controllers.”

Right to Petition for Redress

Individuals residing in the EU who are covered under the GDPR, or Californians, who have contacted a Controller in their area of interest and received an answer with which they are unsatisfied, or have not received an answer within a reasonable time period, may petition for redress [9] to the University’s General Controller, identified in Table 1. The University’s General Controller shall caucus with the Vice President for Information Technology, and respond to the request, normally within one week of receipt of the request. Should the individual be unsatisfied with that answer, or have not received an answer within two weeks of submitting the request, the individual may contact the University’s General Controller and request that the response be reviewed by the University’s Office of General Counsel, whose determination shall be final.

General Approaches to Special Circumstances

There are several areas that merit special circumstances for services of a general nature, as described below.

General data collection – CSU collects very, very little information of a personal nature, except as needed to fulfill a required business function. In most cases, we will not be able to accommodate “right to be forgotten” requests, as we must maintain complete and comprehensive information in order to facilitate efficient and effective operations in our environment. We simply do not have excess capacity to ingest and/or process extra information, nor do we ever sell your personal information to any provider for a fee. All of our sensitive data is maintained behind very robust firewalls, and is thus very secure and highly private.

Cookies – Cookies are small files stored on your personal device (computer, laptop, tablet, smart phone, etc.) that are particular to specific web pages you visit. Cookies are processed by the web page to maintain your connections and your identity as you browse across web pages (the web is stateless, meaning that the web by itself will not remember who you are as you browse through pages; cookies are required for this purpose). You have complete control of cookies on your device and you can choose to disable them. However, if you do so, you may then be unable to receive services from CSU, especially ones that require your identity and maintaining your place in the hierarchy of the web.

System and network logs – CSU is required by several laws (referenced above) to maintain system and network logs for specified periods of time. In most cases the retention period for the data is determined by the software/application, and we have little or no say in that. As these logs are a legal requirement, we cannot support the “right to be forgotten” in these logs. However, we can assure you that these logs are only used by us internally for purposes of analyzing and tuning (optimizing) our service delivery. We never distribute these, so they are extremely secure and very private.

Privacy Areas and Controllers

Below, we indicate separately for each system and/or service the Privacy Controller (the “Controller”) for the system and/or service. Each Controller has reviewed the data collected for their system and/or service, removed from collection any data items not needed for reporting or business purposes, established a data retention period, and agreed to serve as the point of contact for individuals who may have questions about Privacy compliance.

Table 1 Privacy Controllers by System and/or Service
Controller Name & Contact Info General Area General Description of PII Data Collected PII Data Elements Collected
State of Colorado Chief Information Security Officer Supervisory Authority N/A N/A
Steve Lovaas, Steven.lovaas@colostate.edu, 970.297.3707 General University Controller for GDPR None for this purpose None for this purpose
Suzi White, suzi.white@colostate.edu
970.491.7890
CSU Libraries Libraries Catalog – User Information Users, materials checked out (only while they are checked out, so they can be tracked for return)
Suzi White, suzi.white@colostate.edu
970.491.7890
CSU Libraries Opt-in scholarly communication information
Greg Redder
Greg.Redder@colostate.edu, 970.491.7222
Networking Logins and IP addresses, for debugging and support purposes Username, time and date, login success
Joe Volesky, Joe.Volesky@colostate.edu,
970.491.3752
Central IT “academic” systems and services System logs Username, IP addresses, services accessed, time stamps
Josh Clark, josh.clark@colostate.edu,
970.491.7169
Central IT “administrative” systems and services System logs Username, IP addresses, services accessed, time stamps
James Graham,
James.Graham@colostate.edu, 970.491.4803
Environmental Health Services Access information First, middle, last name, CSUID, birthdate, EHSID
Sally Alexander, sally.alexander@colostate.edu, 970.491.7726 Office of Risk Management & Insurance Workers Compensation (WC)

Name, date of birth, address, and SSN. For WC: medical treatment plans, impairment ratings, physical ability assessments, marriage status, date of termination, wages, medical treatment plans, impairment ratings.

With consent: medical information, hospital records, and medical bills. Description of incidents

Tyler Clayton, tyler.clayton@colostate.edu, 970.491.5620 International Student and Scholar Services International education exchange information; US Student and Exchange Visitor Program, INTO CSU program Names, birthdates, contact information, immigration documents, passport information, financial documents, travel plans, confidential notes about immigration issues. For students: admission, academic, and enrollment information; confidential notes about academic issues. For employees: employment and salary information.
Departmental database for collecting, storing, and processing data about international students
Sarah Olson, Sarah.Olson@colostate.edu, 970.491.1393 Office of International Programs Information in an internal CSU database necessary for enrolling individuals in programs, with contact information obtained for communications, including life and safety alerts. Name, title, and possibly (for some programs) mailing address, email address, telephone number, specific information regarding their research, secure digital signature.
Laura Thornes, laura.thornes@colostate.edu, 970.491.2964 Office of International Programs – Education Abroad Information relevant to a study abroad experience. Company was thoroughly vetted for IT security. CSU activated a GDPR Consent Setting in May 2018, giving them an opportunity to opt out prior to applying. Names, gender, date of birth, emails, SID, passport info, major, personal demographic data.
Mike Brake, mike.brake@colostate.edu, 970.491.7095 Collaborative for Student Achievement Information provided by participants to assist advisors of students in their academic career at CSU. Names, demographic information, academic history information provided by participants to assist in their academic career at CSU.
Academic Major investigation at CSU Name, DOB, email opt-in for students.
Scholarship and academic progress reporting information. Names of Scholarship recipients and academic progress/status.
Taking Stock Information, for student advising Names, email addresses, hall, international status, student type. Student may provide some personal information as a result of taking the assessment.
Online orientation Name, college, completion information
Scholarship/Award candidate information to encourage students to apply for those opportunities Names, email addresses, cum_gpa
Applications for Key Communities, a student position with Orientation and Transition Programs, or apply for a scholarship Names, emails, demographic information, personal essays, resumes, and other information necessary to apply.
Student Advising Network Names, emails, demographic information, personal information, academic plans, advising comments.
Jordan Schroeder, Jordan.Schroeder@colostate.edu, 970.492.4750 CSU Online Various information for CSU Online students Student identities, transactions, academic history, demographics, IP addresses,
CSU online Student registration and associated services, web services, learning analytics service, surveys, fileshare CSU Online internal data set necessary for receiving CSU Online services
Josh Clark, Josh.Clark@colostate.edu, 970.491.7169

Information Systems:

Online Shop Catalog

Financial Feeds Sent to CSU Pueblo.

Cell phone billing

Transaction and new card information from Mastercard

Allows Accounts Payable reconciliation of checks

Financial feed to the State

1099 Reporting

Manages lab equipment & billing for lab equipment.

Shipping insight software.

Time Clock and Leave Management System.

User, Position, New Hire.

Employee information.

State Classified employee information.

payroll data, benefits data

Employee information, payroll data, benefits data

Employee information and deduction information

Employee and deduction information

Employee, user, payroll data

Employee data

Faculty Evaluation System

Ticket/Project Management System

Workflow Application

Documentation Repository

Degree Auditing and Evaluation

Degree Auditing and Evaluation

Transfer Course Management

International Students/ESL/College Prep

Feed data to SAS

Mobile Application

Scholarship Management

Student Health Insurance

Learning Management System

Report student status

ADA Scheduling System

Import SAT and AP Test Scores

Academic Catalog Management

Analytics & Counseling/Athletics

Haven/Alcohol EDU Training for Students

Workstudy Mgmt

Analytics & Counseling

Conflict Resolution, for managing behavior records

Transcript Printing and Distribution

Federal Government

Admissions System

Health Insurance Management

International Office (FSA Atlas Replacement)

Studio Abroad

Analytics & Counseling

Name, CSUID, Phone Number, ename, dept. number, email address, credit card number, salary, supplemental pay, HR ID, federal tax ID, user, position new hire, employee information, state classified, payroll deduction information, user, payroll data

Employee data

Payroll data

Name, Email, Phone Number, supplemental pay, HR ID

Name, Email Address

Most Student Data (All Pii)

Name, Phone Number, Email, Address,

Department,

CSUID, Phone number, credit card number, federal tax ID, User, Position, New Hire Employee information, State Classified employee information, Employee information, payroll and deduction data, benefits data. Employee and deduction information

Employee, user, payroll data

Employee data

Payroll data

Name, Email, Phone Number

Names, Email Addresses, CSUID, Phone Number, Department Number, ename, email, address, salary, supplemental pay, HR ID,

Most Student Data.

All PII Data, including: Name, CSUID, Email, Position, Phone Number, Department Name, Parent/Sponsor
Steve Burn, Steve.Burn@colostate.edu, 970.491.7770 Central Receiving: Shipping information, allows departments to ship packages from their desks. Name; CSU Id#; Dept – Name, Number; Kuali Account #; Address Information
Joe Rymski, joe.rymski@colostate.edu, 970.430.5757 Web Communications Web site cookies are used in a wide variety of sites. Users may clear their cache of cookies, and configure their browsers not to accept cookies.
David Leathers
David.Leathers@colostate.edu
970.491.5509
Business and Financial Services To record SSN’s for students and employees. Name, address, CSUID, SSN
Suzanne Zimmerer
Suzanne.Zimmerer@colostate.edu,
970.491.3001
Business and Financial Services Information necessary to notify individuals of monies due to CSU. Name, address, CSUID, amount owed or due.
Grant Polzer, Grant.Polzer@colostate.edu, 970.491.2040 Business and Financial Services I-10 form information Name, address, Individual Taxpayer Identification Number (ITIN)
Jordan Fritts, Jordan.fritts@colostate.edu, 970.491.5626 Admissions Captures PII data for any person applying for admission and/or attending classes at CSU, degree-seeking or not. SSN, DOB, address, email address, birth place, immigration information, eName, URLs visited, browsers/IP addresses, photos, parent information criminal/legal documents.
Jamie Yarbrough
Associate Registrar
970-491-7470
Registrar All data, PII, and metadata, for students; all identity information for students, faculty, staff affiliates and CSU Online. SSN, CSU ID, PIDM, State Assigned Student ID, Slate ID, Common Application ID, Electronic Prospect ID, Semester at Sea ID, Shipboard ID, INTO ID, INTO Internal ID, Alumni ID, HR Employee ID, Duplicate Purged ID, ISIS ID, SARS ID, Visa Type, Visa Number, Names, Addresses, Phone Numbers, Email Addresses, Birth Date, Sex, Gender Identity, Sexual Orientation, Race/Ethnicity, Deceased Date, Emergency Contacts, Parent Names, Parent Addresses, Parent Phone Numbers, Parent Email Addresses, First Generation, GI Bill, Veteran Info, Planned Leave, Programs of Study, Dates Enrolled in Each Program of Study, Registration Activity, Class Schedules, Grades, GPAs, Comments, Holds, High School Graduated From, Year of High School Graduation, High School GPA, High School Class Rank, Other Institutions Attended, Dates of Attendance at Other Institutions, Courses Taken at Other Institutions, Grades Received at Other Institutions, Degrees Awarded, Dates Degrees Awarded, Academic Honors, Sports, Fraternity/Sorority Membership, Advisors, Withdrawal Info, Bankruptcy Status, Collection Agency Assignment, Third Party Sponsor, Repeat/Deleted Courses, Fresh Start
William Mills, William.Mills@colostate.edu, 970.491.3803 Office of Financial Aid Data used to award scholarships, and include student employment in the financial aid calculations. Personal and Academic data, basic person information, Class Schedule, and Work Study awards.
Kathleen Harward, Kathleen.Harward@colostate.edu, 970.491.1482 Student Legal Services Data used to provide student legal services CSU ID, Name, Phone #, Address, email, DOB, Year in School, summary of legal case with names of adverse parties, Client doc’s, e.g. leases, police tickets, contracts, insurance doc’s, lawsuits, med records, collection notices, bank records.
Shaun Geisert, Shaun.Geisert@colostate.edu, 970 430.5858 Division of Student Affairs Data used to inform students in a variety of ways that enhances their success as students. Name, gender, ethnicity, email, contact information, system logs, CSUID, DOB, appointments, phone, arrest records, appointments, nominations, quiz grades and performance information, bicycle use, homebuyer, fraternity or sorority membership, health information,
Lori Lynn, Lori.Lynn@colostate.edu, 970.491.1752 CSU Health Network Health information Name, CSUID, password, email, department, course status, prescriptions, insurance, diagnosis, scans and images, lab results, demographics, counseling records,
Melissa Emerson, Melissa.Emerson@colostate.edu, 970.491.7165 Student Resolution Center Name, address, phone, DOB, CSUID, parent name, conduct history with dates, parties involved, hearing notes, rationale, outcomes, findings, sanctions, action items, holds, deadlines, police reports, Clery reports, appointments
Cody Frye, Cody.Frye@colostate.edu, 970.491.2301 Campus Recreation Name, CSUID, DOB, Email, eName, Address, Gender, Phone, Gender,
Laura Giles Laura.Giles@colostate.edu, 970.491.4748; or Shane Vigil, Shane.Vigil@colostate.edu, 970.491.3156 Housing & Dining Services

Email, phone, on-campus address, package notifications, housing assignments, roommates,

employment agreements, eRezLife),

student job postings, applications, sign-ups for interviews, position assignments, and all application status notifications, items, employee information, job descriptions, compensation ranges, PII of applicants.

Jason Huitt, Jason.Huitt@colostate.edu, 970.491.2511 Lory Student Center First name, last name, appointments
Royce Lahman, Royce.Lahman@colostate.edu, 970.491.4687 Residential Dining Information used to provide and improve dining services. Name, ID Number (CSUID), phone number, address.
Dezarai Brubaker, Dezarai.Brubaker@colostate.edu, 970.491.1378 Conference and Event Services Information is collected from opt-in participants to provide access to events and conferences. Name, address, phone number, email, IP address. Credit card payment information is collected through a secure on-line portal, authorize.net, for opt-in services and payments.
Neal Luján, neal.lujan@colostate.edu, 970.491.5119 RAMCard The RAMCard office stores information necessary to produce, maintain and verify CSU identity cards, and participate in University-sponsored events.

Collected:

CSUID, DOB, phone, Email Address, Photographs (RamPix Submission/In-Office), Customer Signature, Photo copy of Government-issued ID (Distance Students), RamCash Account History, Name and Preferred Name

University Data Used:

Personal and Demographic Information From Banner: AriesWeb Enrollment and Employment Status

Kirk Wilkinson, Kirk.Wilkinson@colostate.edu,
970.491.4759
Apartment Life Information necessary to operate, manage and support apartment residents. Name, DOB, Phone Number, Email Address, Nationality, ADA Accommodation, Family Member Names and Ages, Guest Names and Ages, CSUID, Police Reports, Doctor’s Notes, Charges Applied to Resident, Eviction Records, Conduct Records, Printed Emails, Employee Photos, Apartment Address, Dates of Occupancy in Apartments, Signatures, Financial Information
Shane Vigil, Shane.Vigil@colostate.edu, 970.491.3156 HDS Admin Information of electronic signatures, tutorials for language learners, ID card photographs and associated metadata,

Name, DOB, phone, email address, campus mail address, home mail address, CSUID, I9 documentation (social security number, driver’s license, birth certificate, work authorization), preferred name, bank information, Tax withholding information, pay information.

eName, Gender, Ethnicity, DOB, Major; occasionally also facilitate uploads of documents with personally-identifiable information, such as resumes, Photos, video, surveys, job applications, resumes

Laura Alexander, Laura.Alexander@colostate.edu, 970.491.0863 HDS Facilities Information to support staff work orders. Name, phone, and/or email.
Shane Vigil, Shane.Vigil@colostate.edu, 970.491.3156 HDS Technology Services Complete profile information relevant to delivering student services, including technology support, in housing and dining. All data are kept on campus, and backed up on a secure Azure site. No data are shared.

Name, CSUID, location, (username, IP address, MAC address), physical location, resume.

Full name, preferred name, DOB, phone, email, physical addresses ename, major, student level, class standing, program of study, academic standing, anticipated graduation date, credits (earned, transfer, CE, other), GPA, holds, college, department, university employment status, assignment history, university employment department, job title, gender, ethnicity (if supplied), country of citizenship, lifestyle preferences, preferred living options, ADA concerns, ADA accommodations, meal plans, meals used, RamCash balances, RamCash transactions, billing amounts due, collection status, account balance, deposit amounts

TBD Student Case Mgmt. Information necessary to manage student cases. name, CSUID, DOB, location, other factors: medical/mental health info, economic, cultural, social identity info
Kylan Marsh, Kylan.Marsh@colostate.edu, 970.491.7187 Development and Advancement Information on CSU’s constituents – e.g. alums, faculty/staff, parents, donors, friends, etc., for the purposes of fund raising, tax reporting, etc.

External systems: name, address, email, phone, gift/event details;

Internal systems: name, title, address, email, phone, gift/event registration info., scholarship info., CSUIDs, Displays elements of donor record. Normal IIS tracking occurs, degree information, tracking of responses, seating information.

Joe Rymski, Joe.Rymski@colostate.edu, 970.491.5757 University Communications Web cookies are specified to facilitate a user’s browsing experience, for example, transferring “state” between web page views. In almost all cases, they cannot be disabled. Web cookies are stored on the user’s device, and are essential to provide a seamless, robust user experience. The University accesses these in a highly secured manner, only upon a user requesting a web page, and neither stores them nor distributes them elsewhere.
Nick Cummings,
Nick.Cummings@colostate.edu
970.491.2856
Human Resources Benefits management, BenefitSolver, benefitsolver.com; COBRA insurance and DCP premium refund, Healthsmart, healthsmart.com; Dental insurance, Delta Dental, deltadental.com; Employment verification, The Work Number, theworknumber.com; Flexible spending accounts and commuter transit benefit, Discovery, discoverybenefits.com; Form I-9 completion and ACA insurance management, Equifax, equifax.com; Health insurance, Anthem, anthem.com; Life insurance, Hartford, thehartford.com; Retirement accounts, Voya, voya.com; Retirement accounts, PERA, copera.org; Retirement accounts, TIAA, tiaa.org; Retirement accounts, Valic, valic.com; Retirement and HSA accounts, Fidelity, fidelity.com; Search, application, and hiring process; peopleadmin.com; Vision insurance, VSP, vsp.com; payroll deposits to various banks (opt in by employee).
Controller Name & Contact Info General Area General Description of PII Data Collected PII Data Elements Collected
Colleges
N/A Agricultural Sciences, Soil and Crop Sciences
N/A Engineering
Bryan Gillispie
Bryan.Gillispie@colostate.edu
970.491.2223
Liberal Arts

– Audition applications;

– Travel forms;

– Search committee and P&T materials;

– Used for locker registrations, signups, prospective students events, marketing;

– University Tickets, Ticket Sales;

Project/Program Management Tool,

Copies and subscriptions to Colorado Review, contest entries;

Sending digital subscriptions of Colorado Review to subscribers, notifying previous entrants to contests that current contest is open;

Contact info

Curricula vitae

Names, contact info;

Names and CSU contact information

Names, addresses, email, phone

Kacie Reed, Kacie.Reed@colostate.edu, 970.491.6104; and

Stefan Tonazzi, Stefan.Tonazzi@colostate.edu,
970.491.5810

College of Veterinary Medicine and Biomedical Sciences

VTH patient management, Medical records;

CVMBS payment processing

CVMBS software consulting

– DVM application data,

– Student & Employee data, Client data

Proposals and sponsor attached to it.

– Facebook and Instagram Analytics

– Course evaluations.

Medical treatment plans

Names, addresses, phone numbers, emergency contacts, CSUID, DOB, email address, personal medical treatment, worker’s compensation, leave time, employee salary and benefits, employee evaluations, mobile device information, language, IP address, classes taken

Richie Nelsen, Richie.nelsen@colostate.edu 970.492.4929, and

Zeel Patel,
zeel.patel@colostate.edu
503.784.1533

College of Business – Applicants’ data Student data; prospective student’s data
Gary Senseman, gary.senseman@colostate.edu,
970.491.0676
Warner College of Natural Resources

– Backup system

– STEM education support

Management of internal resources, all internal systems

name, username, ip_address

name, username, ip_address, dept affiliation, software downloaded

name, username, csuid, title/class, department, ip address, photo, bio, publications, google scholar id, certifications, education, interests, dept affiliations, articles, websites, CV, email address, phone number, various attachments that may contain sensitive information, salary, research proposals, purchase, or travel information, program usage

name, username, email address, student major

Ty Boyack,
Ty.Boyack@colostate.edu
970.491.1186
Natural Resource Ecology Laboratory

Credit card processing

Accounting information

Internal management of people and resources

We supply shopping cart data, authorize.net collects payment data.

Accounting data may include salaries, funding, expenditures, travel, etc.

Name and contact information of customers for analytical laboratory services; System activity logs; Contact information, Registration data

Erica Fleishman,
Erica.Fleishman@colostate.edu, 970.491.2673
Center for Environmental Management of Military Lands

File backups, Maps, and Users’ files

Internal management of people and resources

name, username, ip address, file contents

name, username, ip address, work data, file names

Abbreviations and Acronyms

ADA               Americans with Disabilities Act

CE                   Continuing Education

CCPA              California Consumer Protection Act

CSU                Colorado State University

DOB               Date of Birth

EHS                Environmental Health Services

EU                   European Union

GDPR             General Data Protection Regulation

GPA                Grade Point Average

HDS                Housing and Dining Services

HR                  Human Resources

N/A                 Not Applicable

PII                   Personally Identifiable Information

SEVIs             US Student and Exchange Visitor Program

SSN                Social Security Number

WC                  Worker’s Compensation

URL                Uniform Resource Locator, or web address

[1] GDPR Art. 3(1) and Recital 22
[2] Rec. 23
[3] Art. 4(2)(b) and Rec. 24
[4] The California Consumer Privacy Act of 2018.
[5] Rec. 30 states:

“Natural persons may be associated with online identifiers provided by their devices… such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

[6] Art. 85(2), Rec. 153
[7] Art. 89(1), Rec. 159
[8] CSU Financial Rules, Rule 10 Retention of Student Records Policy
[9] Art. 47, Rec. 108