

Data Privacy

Chapter 3440
Created February 14, 2025

Table of Contents

.010 Purpose
.020 Scope
.030 Definitions
.040 Policy
.050 Roles and Responsibilities
.060 Exception Process
.070 Policy Violations
.080 Periodic Review and Policy Updates
.090 Related Regulations and Laws

This Data Privacy Policy establishes standards and practices to be communicated to the community, ensuring that Personally Identifiable Information (PII) is handled consistently with expectations and legal requirements; that boundaries are respected around the use of data, obtaining consent, and maintaining the confidentiality of personal data; and that individuals at K-State feel empowered to make informed choices about the use of their personal information.

.010 Purpose

The purpose of the Data Privacy Policy is to clearly define the University’s approach to data privacy and how the University will manage the usage and protection of PII. With today’s reliance on electronic platforms, personal data is readily available and used across the institution. This Policy should be used accordingly to govern and communicate consistent and appropriate practices of how the University governs personal data.

.020 Scope

This Policy applies to all individuals affiliated with the University, including faculty, staff, student workers, contractors, third-party service providers and other affiliates, who access or utilize university data, records or documents in paper or electronic formats containing PII. This Policy is not intended to replace or supersede other University policies, procedures and standards relating to the use of specific types of sensitive information, such as FERPA, HIPAA, PCI and GLBA.

.030 Definitions

For clarity and to ensure a common understanding of terms used in this policy, please refer to the Glossary of Defined Terms which provides detailed definitions for all key concepts and terminology.

.040 Policy

  1. Privacy Principles

    Data privacy is focused on protecting individuals’ privacy rights and ensuring the lawful and ethical handling of personal information. Privacy ensures individuals have understanding and control over how their data is collected, used, shared, and stored, and that data is only used by authorized parties for clearly defined and organizationally accepted purposes.

    1. The University’s approach to data privacy considers the following principles:

      1. Lawfulness, Fairness and Transparency: Personal data must be processed lawfully, fairly and transparently with respect to the data subject.

      2. Purpose Limitation: Personal data must be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

      3. Data Minimization: Personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

      4. Accuracy: Personal data must be accurate and, where necessary, kept up to date. Inaccurate data should be rectified or erased without delay.

      5. Storage Limitation: Personal data should be retained for only as long as necessary to meet the stated purposes.

      6. Integrity and Confidentiality: Personal data must be processed in a manner that promotes appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage.

      7. Accountability: The data controller (the entity determining purposes and means of processing personal data) shall be responsible for, and be able to demonstrate compliance with, the GDPR principles, to the extent applicable.

    2. The University is committed to promoting protection of individual privacy and confidentiality of its employees and students while also committing to following common and core privacy practices as applicable by law, ethics, business necessity, and individual rights.

      1. Lawfulness, Fairness and Transparency: The University will provide notice, when reasonably knowable, of the data it intends to collect and its intended use. The University will ensure that data is collected, processed and disclosed in a manner consistent with what is permitted by law and its regulatory obligations. Data that is collected and shared may include data used for research, administrative and educational purposes.

      2. Purpose Limitation: Personal data collected and used by the University will be collected for specific, explicit and legitimate purposes and not further processed in ways that are incompatible with those purposes. Individuals will be informed of the reason the data is being collected and the purposes for which the data will be used.

      3. Data Minimization: The University will only collect personal data adequate, relevant and limited to what is necessary to provide services and conduct normal business operations. Access to the data will only be granted to internal users with business or educational needs to perform this service or business operation.

      4. Accuracy: The University will ensure that personal data is accurate, complete and up-to-date. Inaccurate data will be rectified or erased without delay.

      5. Storage Limitation: Personal data will be retained by the University as long as necessary to provide services and conduct normal business operations, as applicable by regulations, laws and standards. Please refer to the University’s Data Retention and Disposal policy for additional information on data storage.

      6. Integrity and Confidentiality: The University will employ security measures and mechanisms to protect against unauthorized access, disclosure, alteration and destruction of personal data in accordance with data protection standards approved by the University including physical, technical and administrative safeguards. Access to personal data will be granted to those who require access to conduct research, fulfill job duties or conduct normal business operations. Any data breach will be addressed immediately and in accordance with applicable regulatory requirements.

      7. Accountability: Data Stewards will be accountable and responsible for their respective data and must demonstrate compliance with this policy.

  2. Rights of Data Subjects

    Individuals have rights regarding their personal data, including the right to access, correct, delete, transfer or restrict the processing of their data (when applicable or reasonably possible). Data users may exercise these rights by completing a process through [insert policy or appropriate party]. Note that this does not guarantee automatic approval, and the individual may be required to provide justification for exercising these rights.

    Individuals will be offered the opportunity to provide consent (opt-in) when personal data is intended to be used by the University. This consent will ensure that the personal data can be collected and used in a free and informed manner. Individuals also have the right to opt-out when consent is not given for data sharing.

  3. Monitoring and Enforcement

    The University Division of Information Technology will be the main point of enforcement and will monitor the implementation and use of this policy. The policy may be modified over time to account for changes in laws, regulations or University standards.

.050 Roles and Responsibilities

The Associate Vice President for Information Technology and Chief Information Officer (CIO) is responsible for the oversight and maintenance of this policy. The Vice President for Administration and Finance is responsible for the final approval of this policy.

Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the Associate Vice President for Information Technology and Chief Information Officer.

.060 Exceptions

Exceptions from this policy must be approved as described in the Security Exceptions Management Policy. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the Chief Information Officer.

.070 Policy Violations

Reports of any alleged violation of this policy, and general questions regarding this policy, should be sent to the Chief Information Officer.

Failure to comply may result in sanctions as defined in the K-State Sanctions Policy. Violations may lead to disciplinary actions, up to and including discharge, dismissal, suspension or expulsion, legal actions, and criminal investigation or prosecution.

.080 Periodic Review and Policy Updates

To ensure relevance and compliance with evolving regulatory, technological, and operational standards, this policy should undergo a comprehensive review at least annually in accordance with the requirements described in the Policy on Policies. During this review, necessary updates will be made to reflect any new legal requirements, organizational changes, or external factors impacting policy efficacy.

.090 Related Regulations and Laws

  • State of Kansas, ITEC Information Technology Policy 7230 Enterprise Security Policy
  • State of Kansas, ITEC Information Technology Standards & Guidelines 7230A IT Security Standards