Information Privacy Office

The Information Privacy Office

Information Privacy is the principle that a person should have control over their personal data or personal information, including the ability to decide how organizations collect, store and use their data.

At Utah State University, we manage a wide range of institutional data to support academic, administrative, and operational functions. A portion of this includes personal information—data about students, employees, prospective students, and other members of the USU community.

What Counts as Personal Information?

At USU, personal information is anything that can identify someone—like their name, contact details, date of birth, or government ID numbers. It also includes student and employee IDs (like A-numbers), work or class details tied to a person (such as schedules, grades, job titles, or office locations), and sensitive records like health, disability, financial aid, or payroll information. Even digital data—like usernames, login activity, swipe card use, or device and IP addresses—counts if it can be linked back to an individual.

Each type of data managed at USU carries its own set of risks, legal obligations, and handling requirements. As a result, privacy protections vary depending on the nature of the information, the individuals it pertains to—such as minors or international students—the reasons it is collected, and where and how it is processed. These factors determine which privacy laws apply and what safeguards are necessary to ensure proper data protection. 

The Information Privacy Office supports faculty, staff, and university departments by helping them recognize and apply appropriate privacy standards across systems and services. This work is guided by a principles-based framework focused on three key areas: information management, vendor management, and incident management. Each area aligns with USU’s Data Classification Standards to ensure that all data is protected based on its sensitivity and the potential risks involved.

USU Privacy Principles

The USU Privacy Principles establish guidelines for ethical and responsible handling of personal data at Utah State University, applicable to university operations. All external partners, consultants, and vendors must comply with these standards when processing data for USU. Adherence to these principles doesn't exempt any party from other legal or regulatory obligations related to privacy and data protection. These principles are dynamic and will be updated as privacy laws evolve.

1. Transparency, Notice, and Choice
   Inform individuals clearly and accessibly about the collection, use, and sharing of their personal data. Where feasible, provide meaningful choices, including obtaining informed consent for certain uses.
   
   
2. Minimization
   Collect and use only the personal data necessary to accomplish a specific, legitimate purpose.
   
   
3. Responsible and Ethical Use
   Use personal data strictly for communicated purposes or as permitted by law. Manage information with integrity, accountability, and fairness.
   
   
4. Need to Know
   Restrict access to personal data to individuals who require it to perform authorized university functions
   
   
5. Security and Protection
   Implement administrative, technical, and physical safeguards to protect personal data from unauthorized access, use, disclosure, or loss.
6. De-Identification and Anonymization
   Where possible, remove personal identifiers or apply de-identification techniques to reduce risks to individuals.
   
   
7. Data Stewardship and Accountability
   Assign clear responsibility for managing data. Data owners must ensure compliance, assess risks, and respond to privacy inquiries or concerns.
   
   
8. Third-Party Management
   Share personal data only with partners who meet or exceed USU’s privacy and security requirements, governed by formal agreements.
   
   
9. Retention, Deletion, and Disposal
   Keep personal data only as long as necessary for operational or legal reasons. Delete, archive, or securely dispose of data when it is no longer needed.
   
   
10. Geospecific Compliance
    Comply with privacy laws and regulations specific to the jurisdictions where data is collected, stored, accessed, or transferred.
    
    
11. Incident Response and Reporting
    Promptly report suspected or confirmed privacy incidents to the appropriate university office for immediate investigation and resolution.