
Security Policies and Rules

This page outlines the rules and policies implemented by the Office of Information Security at Oregon State University. It details key security rules, including those for vulnerability management, system administrator practices, remote access, password protocols, and third-party vendor information security. Additionally, it describes university policies for data management, acceptable information use, network administration, and privacy protection. The page also includes OSU's privacy notice, highlighting data usage, collection, retention, and GDPR compliance. Together, these rules and policies ensure the security, ethical use, and proper management of university information systems, data, and user privacy.


Policies

University Administered Security Policies

To protect data and assure that information technology at OSU is available and secure, the university has developed policies in four key areas. 

University Data Management, Classification and Incident Response

This policy aims to improve data access, accuracy, and integrity, while applying appropriate security controls and protection to manage risk.

Acceptable Use of University Information

This policy explains how we share OSU-specific information, and the obligations held by individuals with this information to use and secure it appropriately.

Data Access and Governance

In aligning with the priorities established for Oregon State University, the mission of the Data Governance Program is to allow for and facilitate campus-wide data-driven decision making.

University Network Administration

The integrity and availability of the Oregon State University network is critical to the continued operation of the university. This policy regulates the use of the wired and Wi-Fi networks used to access the university network.

Privacy Notice for Oregon State University

Oregon State University (OSU) is committed to safeguarding the privacy of personal information. This privacy notice outlines the collection, use, and disclosure of personal information provided to OSU by students, applicants for admission and employment, volunteers, and research subjects. When information is submitted to OSU, or you use OSU's website or other services, you consent to the collection, use, and disclosure of that information as described in this privacy notice.

Updates to This Privacy Notice

We may update or change this notice at any time. Your continued use of OSU’s services and applications after any such change indicates your acceptance of these changes. Please note that this document is merely informational; it doesn’t create any new or additional rights.

What is Personal Information?

Oregon State University includes personal information in its highest data classification level, confidential information. Confidential information includes but isn't limited to: Social Security Numbers, Driver’s License or State-Issued ID Numbers, and Visa or Passport Numbers. OSU also includes personal information in both the sensitive and unrestricted categories.

Please visit the Data Classification by Data Element page to see a full, comprehensive list of confidential information, sensitive information, and unrestricted information.

Securing Your Information

Information technologies are rapidly evolving and as such, there is no way to guarantee that data transmitted over the internet is completely secure. This said, we are committed to protecting the privacy of individuals who access our systems, and once we receive information we deploy reasonable safeguards consistent with prevailing industry standards and commensurate with the sensitivity of the information. We will also comply with any and all applicable federal, state, and local laws regarding the privacy and security of your information.

Use of Personal Information

In order to perform our role as a public institution of higher education, OSU collects and processes information, including personal information, from individuals who are students or who are applying to become students. OSU also collects and processes information from individuals who are research subjects in the exercise of scientific and historical research. Additionally, OSU collects and processes personal information from individuals who are applicants for faculty and staff positions in order to enter into or administer a contract for employment.

Personal information is collected and shared with internal and external parties to register or enroll persons in OSU, provide and administer housing to students, manage a student account, provide academic advising, develop and deliver education programs, track academic progress, analyze and improve education programs, recruitment, regulatory reporting, auditing, maintenance of accreditation, for recruitment of employees, to enroll employees in benefit programs, to track volunteers, and other related OSU processes and functions. OSU also uses information to conduct general demographic and statistical research to improve OSU programs. Personal information is collected, processed and shared internally and externally, as necessary, applicable and appropriate, to identify appropriate support services or activities, provide reasonable accommodations, enforce OSU policies or comply with applicable laws. Finally, information may be shared by OSU with third parties who have entered into contracts with OSU to perform functions on our behalf; we assure that such sharing carries an obligation of confidentiality and is safeguarded from unauthorized disclosure.

Disclosure of Personal Information

We may disclose your personal information as follows:

  • Consent: We may disclose your personal information if we have your consent to do so.
  • In event of an emergency: We may share your personal information when necessary to protect your interests if you are physically or legally incapable of providing consent.
  • As required as part of an employment contract: We may share your personal information when necessary.
    • An example of such sharing would be for administering employment or social security benefits in accordance with applicable law and/or any applicable collective bargaining agreement.
  • Public Information: We may share your personal information if you have agreed to make it public.
  • Archiving: We may share your personal information for archiving purposes in the public interest, and for historical research, and statistical purposes.
  • Performance of a Contract: We may share your personal information when necessary to administer a contract you have with OSU.
  • Legal Obligation: We may share your personal information when the disclosure is required or permitted by international, federal, and state laws and regulations.
  • Service Providers: We use third parties who have entered into a contract with OSU to support the administration of OSU operations and policies. In such cases, we will require those third parties have appropriate safeguards in place to prevent unauthorized disclosure.
  • OSU Affiliated Programs: We may share your information with parties that are affiliated with OSU for the purpose of contacting you about goods, services, charitable giving, or experiences that may be of interest to you.
  • De-Identified and Aggregate Information: We may use and disclose personal information in de-identified or aggregate form without limitation.

Your Rights

You have the right to request access to a copy of, to correct errors in, to restrict the use of, or to erase your information in accordance with all applicable laws. The erasure of your information is subject to any retention periods required by applicable state and federal laws. If you have provided consent to the use of your information, you have the right to withdraw consent without affecting the lawfulness of OSU’s use of the information prior to receipt of your request.

Information created in the European Union may be transferred out of the European Union to OSU. If you feel OSU has not complied with applicable foreign laws regulating such information, you have the right to file a complaint with the appropriate supervisory authority in the European Union.

Retention and Destruction of Your Information

Your information will be retained by OSU in accordance with applicable state and federal laws; if there are no such legal or contractual obligations requiring us to retain your data, your information will be destroyed upon your request. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of your information given its level of sensitivity.

For particular questions about your rights, please contact OSU’s Data Protection Officer (DPO).

European Union's General Data Protection Regulation (EU-GDPR)

The European Union's General Data Protection Regulation (EU-GDPR) is a data privacy and security regulation designed to shield EU residents (as well as residents of any European Economic Area [EEA] nation) from the impact of data breaches and improper use of data. It replaces previous EU data privacy and security regulations, is much broader in scope, and uses a greatly expanded definition of personal data compared with US regulations.

Oregon State University is subject to the regulations set in motion by the EU-GDPR. As a result, we’re obligated to implement appropriate technical and organizational controls in an effective way to protect and observe “Data Subject Rights” for individuals with permanent or temporary residency within EU nations.

The European Union General Data Protection Regulation went into effect on May 25, 2018.

Learn more about EU-GDPR

Full EU-GDPR (PDF)

Rules

The Office of Information Security utilizes six primary security rules in order to effectively create a safe, respectful, and ethical online environment.

Vulnerability Management Rule

Ensures that university IT systems are assessed to determine which security vulnerabilities need fixing, an essential process for better protecting university systems and data. This rule applies to all academic, research, and administrative departments and offices at all University locations; all University faculty, staff, students, visitors, contractors and affiliates; and all resources, systems, infrastructure, devices, facilities and applications in the University’s computing portfolio, whether located on University property or accessed remotely.

Appropriate Use for System Administrators Rule

System Administrators manage, configure, monitor and access University Information Resources. This high level of access is a position of trust within the University. Individuals who are granted elevated access are personally responsible for their actions. This Rule establishes Acceptable Use for System Administrators for Oregon State University. This rule establishes requirements for System Administrators to ensure that their elevated level of access is performed in a professional and ethical manner.

Log Management Rule

Governs the University's current log collection, analysis, and retention methods, ensuring that all log management processes satisfy ethical, contractual, and risk-based requirements. This rule applies to any University department or individual that uses or operates IT resources that support official University business.

Remote Access Rule

Defines how Oregon State University controls remote access to University information systems, networks, and resources in order to prevent unauthorized use and to ensure proper use. This rule applies to all users associated with Oregon State University who need to access University resources from the internet.

Password Management Rule

Outlines the principles and practices of operation for the University’s password authentication services. This rule applies to all individuals who use or operate any University system or resource that requires password authentication.

UIT Email Security Rule

Outlines the principles and practices of operation for the University’s Email Services. This rule applies to any University department or individual that uses or operates an Email Service that supports official University business.

Digital Identity and Access Rule

This Rule defines the University’s approach to the establishment of a single digital identity that supports various roles and diverse relationships with the University in order to provide for the protection of systems and data as well as the Oregon State University community.

Third-Party Vendor Information Security Management Rule

This rule provides the OSU Community with guidance and a process for gaining approval of third-party systems that process OSU information. This rule applies to all external vendor systems that process OSU information.