80 Institution Privacy Policies COLORADO STATE UNIVERSITY Information Collection and Personal Records Privacy http://policylibrary.colostate.edu/policyprint.aspx?id=493 education records. These photos are not “directory information” under the FERPA policy, and may not be released to anyone without permission of the student, except in accordance with this policy. They must be secured using the same safeguards as other private and sensitive information. Employees also have a reasonable expectation of privacy with respect to their RamCard ID photos. POLICY PROVISIONS De Minimis Access: The amount of sensitive personal information collected and stored shall be the minimum amount required for the efficient and effective conduct of business and academic functions. Access to sensitive personal information shall be limited to only those needing access for legitimate business or academic purposes. Periodically, individual access shall be reviewed to be in conformance with this policy. 1. Units are responsible for ensuring that all of their paper, non-paper and electronic records containing sensitive personal information are secured as required under the CSU IT Security Policy and protected from unauthorized access. 2. Periodically, units shall review their policies, operations, forms, archives and other associated functions to ensure they are in conformance with this policy. 3. Reasonable and prudent efforts shall be made to isolate and protect sensitive personal information in physical form from unauthorized access, for example in locked filing cabinets, behind locked doors, suitable IT security measures, etc. 4. Social security numbers (SSNs) shall not be used as the primary numeric identifier for individuals. This particular policy applies to all forms of information, both electronic and non-electronic, including identification cards. See the University Policy on Social Security Numbers. 5. RamCard ID Photos: Access to and use of official RamCard ID photos are permitted for legitimate educational and business purposes only. Access or use for personal reasons, and any unauthorized access or use, or redistribution, is not permitted. 1. Direct access to the University’s electronic systems that store digital ID photos must be pre-approved in writing by the Vice President for Information Technology, who shall constitute a small, ad hoc committee to review such requests. Requests must be made to the Advisory Committee for Administrative Applications (ACAdA) using the application for such access provided in Appendix A. Considerations for approval will include the business need for access, 2. 6.