Data Privacy

It is the responsibility of all data users to protect Personally Identifiable Information (PII) at TU. In addition to TU’s Data Classification and Data Use Standards, the following principles will help guide decisions regarding collection, storage, and use of Personally Identifiable Information (PII).   

1. Accuracy: Everyone has a role in ensuring data quality and integrity.  PII should be kept accurate, and where necessary, up to date.  
2. Collection Relevancy: Only collect information that is relevant for a specific purpose.
3. Minimization: Only collect the minimal amount of information that is necessary for a specific purpose and dispose of any PII when no longer needed for a previously authorized purpose.
4. Participation: Everyone has a role in supporting the privacy program in support of individuals rights related to their PII.  
5. Responsibility: Whomever requests PII has the responsibility to ensure that the collection, storage, and use of such data follows the appropriate university policies, standards, and guidelines as well as federal and state laws and regulations.
6. Security: Protect personally identifiable information (PII) from unauthorized access and misuse by applying the principle of least privilege and applying appropriate information security safeguards commensurate with risk of harm of the data.
7. Transparency: The university is committed to being transparent about the information we collect and how it is used.  
8. Use Relevancy: Only use information for its intended purpose. 

Towson University defines its Systems of Record (SoR) as structured information systems that require strong protection of confidentiality, integrity, and availability that widely support the campus community.     

The university has made available the contact details for data subjects/individuals to submit requests regarding data privacy, along with the processes to manage such inquiries. 

As required by the Maryland Higher Education Privacy Law, the university has designated the following information systems as “Systems of Record”: 

• Human Resources Information System: used for employment records.    
• Relationship Management System: used for university engagement activities.
• Student Admissions System: used for students applying to the university.  
• Student Information System: for student records.  

As an institution of higher education, Towson University’s Systems of Record (SoR) may collect and retain relevant personal information related to educational and student records (e.g., admissions applications, financial aid information, etc.), administrative purposes (e.g., payroll, background checks for employment, etc.) and university engagement (e.g., newsletters, university event attendance, etc.).  

The information may be collected directly (e.g., applying for an employment opportunity, signing up for a newsletter, etc.) or indirectly (e.g., transcripts for admissions purposes).   

Examples of personally identifiable information stored in TU’s Systems of Record include, but are not limited to the following: 

• Name
• Date of birth
• Email addresses
• Financial aid  
• Identification numbers
• Payroll data
• Phone numbers  
• Transcripts 

TU inventories its Systems of Record for the types of data stored. Before adding any new data types, data usage approval must be obtained through data governance processes. Additionally, TU follows access control procedures before authorizing the use of data. 

The university reserves the right to disclose any relevant information, including Personally Identifiable Information (PII), when required by law enforcement or to comply with a court order, law, or legal process, including responding to a government or regulatory request. Personal Information from a System of Record may be shared with local, state, and federal organizations as required such as the Maryland Higher Education Commission (MHEC), U.S. Department of Education and Middle States Commission on Higher Education (MSCHE).  

TU will not disclose PII to third parties, other than those third parties processing PII on behalf of TU, unless the Data Subject consents to the disclosure, or TU determines that disclosure of PII is in the best interest of TU.

Some PII may be subject to disclosure under the Maryland Public Information Act or other federal and state laws or regulations.

The university reserves the right to access and use PII in its sole discretion when university staff believe there is a risk to safety or to investigate actual or suspected instances of misconduct or risk to the university, students, faculty, staff, and third parties, subject to applicable law and university policy.

The university may disclose aggregated, disaggregated, anonymized, or de-identified personal information about our community.

An individual may submit data privacy requests concerning Personally Identifiable Information (PII) relating to the individual held and processed by TU. The data subject (the individual to whom the PII relates) may seek access to the PII, correction or deletion of the PII, or to opt out of sharing PII with third parties. Data subjects may submit their requests to TU’s Office of Information Security and Privacy (see the Privacy Statement for current submission instructions).  

To protect the data subject’s privacy, TU will take precautions to verify the data subject’s identity and use appropriately secure communication methods. 

TU may deny a data privacy request if it reasonably concludes that it has a legitimate basis for processing the PII or if the request is infeasible. If the data subject disagrees with TU’s decision regarding a request to change PII, the data subject will be given the option to leave a record of their change request with the original record.  

The above procedures only apply to PII within a designated System of Record.