Policy Profile


Effective Date: January 29, 2014
Approved By: President Bruce D. Benson
Responsible University Officer: Vice President, Employee and Information Services
Responsible Office: Office of Information Security
Policy Contact: privacy@cu.edu
Last Reviewed/Updated date: March 1, 2019
Applies to: System Administration

Commitment to Individual Privacy

The University of Colorado System Administration (“System Administration” or “we”) supports the protection of individual privacy and is committed to ensuring the confidentiality of personal information provided by its employees, students and other members of the University community.  This privacy policy provides a general description of the ways we collect information about individuals, how we may use or disclose this information and how we safeguard this information. This policy covers the business practices of the System Administration for the University of Colorado. The System Administration includes several departments that provide services to all of the University of Colorado campuses. For more information on what parts of the University are in System Administration, visit www.cu.edu.

What information does the University collect?

You may access most System Administration websites without providing personal information, however you may need to provide personal information to use certain services. The amount and type of personal information required to use these services varies. It is the practice of System Administration to collect the least amount of personal information necessary to provide services to you and to meet any legal obligations. 

The personal information that System Administration collects about you may include: name, e-mail address, mailing address, phone number, date of birth, social security number (or other national ID), academic records, employment records, work history, past military service, state/country of residence, criminal history, ethics/disciplinary  history, age, race, ethnic origin, native language, gender, preferred name, test scores, social media account information, athletic achievements, engagement with CU, financial and banking information, information from public records, billing information, passport information, etc.

System Administration automatically collects non-personal usage information for website administration purposes when you visit University of Colorado System Administration websites. Usage information includes: number of visitors, number of page views, IP address, website pages visited prior to visiting the site(s), browser information, technical information about your device, etc.

How does System Administration collect this information?

You provide most of the personal information that System Administration collects when you use our services.  However, in some cases, we may collect publicly available information and/or information from a third party that has the authority to share your personal information with the University. For example, System Administration may receive personal information about you through the Common App college application system.

The collection of non-personal usage information occurs automatically when individuals use System Administration websites and applications. This information may be collected using third-party services like Google Analytics and using techniques including web browser cookies.

How does System Administration use this information?

Examples of how System Administration uses personal and usage information include:

  • Providing and improving services to our students, employees and other community members. This includes, but is not limited to, the accessing and processing of:
    •   Personal information related to services and tools that support admission applications, online learning, student and employee self-service, course and degree management, financial aid management, personnel management, research administration, event management and ticketing, academic advising, housing and dining services, public safety, communication with employees and students, etc.
    • Usage Information to help identify and diagnose service problems, monitor service performance, identify popular and unpopular aspects of services, improve service designs, better understand which technologies are used to access services, etc.
  • Communicating with the members of our community.
  • Meeting regulatory and contractual obligations as an institution of higher education and employer - for example, required reporting to the Department of Education, the Department of Homeland Security and the Internal Revenue Service.
  • Measuring and analyzing collected information to better understand and improve the experiences of our community members. For example, student academic data may be analyzed to identify key factors in graduation rates that can be used to improve future graduation rates.
  • Engaging the community and attracting private support to enhance the university’s academic, research and public outreach efforts.
  • Protecting the health and safety of our community – Information may be used to contact community members about health and safety issues and, as required, work with government agencies on these issues.
  • Fulfilling the University of Colorado’s legal obligations - For example, responding to authorized legal requests and appropriate open records requests.
  • Compliance with laws and regulations, e.g., EEO and affirmative action requirements, ADA, FMLA, etc.
  • Tailoring content on System Administration’s websites and target advertising.
  • Advancing System Administration’s legitimate interests.
  • Determining eligibility for benefits - For example, sick leave, short and long term disability, medical, retirement plans, etc.

If System Administration collects your information based on your consent, System Administration will conform to the processes outlined in any applicable consent form. If you provide information based on consent, you may generally withdraw your consent at any time. However, withdrawal will not affect the processing based on such consent prior to withdrawal.

In general, information is used and stored within the United States. In some cases, third-party services may require the use and storage of information outside of the United States.

How does System Administration share my information?

System Administration may share personal information within the University of Colorado (including with University of Colorado campuses) and with the University of Colorado's third-party partners. However, the University restricts access to personal information to individuals and groups who have a legitimate need to access the data.

When appropriate, System Administration may share your personal information with third parties. To the extent possible, we require these individuals and organizations to protect your information through contracts and may perform our own security assessments or rely on third-party assessments.

Some examples of situations when System Administration may provide personal information to third parties include:

  • When using the services from third-party vendors, consultants and other service providers who do work for the University and need access to your information to do that work.
  • If you request that someone within the University of Colorado shares your information.
  • To report information to government or accrediting agencies that regulate the University’s business.
  • With the University of Colorado Foundation for the purposes of fundraising or processing donations.
  • To comply with applicable law and our legal obligations, such as to comply with a subpoena or similar legal process.
  • To comply with an appropriate request under the Colorado Open Records Act.
  • When the University of Colorado believes in good faith that disclosure is necessary to protect its rights, your safety or the safety of others.
  • To investigate potential crimes, fraud or to respond to a government request. 

Public Records Law.  As a public institution, the University must comply with the Colorado Open Records Act (CORA).  Information we handle, including your personal information, may be available for request under CORA if it is not protected under other law or specifically exempt from disclosure under CORA.  We will not disclose information protected by law in response to a public records request. 

How does System Administration protect my information?

System Administration has security policies and standards regarding the protection of personal information. These standards include both administrative and technical requirements to appropriately protect personal information. System Administration has an information security officer and team who assist departments in providing appropriate protection for personal information. This includes active monitoring and assessments to detect potential security issues. Additionally, the University of Colorado has an internal audit team that periodically performs security related audits.

When third parties handle your information, System Administration relies on a combination of contractual requirements, third-party audits, security reviews and assessments and as assurances that personal information is appropriately protected. 

For more information on the policies and standards used by System Administration in protecting data, you can visit this site: https://www.cu.edu/ois/policies-and-resources.

The University of Colorado has a data retention policy and schedule that instructs departments on their obligations to keep different types of information for different periods of time. You can review this policy and the retention schedules here: https://www.cu.edu/ope/aps/2006.

What rights do I have regarding my personal information?

The rights you have regarding the use and disclosure of your personal information depend on the nature of your relationship to the University of Colorado, applicable law, and the type of the information the University holds about you.  Please be aware that personal information rights under international, United States, and Colorado information and privacy laws may differ. Upon request, System Administration will make an effort to:

  • Provide a list of the types of the personal information System Administration has about you within its primary systems.
  • Correct inaccurate information about you (For example, updates to your name, contact information, etc.)
  • Delete information about you stored in one of System Administration’s primary systems. (Depending on your role at and relationship with the University of Colorado, the information the University of Colorado stores about you, applicable law, and the University of Colorado’s record retention requirements, the University of Colorado may not delete your information.)
  • Stop processing your information. (For example, you may ask that the University stop sending you emails or physical mailings.)

You should direct all requests to exercise these rights to the contact information provided in the Comments and Feedback section.

Children’s Privacy

System Administration websites are intended for adults and young adults. If you are a child under applicable law, you should not register to use any portion of the System Administration website or provide any personal information through the website. It is not the University's intent to collect and store any personal information from any child. If the University is made aware that it is collecting information from a child, it will delete this information.

Student Records Privacy

In general, the Family Education Rights and Privacy Act (“FERPA”) protects the privacy of students’ educational records.  Students may restrict public disclosure of University-designated directory information by contacting the office of the registrar on the campus where they are or have been enrolled. For more information about student rights and choices under this law and related University policy, contact your campus registrar’s office.

How do I opt out of personalized Google Ads?

Google provides information on their advertising processes, including controlling preferences on this page: https://policies.google.com/technologies/ads. This information includes a link to their online tool that will allow you to disable personalized advertising from Google. You can access that tool here: https://www.google.com/ads/preferences.

Privacy Policy Changes

System Administration reserves the right to modify this Privacy Policy at any time. Changes will apply to personal information the University already holds, as well as to new information we create or receive after the change occurs. To stay informed about changes to the privacy policy, revisit this page periodically.

Comments and Feedback

Please send comments, questions, concerns or inquiries about this Privacy Policy or the University’s privacy practices to the Office of Information Security at privacy@cu.edu.  Please do not send attachments with the message.

Disclaimer

The information provided in this privacy statement should not be construed as business, legal or other advice, or as guaranteeing the security of information provided through the University of Colorado or System Administration’s websites.

Update History

Privacy Statement: Effective January 29, 2014 - February 28, 2019

Additional Resources

Electronic Communications APS