Collection of Personal Data from Students and Customers

This policy sets forth requirements for the collection of personal data from students, including medical residents, and customers for use in various business and regulatory processes, including but not limited to Internal Revenue Service reporting, collection efforts, and student insurance and medical services  It further sets forth requirements that must be followed by organizational units when conducting business with students, including medical residents, and other customers of the university.

1. Required and Preferred Personal Data
   
   The following are considered to be required personal data that must be collected in accordance with these procedures:
   1. Individual's legal name;
   2. Social Security Number and/or Federal Employer Identification Number;
   3. Permanent address; and
   4. Date of birth.

The following data is encouraged (but not required) to be collected where applicable and cost-effective to do so:

1. Current home and work address;
2. Current home and work phone number; and
3. Name and address of nearest relative or guardian not living with customer/student.

2. Collection Requirements
   
   The collection of personal data from students​, including medical residents, and customers of the university is a sound business practice and is required per this policy for:
   1. students and customers with either a formal credit relationship​ or informal credit relationship with the university;
   2. medical residents providing training services at a medical affiliate​; and,
   3. students applying for federal financial aid for which the university is the creditor and state financial aid1.

The required personal data will be collected when an individual initiates the credit relationship, financial aid request, or medical resident training agreement.

The required and preferred personal data (identified in section A, above) will be maintained in accordance with the IT Administrative Policy Statement (APS) referenced in Section III.A., below.

1. Related Administrative Policy Statements
   
   APS 6005 – IT Security Program (Section III: IT Security in University Operations, Continuity, and Contracting)
    
2. Educational Resources
   
   Educational resources including guides, training announcements, and newsletters are announced and available on Office of University Controller and Office of Information Security websites.
3. Related Policies and Laws

1. The Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act
2. Gramm-Leach-Bliley Act of 1999

Italicized terms used in this APS are defined in the APS Glossary of Terms.

The appropriate campus Controller, consulting with the University Controller as appropriate, will respond to questions and provide guidance regarding interpretation of this policy.  Any exceptions to this policy must be approved by the University Controller.

• • Adopted: July 1, 2007.
  • Revised: July 1, 2009, April 1, 2026.
  • Last Reviewed: April 1, 2026.