Privacy

Op12.02-8 Privacy

Background

As an educational institution, Missouri State University encourages its students, faculty, staff and guests to advance learning and understanding through information collection, communication and collaborative teamwork. Missouri State acknowledges that these functions require a certain level of privacy and protection, and it strives to provide a safe and secure information systems environment for the processing of information collected on the university’s information systems.

Policy statement

The university takes reasonable precautions to protect accounts, personal information collected by the university, and personal communications from unauthorized access or disclosure. Except as required by law or authorized by university policy, the university does not share personal information with any third-party. The university may process personal information internally and through external services providers in furtherance of its mission and university normal operations; otherwise, the university will, when reasonably practicable, seek the consent of the subject of personal information before transmitting that information to a third-party for processing. The university does provide information on graduates for use by the Missouri State Alumni Association and Missouri State Foundation so that graduates can receive regular information about their alma mater.

Pursuant to the Family Educational Rights and Privacy Act (FERPA), the university may disclose “directory information” as defined in FERPA and set forth in the FERPA/Confidentiality of Student Education Records policy.

University websites that collect personal information will only collect information reasonably necessary for the intended purpose, and will where reasonable provide the user with the intended purpose of personal information being collected. University websites that display personal information, such as the My Missouri State website, will only display an individual's personal information after the individual has been authenticated. These sites will also ensure information communication security by using server authentication, encryption and data/message integrity.

If the chief information officer believes a system has been compromised, the university will notify the authorized users and appropriate State authorities as outlined in the Information Security Incident Management policy.

Authorized users should not share their passwords with others. Also, they should close their web browser every time they finish using a web application that requires a password for access and logoff their accounts when they finish using a computer.

University access to electronic information

The university does not routinely seek out, examine, disclose, use or modify the contents of individually assigned accounts, personal communications, records or university computers. The university does reserve the right to view, scan, or otherwise access any file, hardware, software or communication on university computers/systems or transmitted over university networks in the following conditions:

  • When information custodians, university auditors, legal counsel or information technology employees access information as part of their employment, and then only to the extent as necessary to perform work activities.
  • When the Board of Governors, president, director of internal audit and risk management or applicable vice president/chancellor (or designee if the vice president/chancellor is unavailable) has authorized a review because the university has reasonable cause to believe that an individual may be violating the law or university policy. Any request for a review must follow the appropriate procedures. University employees will not disclose information accessed during a review other than to university administrators and/or proper authorities investigating the matter.
  • As permitted by applicable policy or law. For example, the university may be required to disclose public records, including electronic versions such as email, when requested under the Sunshine Law (chapter 610 of the Missouri Revised Statutes). The university may also be required to disclose closed records or personally identifiable educational records to comply with a court order or subpoena.

Electronic information may be quickly deleted or modified. As such, the university will notify an individual about a review/disclosure after the university accesses the individually assigned electronic information.

Additionally, if the university has reason to believe a system security breach has occurred or could occur, the university retains the right to access any university system and, upon evaluation of the situation, shut down any system and/or require its modification to mitigate any perceived risk.