
Privacy at ASU

ASU Privacy Team

The ASU Privacy Team consists of professionals and subject matter experts representing various colleges, organizations, and departments within ASU. The members of this team strive to provide knowledgeable input on privacy matters. The common goals of the Privacy Team are to codify our structure for sharing privacy matters within ASU and streamline our approach for improving ASU privacy policy statements as needed. For a list of current participants, click here. Contact privacy@asu.edu for questions or concerns.

 

ASU Focus Areas

Embed Privacy by Design in our culture

Complete privacy reviews of existing and new processes

Inventory assets in CMDB

 

Privacy by Design and Default

 

Effective Practices:

When developing, designing, selecting, and using Goods/Services for processing PII, Supplier will, with due regard to the state of the art, incorporate and implement data privacy best practices.

  • Data Minimization – Collect only PII ASU truly needs

    • Example: collect month and year of birth instead of DOB

    • Example: request salutation (e.g., Ms., Mr., Mx., Dr., Esq.) instead of gender

  • Retain PII for the minimum amounts of time necessary

  • Anonymize or pseudonymize PII when possible

  • Communicate specifically what PII is being collected and how it will be used

  • Use secure systems, programs, networks and devices

  • Limit access to PII, both within and outside of ASU

  • Require third parties (vendors and contract partners) to use information security best practices 

  • Restrict use of PII to the specific purposes for which it was collected and to which the data subject consented

  • Ensure that if a data subject exercises any rights, ASU can comply

  • Do not precheck “yes” or automatically opt in anyone on any PII use consents

  • Ensure third parties have obtained necessary consents before purchasing PII from them



Framework - NIST Privacy Framework

Identify - Inventory and Mapping (ID.IM-P): Data processing by systems, products, or services is understood and informs the management of privacy risk. 

Complete Privacy Reviews

Inventory Assets in CMDB

Govern - GOVERN-P (GV-P): Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.

Control - CONTROL-P (CT-P): Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.

Communicate - COMMUNICATE-P (CM-P): Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.

Protect - PROTECT-P (PR-P): Develop and implement appropriate data processing safeguards.

 

Regulatory

 

Resources 

If you have any questions, please contact privacy@asu.edu