RA-8: Privacy Impact Assessments

Privacy Baseline: Yes

Not Required by DIR or TAMUS (Discretionary) 

Review Date: 07/31/2024

  • Information resource owners and/or custodians, in coordination with the Tarleton State University (Tarleton) Chief Information Security Officer (CISO), are responsible for ensuring that privacy impact assessments for any applicable systems, programs, or other activities are conducted before: 
    • Developing or procuring information technology that processes personally identifiable information (PII); and 
    • Initiating a new collection of PII that: 
      • Will be processed using information technology; and 
      • Includes PII permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government. 
  • Third-party security and privacy documentation, such as a vendor-provided Higher Education Community Vendor Assessment Toolkit (HECVAT), can be important for the Tarleton CISO and/or Office of Innovative Technology Solutions (OITS) – Security Team to review during the software and/or information resource procurement process when evaluating the protections the third-party software has in place to protect PII.
  • Ensure compliance with any applicable Family Educational Rights and Privacy Act (FERPA) privacy requirements for information resources in coordination with the Tarleton Office of the Registrar, as applicable.

References/Additional Resources

EGOV 

OMB A-130 

OMB M-03-22 

FERPA 

HECVAT