Privacy Policy

Last Revised: Effective January 30, 2024

The Commission recognizes the importance of safeguarding the privacy of an individual’s personal information the Commission collects and maintains. This policy describes the Commission’s privacy practices regarding information collected from users of this website. This policy describes what information is collected, how the information is used, and the Commission’s procedures for safeguarding that information.

The Information Practices Act (IPA; Civil Code section 1798, et seq.) governs the Commission’s collection and management of personal information. In addition, due to the nature of the Commission’s work, the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C.A. 1232g; 34 CFR Part 99) and the Higher Education Act (HEA, 20 U.S.C.A., Chapter 28, Section 1001, et seq.) govern student educational records collected and maintained by the Commission. The IPA, FERPA, and HEA place specific requirements on the Commission regarding the collection, use, maintenance, and dissemination of personal information about individuals.

The Commission collects personal information to assist in the management of state financial aid programs administered by the Commission. Personal information collected and maintained by the Commission shall not be disclosed, made available, or otherwise used for purposes other than those specified in this policy or at the time the information is collected, except with the consent of the subject of the data, or as authorized by law or regulation. The Commission will collect personal information relevant to the specific purposes enumerated at or prior to the time of collection, in a privacy notice included on or with the form used to collect personal information. The Commission may disclose personal information to other government entities or other organizations for purposes related to the Commission’s management of state financial aid programs. These purposes may include research projects and outreach efforts that assist the Commission in meeting its objectives, consistent with the IPA, FERPA, and HEA, and the statutory provisions that govern each of the Commission’s programs.

To protect against loss of data and unauthorized access to, use, modification, or disclosure of personal information, the Commission secures all personal information against loss, damage, modification, unauthorized access, or disclosure as required by federal and California law. Information voluntarily provided by you will be protected by the appropriate computer, network, and Internet technical security controls to prevent unauthorized access. Some of these security controls include password and user identification verification, data encryption, confidential transmissions, secure storage areas, and audit trails.

Specific policy requirements regarding the collection, protection, and disclosure of personal information by the Commission in compliance with applicable law are as follows:

All Commission employees, contractors, and third-party service providers responsible for the operation, disclosure, or maintenance of records containing personal information shall comply with these rules of conduct:
  • Commission employees, contractors, and third-party service providers responsible for the collection, maintenance, use and dissemination of personal information about individuals shall comply with the provisions of the IPA, FERPA, and HEA, as applicable. Personal information is defined as information that identifies or describes an individual, including, but not limited to, his or her name, Social Security Number, physical description, home address, home phone number, education, financial matters and medical or employment history.
  • Commission employees, contractors, and third-party service providers shall not require individuals to disclose personal information which is not necessary and relevant to the lawful State function for which the employee is responsible.
  • Commission employees, contractors, and third-party service providers shall only disclose personal information, maintained by the Commission, to those individuals or government entities to whom the release of this information is authorized, as defined under the conditions of disclosure.
  • Commission employees, contractors, and third-party service providers shall keep an accurate record of the disclosures of personal information authorized in 3.1.3 above, which shall include the individual’s and institution’s names, title, date, and the nature and purpose for which the information was disclosed.
  • Commission employees, contractors, and third-party service providers shall assist individuals who seek information on accessing records pertaining to themselves in making their inquiry sufficiently specific and descriptive so as to facilitate locating the records requested.
  • Commission employees, contractors, and third-party service providers shall make every reasonable effort to see that inquiries and access requests by individuals for their personal records are responded to within 30 days of receipt of request for active records and 60 days of receipt of request for inactive records that have been archived.
  • Commission employees, contractors, and third-party service providers shall not disclose personal information relating to individuals for their own interest or advantage. The intentional violation of this policy shall be cause for disciplinary action, including dismissal, and possible civil action for invasion of privacy.
  • Commission employees, contractors, and third-party service providers responsible for maintaining records which contain personal information shall take all necessary precautions to assure that proper administrative, technical, and physical safeguards are established and followed, in order to protect the confidentiality of records containing personal information and to assure that such records are not disclosed to unauthorized individuals or entities.

FEDERAL TAX INFORMATION (FTI)

It is unlawful for any Commission employees, contractors, and third-party service providers to access, view, use, or disclose FTI for any purpose. Violations of the Internal Revenue Code (IRC) can result in criminal and civil penalties that include:

  • The willful unauthorized disclosure of a tax return or return information is punishable as a felony by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution (Section 7213 of the IRC).
  • The willful unauthorized inspection of a tax return or return information is punishable by a fine of up to $1,000, or imprisonment of not more than 1 year, or both, together with the costs of prosecution (Section 7213A of the IRC).
  • A taxpayer may bring a civil action for damages against an officer or employee who has inspected or disclosed, knowingly or by reason of negligence, such taxpayer’s tax return or return information in violation of any provision of Section 6103 of the IRC (Section 7431 of the IRC).

Users that do not keep PII and/or FTI confidential, or allow or participate in inappropriate disclosure or access to PII/FTI, may be subject to immediate disciplinary or corrective action, up to and including dismissal or loss of access privileges to Commission property and facilities. Unauthorized access, use, or disclosure of PII may also violate federal law and state law and may result in criminal and civil penalties.

RECORD OF SOURCES OF INFORMATION

Whenever the Commission collects personal information, the Commission must maintain the source or sources of the information. The Commission shall also maintain the source or sources of information in a readily accessible form, so as to be able to provide it to the data subject when they inspect any record pursuant to Section 1798.34 (Section 1798.16, IPA).

SAFEGUARDS FOR PERSONAL INFORMATION

Commission employees, contractors, and third-party service providers, who have responsibilities for safeguarding personal information, must take all precautionary measures to ensure that all records containing personal information are kept in a secure area or in locked storage equipment and that access is restricted to only those users who must have access in order to perform their assigned duties (Section 1798.21, IPA).

ELECTRONIC INFORMATION AND COOKIES

CSAC reserves the right to use browser ‘cookies’ (bits of data). These cookies are used to store information including visitors’ preferences, and the pages on the website that the visitor accessed or visited. The information is used to optimize the users’ experience by customizing our web page content based on visitors’ browser type and/or other information. When you provide us with personal information, cookies upload to your device to identify you and save your login information. You can delete the cookies after your browser session. If you choose not to submit the information the website requests, you may be unable to access certain functions; however, you will still be able to use the site.

CSAC collects electronic information from people who visit our Internet website. If an individual simply browses our Internet website, CSAC automatically collects the domain name or Internet Protocol address that relates to the machine used to access the CSAC website, the type of browser and operating system used, the date and time when the website is visited, web pages displayed, and any forms that are uploaded. We do not collect home, business or e-mail addresses, or account information from persons who simply browse our Internet website. CSAC collects personal information about individuals through our website only if an individual provides such information voluntarily through forms or surveys. Electronically collected personal information is exempt from requests made under the Public Records Act.

CSAC uses Google Analytics to help understand how visitors interact with CSAC websites to improve each website. You can read Google’s security and privacy policies for Google Analytics. You can choose not to have your data used by Google Analytics by downloading its opt-out browser add-on. Selecting to opt out will not interfere with your ability to use the website.

CONDITIONS OF DISCLOSURE

Commission employees, contractors, and third-party service providers may not disclose any personal information in a manner which would link the information to the individual to whom it pertains (Section 1798.3, IPA). Examples of personal information are:

  1. Name
  2. Home address and/or home telephone number
  3. Social Security Number
  4. Medical or employment history
  5. Physical description
  6. Financial information
  7. Records marked (stamped, etc.) “confidential”

Commission personnel may disclose personal information to the public under any of the following criteria (Section 1798.24, IPA):

  1. To the individual to whom the information pertains;
  2. With the prior written, voluntary consent of the individual to whom the information pertains, but only in the time limit agreed to by the individual in the written consent;
  3. To the duly appointed guardian or conservator of the individual, provided it can be proven with reasonable certainty such person is the authorized representative of the individual;
  4. To those officers, employees, attorneys, agents, or volunteers of the Commission or institution, if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties, and it is related to the purpose for which the information was acquired;
  5. To a governmental entity when required by state or federal law;
  6. Pursuant to the California Public Records Act, Chapter 3.5;
  7. To a person who has provided the institution with advance, adequate, written assurance that the information will be used solely for statistical research or reporting purposes, or for other purposes related to the Commission’s management of state financial aid programs, when the information to be disclosed is in a form that will not identify any individual, and the third party receiving the data has security practices and policies in place to the satisfaction of the Commission;
  8. To any person pursuant to a subpoena, court order, or other compulsory legal process, if, before the disclosure, the institution reasonably attempts to notify the individual to whom the information pertains, and if the notification is not prohibited by law;
  9. To any person pursuant to a search warrant;
  10. To a law enforcement or regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law;
  11. To the Office of Information Practices when the information is necessary for that office to investigate a complaint it has received regarding an alleged violation or to perform its mediation functions.

MAINTAINING RECORDS OF DISCLOSURES

The Commission must maintain a record of each disclosure of personal information to an individual and institution outside of the Commission. The record must contain: 1) date of disclosure, 2) nature and purpose of disclosure, 3) name of person and institution to whom information is disclosed, and 4) business address of the person to whom information is disclosed (Section 1798.25, IPA) (see Attachment 1).

RETENTION PERIOD FOR RECORDS OF DISCLOSURES

The Commission must retain records of disclosures for three years or until the record containing the personal information is destroyed, whichever is shorter (Section 1798.27, IPA).

COPIES OF RECORDS

The Commission will charge an agency fee of ten cents per page to an authorized individual or institution for making copies of a record (Section 1798.33, IPA).

REQUESTS FOR INSPECTION, AMENDMENT OR CORRECTION OF RECORDS

Except as provided by law, individuals who provide personal information to the Commission have the right to access their personal information maintained by the Commission and to request correction of any inaccuracies in such records.

The Commission has the responsibility to coordinate and respond, in writing, within 30 days from receipt to all written inquiries for access to, and amendment of, or correction of, Commission records by the subject individual. The Commission is required to review all written requests for access, amendment or correction of Commission records and approve, or deny, such requests within 30 days from receipt of the request.

If the Commission denies the request for access, amendment or correction of Commission records, the Commission must provide the reason for the denial and the procedures for the individual to request a review (Sections 1798.34 – 1798.36, IPA).

INVASION OF PRIVACY

The Commission employee, contractor, or third-party service provider who intentionally discloses information, not otherwise public, which they know or should reasonably know was obtained from personal information, maintained by the Commission, may be subject to a civil action for invasion of privacy by the individual to whom the information pertains (P.L. 93-579) (Section 1798.53, IPA).

PRIVACY NOTICE

The Commission is required to inform an individual whose social security number is requested by the Commission whether disclosure is mandatory or voluntary, by what statutory authority the number is solicited, and what it will be used for. The Commission is prohibited from denying an individual any right, benefit or privilege, provided by law, based on that individual’s refusal to disclose his or her social security number (P.L. 93-579).

REPORTING REQUIREMENTS

The Commission is required to identify all record systems which contain personal information and submit a report to the Office of Information Practices, which identifies all new record systems, and all changes to existing record systems, containing personal information (Sections 1798.9, 1798.10, IPA).

The primary source of information for this Policy Memo comes from the publication, “The Information Practices Act of 1977,” published by the California Office of Information Practices, 1986. If there are any inconsistencies between the above-noted publication and the official Information Practices Act of 1977, the Act shall be controlling. If you have any questions regarding this policy memo, please direct your questions to your manager or the Commission’s Information Security Officer.

Site Contacts

For questions and approval process issues relating to www.csac.ca.gov

Identity Representative:

Information Security Office
California Student Aid Commission
(916) 464-7222


For more information on security and information privacy, please see the California Department of Justice website at https://oag.ca.gov/privacy/facts/online-privacy/computer-secure

 

Site Technical Management:  CSAC Help Desk  888-294-0153 or 916-464-7222

CSAC Privacy Policy Revised Date 2024