International Legislation

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all EU citizens and EU residents. The General Data Protection Regulations (GDPR) went into effect on May 25, 2018. The regulation is the most far-reaching change to data protection in a generation. Learn more about GDPR at LMU.

Federal Legislation

Federal Education Rights and Privacy Act (FERPA) 20 U.S.C §1232g; 34 CFR Part 99

FERPA is the leading federal privacy law for educational institutions. It prohibits the disclosure of "personally identifiable information" not listed as directory information by the institution. Learn more about FERPA at LMU.

Directory Information includes student's name, address, telephone number, date and place of birth, major field of study, participation in officially recognized sports and activities, weight and height of athletes, dates of attendance, degrees and awards received.

Financial Services Modernization Act of 1999, Gramm-Leach-Bliley Act, 15 U.S.C. §§6801,6809

Higher education institutions are tied to this federal legislation due to the processing of federal loans for financial aid. Read LMU's GLBA Policy.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA was enacted to protect the rights of patients and participants in health plans. In higher education there are two principles that higher education should consider when complying with HIPAA - the Privacy and Security Standards. The Privacy Standards were passed to ensure the privacy of individually identifiable information when transmitting between employers and providers. The Security Standards are organized in to three categories - administrative, physical, and technical safeguards.

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act).

A significant impact of the USA PATRIOT Act on higher education is its mandate to the INS requiring the INS to develop and implement the Student and Exchange Visitor Information System or "SEVIS." SEVIS is an Internet-based system that allows schools to transmit information on foreign students to the INS for purposes of tracking and monitoring. The system compiles students' personally identifiable information including admission at port of entry, academic information, and disciplinary information. FERPA's restrictions have been waived to allow schools to disclose this information, which must be maintained and updated for the duration of a student's stay in the United States.

Digital Millennium Copyright Act (DMCA) Notice

The Digital Millennium Copyright Act (DMCA), the No Electronic Theft Law (NET Act), and other federal laws make copyright infringement both a criminal offense and provides for civil penalties. You can be prosecuted in criminal court and/or sued for damages in civil court. Criminal penalties for first-time offenders can be as high as five years in prison and $250,000 in fines. Civil penalties can run into many thousands of dollars in damages and legal fees.

State Legislation

California's Security Breach Notification Act (SB 1386) Cal. Civil. Code §1798.82

California was the first state to enact a law requiring notification of a data breach. This law requires any state agency, person, or business that owns or licenses computerized personal information to disclose any breach of a resident's personal information. Person information defined by the Act include an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social security number.
  • Driver's license number or California Identification Card number.
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

As of September 2007, there are 35 other state security breach notification acts that are similar to California's. Federal breach notification legislation is pending.

California's Social Security Number Confidentiality Act Cal. Civil Code §1798.85 - 1798.86

This legislation restricts the use of social security numbers on id cards, posting SSNs on the Internet or requiring users to use their SSN to access a web site that is not encrypted and does not use another personal identification number such as a password to access the site.

California's Online Privacy Protection Act of 2003 (OPPA) Business and Professions Code §22575 - 22579

Any business that collects personally identifiable information through the Internet about individuals residing in California must post its privacy policy on their web site.

For more privacy laws pertaining to California, please visit California's Office of Privacy Protection.