Personal Data Protection

The University of South Alabama has established a Personal Data Protection policy which sets forth minimum requirements for the collection, use, maintenance, storage, sharing, and destruction of Personal Data of members of the University community (employees, contractors, students, patients, volunteers, alumni, etc.), in order to protect it from misuse or breach. Specifically, the policy outlines essential roles and responsibilities for members of the University community to assure we maintain an environment that safeguards Personal Data from breaches or other unauthorized access or use, and establishes a comprehensive data protection program consistent with applicable state, federal and international acts, standards, regulations and laws. University employees should be familiar with the Personal Data Protection policy. A summary of some of the more applicable state, federal and international regulatory standards is listed as follows.


In effect since August 21, 1974, the Family Educational Rights and Privacy Act (FERPA) protects the confidentiality of student educational records. The Act gives students the right to inspect and review their own education records, request corrections, control the release of personally identifiable information, and obtain a copy of their institution's policy concerning access to educational records. It also prohibits educational institutions from disclosing "personally identifiable information in education records" without the written consent of the student, with certain exceptions. Schools that fail to comply with FERPA risk losing federal funding. Exceptions may apply; consult with the USA Registrar. The University’s FERPA guidelines can be found here.


In effect since August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA) and the additional rules and acts since then [2003 adoption of the HIPAA Privacy, Security and Enforcement Rules; 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act; 2013 the HIPAA Omnibus (Final) Rule] protect the security and privacy of all information related to an individual’s past, present and future physical and mental health

USA is a “hybrid entity” that performs both covered and non-covered functions under HIPAA. The healthcare components and components acting as business associates within USA are required to comply with HIPAA. For purposes of compliance with HIPAA, USA has been designated as an Organized Health Care Arrangement (OHCA), which includes USA Health (Hospitals, Physicians Group, Mitchell Cancer Institute and University of South Alabama Health Care Authority (HCA)), USA Allied Health Speech and Hearing Center, USA Allied Health Physical Therapy, USA Radiological Sciences, USA Psychology Clinic, USA College of Nursing, and USA College of Medicine. These entities participate in a clinically and operationally integrated care setting in which it is necessary to share PHI for joint management and operations. Patients who obtain services within this OHCA have an expectation that they are integrated and jointly


In effect since May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) may have extraterritorial reach to any business or entity which collects information from European Union citizens and residents when the citizens or residents are on European Union soil. The regulation requires that any Personal Data collected from those individuals is (a) processed fairly, lawfully, and in a transparent manner, (b) kept for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes, (c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization), (d) accurate and, where necessary, kept up to date, (e) retained for no longer than is necessary to meet the purposes for which the Personal Data are processed, (f) in accordance with Data Subjects’ rights, (g) processed in a way that ensures appropriate security of the Personal Data, and (h) not transferred to a third country or to an international organization if the provisions of GDPR are not complied with.


The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit payment card information maintain a secure environment. The Payment Card Industry Security Standards Council (PCI SSC) was created in September 2006 by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB) to manage the evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered by the PCI SSC.

USA adheres to the highest standards related to the security of Payment Card Data and must follow the guidelines set by the PCI SSC. The USA PCI Policy applies to any USA-related unit, department, or entity that accepts payment cards to conduct business.

Alabama Data Breach Notification Act

In effect since June 1, 2018, the Alabama Data Breach Notification Act of 2018 obligates each person, sole partnership, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive Personally Identifying Information to (a) implement and maintain reasonable security measures to protect Sensitive Personally Identifying Information against a breach of security, (b) conduct a good faith and prompt investigation into a breach of security that has or may have occurred in relation to Sensitive Personally Identifying Information of any individual, (c) notify each affected Alabama resident of a determined breach within forty-five days of discovery, (d) assure third-party agents notify the covered entity of a breach of security involving Sensitive Personally Identifying Information within ten days of discovery, and (e) notify the Alabama Attorney General and credit reporting agencies of a breach involving more than 1,000 Alabama residents.

The Gramm-Leach-Bliley Act (GLBA)

Also known as the Financial Modernization Act of 1999, the GLBA is a federal law that requires financial institutions to take steps to ensure the privacy and security of customer records. Because higher education institutions engage in financial activities, such as making Federal Perkins Loans, Federal Trade Commission regulations consider them financial institutions for GLBA purposes.

Colleges and universities are deemed to be in compliance with the privacy provision of the GLBA if they are in compliance with FERPA. However, institutions of higher education remain subject to the Safeguards Rule of the GLBA related to the administrative, technical, and physical safeguarding of customer information. The Safeguards Rule of the GLBA requires financial institutions to develop and maintain a security plan to protect the privacy and security of personal information.

The California Consumer Privacy Act

The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, gives California consumers personal data protections. The CCPA grants the following consumer rights: (1) to know what personal data is being collected; (2) to know what personal data is being sold and/or shared with third parties; (3) to opt-out of the sale of his/her personal data; (4) to access his/her personal data; (5) to request the deletion of his/her personal data. If a consumer exercises one of the aforementioned rights, a business must respond within forty-five days
of the request.

In addition to these consumer rights, the CCPA also requires businesses to provide notice as to whether personal data is sold and instructions on how to opt-out of the selling or sharing of the personal data. Organizations must also allow consumers to exercise their right to opt-out through at a minimum, two methods, including a toll-free number and a URL.

Finally, the CCPA provides consumers with a “private right to action,” allowing them to seek damages in the event of a breach where a business has failed to implement reasonable security procedures and practices appropriate to the nature of the information. Damages resulting from a breach are limited to a maximum of $750 per incident.