Standard Number: 184.108.40.206.2
Category: Information Privacy
Owner: Information Technology Services
Effective: November 17, 2022
Revision History: Replaces University Identification Card Photo Use Standard originally effective September 2, 2018; updated December 2, 2020
Review Date: November 16, 2025
PURPOSE, SCOPE AND RESPONSIBILITIES
- The West Virginia University (“University”) Identification Card Policy establishes that the University will issue a University Identification Card for Eligible Individuals to be used as the official electronic validation and Authentication method to authorize access to University Services and Facilities.
- Pursuant to the Identification Card Policy, this Standard identifies how the University will seek to limit the collection and distribution of Personal Data collected through the issuance and use of a University Identification Card.
- This Standard applies to all University organizational units and their faculty, staff, and students.
- The Chief Information Officer, supported by the Executive Director for Enterprise Support, is responsible for the implementation and enforcement of this Standard. The University’s Chief Information Security Officer will make the final determination whether Personal Data will be shared when there is a dispute.
- The Card Services team will review all requests and determine if the requestor meets the requirements to access Personal Data associated with University Identification Cards. Campus Application Administration and Information Security Services will be consulted when there are questions or concerns about the security related to sharing of the Personal Data.
- The Office of General Counsel will determine if the classification of Personal Data should change under FERPA.
ID Card Data
- The University records data when an individual uses a University Identification Card to access a facility or service on campus (“ID Card Data”) including:
  - Card holder’s username;
  - Card holder’s account balance, which varies according to transaction purpose (e.g., Mountie Bounty, meal plans, Dining Dollars);
  - Card reader that scanned the card, which maps back to a location of facility/service/purchase; and,
  - Whether access/service was permitted or denied.
- Details of specific services provided, activities conducted upon entering a building, or specific items purchased using a University ID Card are not recorded by the University.
ID Card Data Access
- Pursuant to the Identification and Access Management Policy, access to ID Card Data is based on the principle of Least Privilege and is limited to the following instances:
  - Law enforcement. The University Police Department (“UPD”) shall have unrestricted access to facilitate police investigations, campus security, or public safety in accordance with the UPD Access Control Standard and Protocols.
  - Legal purposes. The Office of Legal Affairs shall be granted access when the University is compelled to disclose ID Card Data in response to a subpoena, litigation, or otherwise required by law.
  - Student and employee misconduct. The Office of Student Rights and Responsibilities and Housing/Residential Education shall have access to ID Card Data to facilitate the investigation or documentation of a student violation of the Campus Student Code. Talent & Culture and the Division of Diversity, Equity, and Inclusion may also request and be granted information to support investigations into employee misconduct.
  - Information security. The Information Security Services unit within Information Technology Services shall be granted access to ID Card Data to provide support for any of the above purposes as well as for audit or compliance purposes.
  - Operations. Information Technology Services shall be granted access to ID Card Data for operations of CS Gold including troubleshooting issues with access security equipment, problems with the identification cards themselves, building maintenance, or to conduct facility access audits. Specific business units and/or programs (e.g., Dining Services, Housing, Up All Night) are also granted access to ID Card Data in CS Gold to run operational reports for administrative purposes.
- Access to or use of ID Card Data for purposes other than those identified above (e.g., research project) may be granted only if the information does not specifically identify the individual and does not include the following identifiers:
  - Telephone Numbers;
  - Fax Numbers;
  - Electronic mail addresses;
  - Social Security numbers;
  - Web Universal Resource Locators (“URL”);
  - Internet Protocol (“IP”) address numbers;
  - Biometric Identifiers, including finger and voice prints; or,
  - Full face photographic images and any comparable images.
  - Any other unique identifying number, characteristic, or code, except for the individual’s WVUID number.
- De-Identified ID Card Data provided to individuals must be appropriately protected to prevent Unauthorized Access.
- Other requests for ID Card Data that is not De-Identified require review and approval of Information Security Services to ensure appropriate security measures are implemented.
- ITS will retain ID Card Data for a maximum of two (2) years.
- The University considers identification card photographs as Limited-Use Directory Information under FERPA, which it can share within the University for University Information Systems hosted by, on behalf of, and for the benefit of the University.
- ITS will only release photographs from the identification card system (“CS Gold”) upon confirmation that the requesting system is hosted by, on behalf of, or for the benefit of the University.
- Use of photographs must be for an approved, legitimate University use that requires visual identification of individuals such as class rosters, academic advising rosters, housing, or conduct violations.
- Requests that are for a University business purpose but for which photographs are not required for system functionality may be approved or denied on a case-by-case basis.
- Storing local copies of photographs is a security and privacy risk. Exceptions allowing this practice will be rare. Approval of local storage must meet the following requirements:
  - Photographs may only be used for the purpose for which approval was granted;
  - Photographs may not be retained for more than three (3) months. All local copies must be deleted and replaced quarterly;
  - Access to local data must be granted on the principle of Least Privilege. Access lists must be reviewed annually and updated accordingly; and,
  - Photographs must be maintained on up-to-date software and operating systems.
- Granting a third-party access to local storage of University Identification Card Photographs is strictly prohibited. Any requests for access to photograph files must be forwarded to ITS Campus Application Administration for review and approval.
- Two-factor authentication is required for all systems using photograph images from CS Gold.
- Photographs must not be shared outside of the University or on University public websites without approval from the individual. For example, photographs may not be used on class rosters that are distributed to non-University officials.
- Copying photo files from any University System and using them for another, unapproved purpose is strictly prohibited.
- Any other use of University Identification Card Photographs is prohibited.
- Systems or individuals found in violation of this Standard will have their access to University Identification Card Photographs removed and be subject to appropriate disciplinary action.
- “Authentication” means verifying the identity of a user, process, or device to allow access to a University Information System or facility.
- “Eligible Individuals” means the groups of individuals who are eligible to be issued a University Identification Card. The following groups are Eligible Individuals:
  - Students that are enrolled and attending the University.
  - Employees with full- or part-time appointments, retired employees, and individuals with Emeritus status.
  - Sponsored Individuals who are authorized to be on-site, unescorted, and to use University Services and Facilities when administrative or academic systems do not otherwise grant appropriate access via roles within Banner or MAP (“Sponsored Accounts”) pursuant to the Identity and Access Management Policy.
  - Other Authorized Individuals who are authorized to be temporarily on-site and unescorted to use University Services and Facilities.
- “Least Privilege” means granting the minimum system resources and authorizations needed to perform its function or restricting access privileges of authorized personnel to the minimum functions necessary to perform their job.
- “Personal Data” means information, or data collected, which can identify an individual either directly or indirectly, including but not limited to: location data, student or employee identification number, online identifiers, economic, any data the University may classify as Sensitive Data or a name combined with any of the following identifying information: Biographical information or current living situation; looks, appearance and behavior; workplace data and information about education; private and subjective data; or health, sickness, and genetics.
- “Unauthorized Access” means when someone gains access to University Services and Facilities or the card holder’s personal information by using someone else’s University Identification Card.
- “University Identification Card Photograph” means the image found on a University Identification Card. Photographs for University Identification Cards are either taken at an approved University card issuing site or by the card holder uploading a personal image.
- “University Information System” means a software system designed to facilitate the academic, business, research, and outreach activities at the University such as STAR, Banner, and eCampus.
- “University Services and Facilities” means any facility or service owned, maintained, or offered by the University. These include, but are not limited to, dining hall meals, University-owned or controlled buildings, library and athletic facilities, entry to athletic events, certain on-campus and off-campus purchases, and any other facility or service so deemed by the University.
- “WVUID” means the University’s primary identifier for all information systems and electronic communications.