10.6 MGA Privacy Policy

MGA POLICY NUMBER: Records: 10.6

POLICY: MGA shall enact and maintain permanent data privacy processes and procedures which includes, but is not limited to, the following principles: 

  1. Personally identifiable information (PII) may only be obtained through lawful means or with the consent of the data subject.
  2. The purposes for which personally identifiable data are collected must be specified at or prior to the time of collection, and any subsequent use of the data shall be limited to and consistent with the fulfillment of those purposes previously specified. 
  3. Personal data may not be disclosed, made available, or otherwise used for a purpose other than those specified, except with the consent of the subject of the data, or as allowed by statute or regulation. 
  4. Personal data collected must be relevant to the purpose for which it is needed. 
  5. The general means by which personal data is protected against loss, unauthorized access, use, modification or disclosure must be posted, unless the disclosure of those general means would compromise legitimate USG entity objectives or law enforcement purposes.

MGA must implement this Data Privacy Policy by: 

  1. Designating the Registrar as the Chief Privacy Officer and Data Protection Officer responsible for the implementation of and adherence to the policy.
  2. Posting the policy prominently in offices and on the intranet website.
  3. Distributing the policy to each employee and contractor who has access to personal data.
  4. Complying with USG data privacy policies and standards and all other State and Federal laws pertaining to data privacy.
  5. Using appropriate means to successfully implement and adhere to the policy.

The Chief Privacy Officer, Chief Information Security Officer, and University Council are authorized to draft privacy policies, standards, procedures and guidelines for submission to the Data Governance Committee for approval.


This policy applies to

  • All MGA units
  • All MGA University employees, students, and third parties employed by or doing business with, Middle Georgia State University.


  • Short Title: “Privacy”
  • Original Draft Date: 10/12/21
  • Previous Version: 11/25/19
  • Oversight: Chief Privacy Officer, Chief Information Security Officer and University Council

Additional Resources:

  • University System of Georgia Board of Regents Policy Manual: Privacy Policy
  • USG Business Procedures Manual Section 12
  • University System of Georgia Business Records Management and Archives Policies
  • University System of Georgia Board of Regents Policy Manual: Cybersecurity
  • University System of Georgia Board of Regents Policy Manual: Ethics Policy
  • Board of Regents' Academic & Student Affairs Handbook, 3.10 "Social Security Number"
  • University System of Georgia Information Technology Handbook
  • Board of Regents' Information Technology Handbook, 5.15 "Identity Theft Prevention Standard “Red Flags Rule"
  • Federal Privacy Act of 1974
  • Georgia’s Open Records Act O.C.G.A. § 50-18-70
  • Family Education Rights and Privacy Act (FERPA)
  • U.S. Department of Health and Human Services Health Information Probability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • General Data Protection Regulation (GDPR)

Associated MGA Policies and Procedures:

  • MGA Data Stewardship and Access Standard
  • MGA Records Management Policy
  • MGA Data Goverance Charter 
  • MGA Open Records Procedures
  • MGA FERPA Policy
  • MGA HIPAA Procedures
  • MGA GLBA Standard
  • MGA GDPR Procedures
  • MGA Privacy Standard
Added: 12/19/2019
Revised: 10/21/2022
Last Reviewed: 01/07/2022
Effective: 03/02/2022