Original Date: 5/17/2006 * Last Revision Effective: 12/10/2025
Policy Contact: Vice President, Information Technology Services
Policy
The state of Washington requires that agencies who own or license computerized data which includes certain unencrypted personal information disclose any breach in the security of that data under certain circumstances (RCW 42.56.590). This policy is intended to ensure that all Bellevue College personnel are aware of the college’s responsibilities under the law.
This policy governs the actions of any Bellevue College school official who discovers or is notified of a breach or possible breach of the security of unencrypted personal information collected and retained by Bellevue College as computerized data. This breach can be the result of a compromise of a Bellevue College computing system or network, the loss or theft of any physical device in which personal information is stored, or the loss or theft of any storage medium upon which personal information is maintained.
This policy is intended to complement, not to supplant, Bellevue College procedure #2600P: Family Education Rights and Privacy Act (FERPA): Disclosure of Student Information (procedures).
Bellevue College maintains computerized data on various college systems which includes personal information. If the security of any Bellevue College system storing or processing computerized data that includes unencrypted personal information is compromised, the owner or licensee of that information must be notified by the college of the breach of the system if the information was, or is reasonably believed to have been, acquired by an unauthorized person.
This disclosure shall be made as expediently as possible following discovery or notification of the breach—without unreasonable delay and consistent with any measures taken to determine the scope of the breach and restore the integrity of the affected data system. This notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. In that case, the notification may be made after the law enforcement agency determines that such notification doesn’t compromise an ongoing investigation.
Good faith acquisition of personal information by a Bellevue College school official with a legitimate educational interest in the data or information is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure.
Bellevue College is not required to disclose a technical breach of system security which does not seem reasonably likely to subject the owners of personal information stored on those systems to a risk of criminal activity.
Responsibilities
All school officials have a duty to comply with and to understand their responsibilities as expressed in this policy. Certain Bellevue College administrative units also have additional responsibility for maintenance and for execution of this policy. These additional responsibilities include:
Policy Maintenance
- Information Technology Services (ITS)
Primary responsibility for maintenance and administration of this policy rests with the vice president of information technology services or designee. ITS is responsible for drafting any updates and changes to the policy and procedures. After appropriate campus review and final approval by the college president, ITS will publish the new or revised policy to the campus, providing a brief description of the policy and its implications for employees and other affected individuals or groups.
- Human Resources (HR)
The vice president of human resources is responsible for reviewing any updates or changes to this policy and for providing input on the policy and its implications for employees and other affected individuals or groups.
Definitions
All definitions pertaining to information security policies, procedures and standards are centralized in the 220 – Information Security Definitions standards document.
Relevant Laws and Other Resources
- Bellevue College Procedures #2600P: Family Education Rights and Privacy Act (FERPA): Disclosure of Student Information (procedures)
- RCW 42.56.590
- Bellevue College IT Security Standard: Intrusion Detection and Incident Response
- Bellevue College Procedure #5260P Security Breach Notification
Revision History
Original 5/17/2006
Revised 5/21/2009; 9/13/2012; 5/7/2015; 12/10/2025
Approved By
Board of Trustees
Last Updated December 15, 2025