CE Provider Policies: Privacy and Security

A Privacy and Security Policy outlines how personal data and sensitive information related to learners, instructors, and staff are collected and processed. Routine reevaluation of your Privacy and Security Policy ensures compliance with current privacy laws and demonstrates your commitment to safeguarding personal information.

What It Looks Like

Privacy systems aim to manage and enforce policies related to personal data collection, storage, sharing, and use. Data security systems focus on protecting data from unauthorized access, breaches, and cyber threats.

Privacy systems govern who can access data and how such data should be used, whereas data security systems protect data itself from theft, loss, or tampering.

When crafting your Privacy and Security Policy, consider the following details:

  • What types of information (e.g., personal, educational, or technical) does your organization collect?
  • Why does your organization collect the information?
    • For educational purposes?
    • For communication?
    • For payment processing and compliance?
  • When is your organization sharing data with third parties?
  • How is your organization protecting data, and what security measures is it implementing? Examples might include encryption, access controls, and/or data backup and recovery.
  • How is your organization informing users of their rights and controls? Can users access their information and make corrections? Can they opt out of communications?
  • How is your organization ensuring compliance with privacy laws?
  • How do users reach out to the Provider with questions and concerns?

When It Happens

Aim to have this policy in place before you collect any data—and clearly communicate it to learners, instructors, and staff. The policy should be accessible during enrollment and throughout the course to ensure transparency and awareness of data-handling practices. Providers should have a process in place for regularly updating their Privacy and Security Policies to account for evolving security threats and to stay compliant with regulatory changes.

How It Supports Compliance

Standard 1 requires that all Providers establish a Privacy and Security Policy and share it with course instructors and planners—as well as learners, when appropriate.

What is the difference between data privacy and data security? Data privacy ensures that the individual controls how others access, use, or share their data (e.g., by indicating their intent to earn ASHA continuing education units [CEUs], the participant knows that their data will be shared with ASHA CE). Data security protects the individual’s data from unauthorized use or misuse.

Why It Matters

Having a Privacy and Security Policy in place—coupled with staff adherence to the policy—assures the participant that their sensitive information is protected and treated respectfully. It helps the Provider comply with state and federal privacy laws and regulations, thus mitigating legal and financial risks.

A strong Privacy and Security Policy establishes clear guidelines on how an organization collects, uses, and safeguards data. It also helps build a secure learning environment where learners feel that the Provider protects their privacy against unauthorized access, data breaches, or misuse.

Bottom Line

Learners want to know that the Provider is handling their sensitive data securely and respectfully—and who has access to their data.
