SUNY Compliance Roles

SUNY Compliance Roles

Various State and Federal laws, as well as SUNY Policies, require that SUNY campuses officially designate an employee (whether by name or title) to fill a particular compliance function or responsibility. The following is a list of roles that SUNY campuses are required to have officially designated, as well as details of the role, responsibilities, and scope for the employee designated to fill the role. 

It is important to note that this list is not representative of all the compliance roles and responsibilities that must occur throughout a campus.  Instead, this list is ONLY comprised of the compliance roles that require a formal designation per a law or policy that states a designation must be formally given.

Note that there are still many other compliance roles and responsibilities that exist throughout our campuses that are not included in the list below of those roles that must be formally designated.  The compliance mandates and responsibilities that SUNY is subject to as a result of federal and state law, SUNY Policy, and other sources is much more extensive than the list of roles outlined on this page.  You can learn more about many of these other compliance subject areas in the Compliance Topics section of this site.  The Higher Education Compliance Alliance maintains a comprehensive Federal Compliance Matrix of the federal laws and regulations governing colleges and universities. 

Note that campuses can also elect to make certain compliance roles a formal designation at their institution, even if they are not required to do so by law or policy.  This is a best practice for compliance because it clearly designates who has responsibility over a specific compliance function or task.  As an example, higher education institutions are not required by federal law to have a 'Clery Act' coordinator, but many campuses have formally designated a person on their campus as the 'Clery Coordinator' to ensure clarity over who is responsible for overseeing compliance with the Clery Act at their campus. 

Federal Compliance Roles

Federal Compliance Roles for HIPAA Covered Entities

New York Compliance Roles (from New York State law and SUNY Policy)

Federally Mandated Compliance Roles

Title IX Coordinator - Federal Law

“All educational institutions receiving Federal financial assistance must designate at least one employee to coordinate their efforts to comply with and carry out their responsibilities under Title IX of the Education Amendments of 1972, which prohibits sex discrimination in education programs and activities.  These designated employees are generally referred to as Title IX coordinators. A school’s Title IX coordinator or coordinators are expected to play a critical role in helping a school ensure that every person affected by its operations—including faculty, staff, and students—are aware of their legal rights under Title IX, and that the school and all of its employees, through its policies, procedures, and practices, complies with its legal obligations under Title IX. A school should ensure that the Title IX coordinator is given the visibility, training, authority, and support necessary to fulfill these responsibilities. The coordinator should not have other job responsibilities that may create a conflict of interest. Designating a full-time Title IX coordinator will minimize the risk of a conflict of interest.”

Source:, Role of a Title IX Coordinator, URL:

ADA Coordinator - Federal Law

Designating an ADA Coordinator
If a public entity has 50 or more employees, it is required to designate at least one responsible employee to coordinate ADA compliance. A government entity may elect to have more than one ADA Coordinator. Although the law does not refer to this person as an “ADA Coordinator,” this term is commonly used in state and local governments across the country and will be used in this chapter.

The ADA Coordinator is responsible for coordinating the efforts of the government entity to comply with Title II and investigating any complaints that the entity has violated Title II. The name, office address, and telephone number of the ADA Coordinator must be provided to interested persons.”

Source: ADA Best Practices Tool Kit for State and Local Governments, Chapter 2: ADA Coordinator, Notice & Grievance Procedure: Administrative Requirements Under Title II of the ADA


Campus Security Authorities - required by the Clery Act  - Federal Law

Campus Security Authority (CSA) are defined by the Clery Handbook to include campus police/security and affiliated offices, those designated by the institution, and faculty and staff with significant responsibility for students and campus activities. 

The following description of the Campus Security Authority (CSA) and their role and designation comes from the NACUA Note on International Clery Act Obligations, written by SUNY Office of General Counsel Associate Counsel Joseph Storch, and publicly available on the Higher Education Compliance Alliance website:

"Campus Security Authorities include police or security personnel, others with responsibility for security, and personnel with “significant responsibility for student and campus activities, including, but not limited to, student housing, student discipline and campus judicial proceedings.”  “Official” is defined rather broadly as “any person who has the authority and the duty to take action or respond to particular issues on behalf of the institution.” The individuals included above must be given the responsibilities of Campus Security Authorities. Institutions may also designate other personnel as Campus Security Authorities, by listing those individuals in the Annual Security Report as “an individual or organization to which students and employees should report criminal offenses.”  Pastoral and professional counselors who are so practicing when they receive a report of a crime are exempt from any requirements of Campus Security Authorities, even if they otherwise meet the requirements.

"Institutions must request statistics from all Campus Security Authorities each year to be included in the institution’s Annual Security Report.  Campus Security Authorities must forward to the individual or office responsible for Clery Act incident collection (usually Campus Police, Security, or Student Affairs) any allegations of Clery Act crimes that they believe were made in good faith.

"At a minimum for Clery Act purposes, the Campus Security Authority should disclose the details of the crime and the location where the crime occurred. The Campus Security Authority may disclose the name and contact information for the victim or individual reporting the crime, or may agree to keep that information confidential at the request of the victim or individual reporting the crime. All Campus Security Authorities should be trained in the obligations of Campus Security Authorities. In overseas programs, institutions may wish to designate all personnel working frequently with students as Campus Security Authorities, even if they do not meet the technical requirements. In that way, students abroad can feel they can speak to any institutional official overseas to report a crime. This is not a requirement, but is simply a good practice."

Federally Mandated Compliance Roles for HIPAA Covered Entities Only

Privacy Officer (for purposes of HIPAA - pertains to HIPAA Covered Entitles ONLY)

The SUMMARY OF THE HIPAA PRIVACY RULE HIPAA Compliance Manual published by the United States Department of Health and Human Services states the following with regard to the designation of a privacy administration position:

Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.  The HIPAA Privacy regulations (45 CFR Part 164.530(a)(1) require the designation of a privacy official who is responsible for the development and implementation of the entity's privacy policies and procedures.  45 CFR Part 164.530(a)(1)(ii) further requires that a covered entity must "designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by §164.520.  Each SUNY campus should designate an individual to serve as the Privacy Official for that campus. 

The Campus Privacy Official role is to:

  1. Oversee the HIPAA compliance activities of the campus, including the development, implementation and monitoring of campus HIPAA policies and procedures and workforce training;
  2. Serve as the campus resource for issues relating to HIPAA privacy;
  3. Work in concert with the Campus Security Official;
  4. Serve as the campus contact for issues/complaints relating to HIPAA privacy and be listed as the contact person on the campus' Notice of Privacy Practices; and
  5. Oversee campus responses to inquiries from patients and other outside parties. When the campus suspects that a HIPAA privacy violation has occurred, the University Privacy Officer should be notified of: (a) the suspected breach; (b) the investigation process that will be utilized; (c) the findings of the investigation; and (d) the remediation steps that will be taken to prevent future incidents.

Security Officer (for purposes of HIPAA, pertains to HIPAA Covered Entities ONLY)

STANDARD § 164.308(a)(2) requires assigned security responsibility.

In a SUMMARY OF THE HIPAA SECURITY RULE document published by the United States Department of Health and Human Services (HHS), covered entities must designate a Security Personnel.  The summary states that “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.

The details of this designation are further detailed in an HHS/ DOJ Guidance document on the HIPAA Security Rule which discusses the security standards and administrative standards of the rule.  The document states the following with respect to STANDARD § 164.308(a)(2) and the assigned security responsibility requirement: 

The second standard in the Administrative Safeguards section is Assigned Security Responsibility. There are no separate implementation specifications for this standard. The standard requires that covered entities:

This requirement is comparable to the Privacy Rule standard at §164.530(a)(1), Personnel  Designations, which requires all covered entities to designate a Privacy Official.  The Security Official and Privacy Official can be the same person, but are not required to be.   While one individual must be designated as having overall responsibility, other individuals in the covered entity may be assigned specific security responsibilities (e.g., facility security or network security).  When making this decision covered entities should consider some basic questions.  Sample questions for covered entities to consider:

New York State Compliance Roles

Affirmative Action Officer - State law

“New York State's policy is that equal opportunity will be assured in the State's personnel system and that affirmative action will be provided in the administration of that system in accordance with the requirements of the State's Human Rights Law, the mandates of Title VII of the Federal Civil Rights Act of 1964 as amended, and Executive Order No. 6 (1983). The Department of Civil Service is responsible for enforcing the Executive Order and for developing comprehensive statewide affirmative action policies, goals, objectives, and implementation strategies.

Executive Order No. 6 requires that each agency designate a full-time affirmative action officer and develop a written affirmative action program that includes specific goals and timetables for the prompt achievement of full and equal employment opportunities for minorities, women, disabled persons, and Vietnam era veterans at all occupational levels of State government.

Source: Governor’s Office of Employee Relations, Handbook For Management/Confidential Employees,

Chief Diversity Officer (CDO) – SUNY Policy

The Chief Diversity Officer role is established by SUNY Policy the Diversity, Equity, and Inclusion Policy, Document No. 7809.  The Policy requires that each campus, both State-operated and Community College campuses, as well as System Administration, appoint a Chief Diversity Officer ("CDO").

Chief Diversity Officer Role:

Enterprise Risk Management Role - SUNY Policy

The Enterprise Risk Management role was established by SUNY Policy, the Enterprise Risk Management Program Policy, Document No. 7502.  Each campus was required to designate an ERM role at their campus, and report to System Administration on the designation.  

Efforts to identify the specific dutie of the campus Enterprise Risk Management role are currently ongoing as the policy is developed into procedures for the campuses to follow.

Internal Controls Officer - State Law and SUNY Policy

Each campus location must designate an Internal Control Officer.  This Officer must coordinate with their campus each year to ensure compliance with the New York State Internal Controls Act, and to report to System Administrations System-wide Internal Controls Officer.

Ethics Officer - State requirement by JCOPE, NYS ethics oversight agency, to comply with State Law

While no provision of New York law says that we must have an Ethics Officer, the role is recognized by the oversight authority, the Joint Commission on Public Ethics, and Ethics Officers have many roles to ensure compliance with the laws that are within JCOPE’s jurisdiction.

“The Joint Commission on Public Ethics (“JCOPE”) administers and enforces the ethics laws that apply to appointees, officers and employees of New York State agencies, public authorities, public benefit corporations, and commissions ("Agency" or "Agencies"). The ethics laws apply to all of these covered persons, even those appointees who serve on an unpaid or per diem basis. Each Agency must designate an Ethics Officer to serve as the primary liaison to JCOPE.


Records Management Officer - SUNY Policy

The Records Management Officer role is established by SUNY Policy 6609, Records Retention and Disposition, pursuant to NYS Arts and Cultural Affairs Law Section 57.05 and Commissioner’s Regulations 8 NYCRR Part 188.  The policy requires a Records Management Officer at each location, and states as follows:

“Each campus should designate a local records management officer and notify the SUNY RMO of such designation. It is the responsibility of the campus RMO to report annually, by September 1 of each year, to the SUNY RMO on disposition actions taken by such campus during the previous academic year and to maintain the campus inventory of records. Requests for approval of retention schedules with shorter retention periods should be submitted by a campus through their local RMO to the SUNY RMO for transmittal to State Archives.”

Records Access Officer/ FOIL Officer - SUNY Policy and State Law

In accordance with SUNY Procedure, Document No. 6601, Compliance with the Freedom of Information Law (FOIL), the law, and the procedure codifying the law, “requires each campus and the system administration of the University to designate records access officers. Requests for information from the campus or the system administration should be directed to the respective records access officer at each location, as appropriate.” 

The term ‘Records Access Officer’ is synonymous with the term ‘FOIL Officer.’  The two roles are one in the same.

Responsible University Official (Child Protection Policy) - SUNY Policy

Pursuant to the SUNY Child Protection Policy, No. 6505, each campus must ‘Designate a Responsible University Official for each Covered Activity’ under the policy.  The Responsible University Official is the employee of the University or University-affiliated organization, who has been designated by the Campus.

Information Security Officer - SUNY Policy

SUNY’s Information Security Procedure, Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, requires that each campus establish an Information Security Officer, whose role is defined as “an assigned person (Officer) or group (Office) or coordinated function (Oversight) that understands the Campus’s information security risk, the Program, and the meaning and intent of the University standards for information security and who presents professionally and legally sound and timely advice to executive management regarding appropriate action, ensuring the Program is exposed to outside, professional perspective, especially that of the University’s central information security oversight function.”

Privacy Compliance Officer - New York State law

The New York State Personal Privacy Protection Law (Public Officers Law §§91-99), with corresponding regulation 8 NYCRR Part 315, requires that SUNY System Administration and the SUNY State-Operated campuses each designate a Privacy Compliance Officer in order to comply fully with the provisions of article 6-A of the Public Officers Law, the Personal Privacy Protection Law. The regulation states as follows: "A privacy compliance officer shall be designated by the chief administrative officer of each State- operated campus.  The name, title and business address of the campus privacy compliance officer may be obtained from the office of the chief administrative officer of each campus." SUNY's Compliance with the Personal Privacy Protection Law Policy (Document Number 6603) codifies 8 NYCRR Part 315 by requiring that the University "designate a University employee who shall be responsible for ensuring that the agency complies with all of the provisions of the PPPL (the Privacy Compliance Officer)."

The regulation also states that the "Privacy compliance officers are responsible for ensuringappropriate responses to requests for access to and for amendment or correction of recordsin accordance with the Personal Privacy Protection Law. The designation of privacy compliance officers shall not be construed to prohibit officials who have in the past beenauthorized to make records available or to amend or correct such records from continuing todo so. Privacy compliance offices shall ensure that personnel: (1) assist a data subject inidentifying and requesting personal information, if necessary; (2) describe the contents ofsystems of records orally or in writing in order to enable a data subject to learn if a system of records includes a record or personal information identifiable to the data subject; (3) take one of the following actions upon locating the record sought: (i) make the record available for inspection, in a printed form without codes or symbols, unless an accompanying document explaining such codes or symbols is also provided; (ii) permit the data subject to copy the record; or (iii) deny access to the record in whole or in part and explain in writing the reasons therefor; (4) upon request for copies of records, make a copy available upon payment of 25 cents per page; (5) upon request, certify that a copy of a record is a true copy; or (6) upon request, certify that: (i) the university or campus does not have possession of the record sought; (ii) the university or campus cannot locate the record sought after having made a diligent search; or (iii) the information sought cannot be retrieved by use of the description thereof, or by use of the name or other identifier of the data subject without extraordinary search methods being employed by the university or campus."

Domestic Violence Liaison - SUNY Policy to comply with  the New York State law on Domestic Violence

New York State Executive Order # 19, which was adopted in 2007, required that all State Agencies, including SUNY, adopt a Domestic Violence in the Workplace Policy. Each state agency was required to formulate and issue a Domestic Violence in the Workplace Policy by August 1, 2008, all while using the Office for the Prevention of Domestic Violence (OPDV) Model Domestic Violence and the Workplace Policy as a guide. Each SUNY Campus is required to review their policy ANNUALLY, and to submit any changes to the the SUNY System Affirmative Action Officer.

The SUNY Model Domestic Violence Policy that was written to serve as a model for campus local policies, required that each campus location designate a Domestic Violence liaison who would serve as a point person at the campus for resporting to System Administration on Domestic Violence issues.  The Model Domestic Violence and the Workplace Policy template, available on the SUNY Compliance website Domestic Violence page, states the following with regard to the Domestic Violence campus role:

I.  Workplace Safety Plans

By means of a domestic violence workplace safety response plan, [CAMPUS] shall make employees aware of their options and available resources and help employees safeguard each other and report domestic violence to designated officials.
a. The designated liaison between  [CAMPUS]  and SUNY System Administration is  [NAME OR OFFICE TITLE OF DESIGNATED AGENT]. This liaison will ensure campus wide implementation of this policy, and serve as the primary liaison with System Administration regarding this policy. The System Administration designated liaison will communicate with the Office for the Prevention of Domestic Violence (OPDV) on behalf of campuses as it relates to reporting.

Project Sunlight Liaison - New York Law

Project Sunlight, a component of the Public Integrity Reform Act of 2011 (Ch. 399, Part A, §4, L. 2011), is a New York State online database that provides the public with an opportunity to see what entities and individuals are interacting with government decision-makers at the various State entities. Effective January 1, 2013, State entities (including SUNY & SUNY State-operated campuses) are required to report to the OGS database 'appearances' by individuals/firms who 'appear' before State decision-makers or persons who advise decision-makers (decision makers and decision advisors are considered 'covered individuals' under the law). The Project Sunlight database, hosted by the NYS Office of General Services, aggregates the inputted data and makes it available to the public for viewing. A New York State Project Sunlight Policy was developed to clearly define what 'appearances' must be reported under the law.

Through Project Sunlight and the SUNY plan to outline compliance with the law, each campus is required to ‘Designate one/several individuals responsible for entering data in the OGS Project Sunlight database.’

∧ Back to Top  

The information contained on the SUNY Compliance website is for general campus guidance only and is not intended, nor can be relied upon, as legal advice or the imposition on SUNY campuses of specific policies or requirements. The site is intended to be an informational-only clearinghouse for some of the laws, rules, and regulations that may impact the State University of New York’s campuses. Additionally, given the rapid, changing nature of laws, rules and regulations, there may be delays or omissions contained on this site which therefore cannot be relied upon as complete. For complete compliance information, consult your campus compliance officials. For legal advice, consult your lawyer.