Governance, Ethics and General

Personally Identifiable Information Privacy Policy

Section: Governance, Ethics, and General Policies
Policy Name: Personally Identifiable Information Privacy Policy
Policy Owner: Vice President and General Counsel
Responsible University Office: Office of General Counsel
Origination Date: February 2022
Revisions: March 2024, December 2024
  1. SCOPE OF POLICY
    Interactions between the University and the community (employees, students, faculty, staff, and the general public) generate information that identifies the individuals involved. These interactions occur electronically, through written correspondence, orally, and by virtue of a person’s physical presence on campus. The University is committed to protecting the privacy of this information to the extent reasonably practicable and in accordance with applicable laws. This Policy explains how the University collects and handles this identifiable information. This Policy applies to all members of the University community, including but not limited to, students, faculty, and staff. 
  2. DEFINITIONS
    1. Personally Identifiable Information” means any information identifying anyone related to the University including students, employees, patients, clients, research subjects, customers, visitors, donors, and trustees that can be used, directly or indirectly, to identify an individual. Personally Identifiable Information includes a person’s name; street address; phone number; email and IP addresses; geolocation; social security, driver’s license, passport, or other government-issued identification number; race, gender, ethnicity, political, and religious identifiers; family information; payment card and financial account numbers; IT systems access credentials; photographs and other biometric identifiers; health and genetic information; geolocation data; and background check results.
    2. Privacy” refers to rules governing the collection and handling of Personal Identifiable Information, including the right of individuals to control how their Personally Identifiable Information may be collected, used, or disclosed, if at all.
  3. POLICY STATEMENT
    The University will limit its collection and handling of Personally Identifiable Information to that which reasonably serves the University’s academic, research, or administrative functions as specified in this Policy and in accordance with applicable federal, state, or international laws and in accordance with the standards adopted in this Policy
  4. POLICY STANDARDS AND PROCEDURES
    1. Privacy Best Practices
      The University adopts the following standards as best practices applicable to the University’s collection and subsequent handling of Personally Identifiable Information (the “Best Practices”) to the extent practicable and while recognizing the University’s academic, research, and administrative functions and the information requirements necessary to carry out those functions. The Best Practices apply to all facets of the University’s operations involving Personally Identifiable Information.With respect to Personally Identifiable Information, the University will:

      1. Limit the collection and use of Personally Identifiable Information to the minimum that is directly relevant and necessary to accomplish the University’s academic, research, or administrative purpose.
      2. Remove Personally Identifiable Information from datasets to the extent possible or use aggregation, tokenization, or other anonymizing techniques.
      3. Use Personally Identifiable Information only for the specific purposes for which it was collected (or otherwise with the explicit consent of the individual or as authorized by law).
      4. Limit access to Personally Identifiable Information to only those with legitimate need-to-know.
      5. Before collecting Personally Identifiable Information, provide a notice that clearly and simply describes how the University plans to use the information, including the specific purposes for collection.
      6. To the extent practicable, give individuals explicit choice and control as to how their Personally Identifiable Information will be used and disclosed, and provide individuals with the ability to review the collected Personally Identifiable Information and the opportunity to correct, supplement, or delete it.
      7. Transfer Personally Identifiable Information only to/from third parties that meet or exceed these Best Practices, under a written agreement to that effect, and when consistent with other legal or regulatory requirements.
      8. Understand where Personally Identifiable Information will be collected, stored, transferred, and made accessible geographically throughout its lifecycle, both by the University and its third parties. Ensure adherence to pertinent international and local laws.[1]
      9. Retain Personally Identifiable Information only as long as needed or as required by law or agreement. Delete or archive Personally Identifiable Information when no longer needed.[2]
      10. Comply with Information Technology’s security and data governance policies and procedures.
    2. Privacy Requirements Imposed by Law
      Personally Identifiable Information may also be subject to state, federal, and international privacy laws based on (i) the subject of the information (e.g., medical, educational, financial, etc.); or (ii) where the person was located at the time the information was collected. In the event the privacy requirements imposed by law are more stringent or give the subjects of the information more rights than the Best Practices, the legal requirements apply.
    3. Response to Request to Exercise Privacy Rights                                          Data subjects may exercise rights applicable to their Personally Identifiable Information by submitting the request to the University’s Chief Privacy Officer at PrivacyOfficer@udel.edu or in writing to the Office of General Counsel, Chief Privacy Officer, 112 Hullihen Hall, Newark, DE 19716. Requests will be responded to within the timeframes required by applicable law. In the event no action is taken on a request, the requestor will be notified and allowed to appeal. Appeals will be processed in accordance with applicable law.
    4. Roles and Responsibilities
       The University’s Chief Privacy Officer will coordinate the University’s efforts to comply with this Policy. The Chief Privacy Officer will address questions about the University’s collection and handling of Personally Identifiable Information and will respond to complaints and requests from individuals about the Personally Identifiable Information the University has about them or the University’s compliance with this Policy and other applicable privacy laws. The Chief Privacy Officer will work with other University personnel designated in the University’s policies as appropriate.Members of the University community who are aware of, or reasonably suspect, a violation of this Policy must report such a violation to the Chief Privacy Officer.
    5. Compliance
      Violations of this Policy may result in disciplinary action.

[1] Please contact the Chief Privacy Officer to assist in navigating questions related to pertinent international and local laws.

[2] Please also refer to the Archives and Records Management Policy.