Personally Identifiable Information Privacy Policy

Section: Governance, Ethics, and General Policies
Policy Name: Personally Identifiable Information Privacy Policy
Policy Owner: Vice President and General Counsel
Responsible University Office: Office of General Counsel
Origination Date: February 2022
Revisions: March 2024
    Interactions between the University and the community (employees, students, faculty, staff, and the general public) generate information that identifies the individuals involved. These interactions occur electronically, through written correspondence, orally, and by virtue of a person’s physical presence on campus. The University is committed to protecting the privacy of this information to the extent reasonably practicable and in accordance with applicable laws. This Policy explains how the University collects and handles this identifiable information. This Policy applies to all members of the University community, including, but not limited to, students, faculty, and staff.
    1. “Personally Identifiable Information” means any information identifying anyone related to the University including students, employees, patients, clients, research subjects, customers, visitors, donors, and trustees that can be used, directly or indirectly, to identify an individual. Personally Identifiable Information includes a person’s name; street address; phone number; email and IP addresses; social security, driver’s license, passport, or other government-issued identification number; race, gender, ethnicity, political, and religious identifiers; family information; payment card and financial account numbers; IT systems access credentials; photographs and other biometric identifiers; health and genetic information; geolocation data; and background check results.
    2. “Privacy” refers to rules governing the collection and handling of Personally Identifiable Information, including the right of individuals to control how their Personally Identifiable Information may be collected, used, or disclosed, if at all.
    The University will limit its collection and handling of Personally Identifiable Information to that which reasonably serves the University’s academic, research, or administrative functions as specified in this Policy and in accordance with applicable federal, state, or international laws and in accordance with the standards adopted in this Policy.
    1. Privacy Best Practices
      The University adopts the following standards as best practices applicable to the University’s collection and subsequent handling of Personally Identifiable Information (the “Best Practices”) to the extent practicable and while recognizing the University’s academic, research, and administrative functions and the information requirements necessary to carry out those functions. The Best Practices apply to all facets of the University’s operations involving Personally Identifiable Information.

      With respect to Personally Identifiable Information, the University will:

      1. Limit the collection and use of Personally Identifiable Information to the minimum that is directly relevant and necessary to accomplish the University’s academic, research, or administrative purpose.
      2. Remove Personally Identifiable Information from datasets to the extent possible or use aggregation, tokenization, or other anonymizing techniques.
      3. Use Personally Identifiable Information only for the specific purposes for which it was collected (or otherwise with the explicit consent of the individual or as authorized by law).
      4. Limit access to Personally Identifiable Information to only those with legitimate need-to-know.
      5. Before collecting Personally Identifiable Information, provide a notice that clearly and simply describes how the University plans to use the information, including the specific purposes for collection.
      6. To the extent practicable, give individuals explicit choice and control as to how their Personally Identifiable Information will be used and disclosed, and provide individuals with the ability to review the collected Personally Identifiable Information and the opportunity to correct, supplement, or delete it.
      7. Transfer Personally Identifiable Information only to/from third parties that meet or exceed these Best Practices, under a written agreement to that effect, and when consistent with other legal or regulatory requirements.
      8. Understand where Personally Identifiable Information will be collected, stored, transferred, and made accessible geographically throughout its lifecycle, both by the University and its third parties. Ensure adherence to pertinent international and local laws.[1]
      9. Retain Personally Identifiable Information only as long as needed or as required by law or agreement. Delete or archive Personally Identifiable Information when no longer needed.[2]
      10. Comply with Information Technology’s security and data governance policies and procedures.
    2. Privacy Requirements Imposed by Law
      Personally Identifiable Information may also be subject to state, federal, and international privacy laws based on (i) the subject of the information (e.g., medical, educational, financial, etc.); or (ii) where the person was located at the time the information was collected. In the event the privacy requirements imposed by law are more stringent or give the subjects of the information more rights than the Best Practices, the legal requirements apply.

      The University has policies addressing Personally Identifiable Information subject to Privacy requirements imposed by law which can be accessed through the University’s Privacy Program Web Page available at [link will be available soon].

    3. Roles and Responsibilities
      The University’s Chief Privacy Officer will coordinate the University’s efforts to comply with this Policy. The Chief Privacy Officer will address questions about the University’s collection and handling of Personally Identifiable Information and will respond to complaints and requests from individuals about the Personally Identifiable Information the University has about them or the University’s compliance with this Policy and other applicable privacy laws. The Chief Privacy Officer will work with other University personnel designated in the University’s policies as appropriate.

      Members of the University community who are aware of, or reasonably suspect, a violation of this Policy must report such a violation to the Chief Privacy Officer.

    4. Compliance
      Violations of this Policy may result in disciplinary action.

[1] Please contact the Chief Privacy Officer to assist in navigating questions related to pertinent international and local laws.

[2] Please also refer to the Archives and Records Management Policy.