The University’s Privacy Program: A Compliance Resource for Handling Personally Identifiable Information
By: Patricia Shea, Chief Privacy Officer, UD
While information “security” focuses on safeguarding information once you have it, information “privacy” addresses, among other things, whether you can collect information in the first place, especially personally identifiable information. Personally identifiable information broadly includes any information that can identify a person as well as data elements that, when combined with other available information, can be used for identification. Collecting and using personally identifiable information must comply with state, federal, and international privacy laws. Combined, these privacy laws create a complicated compliance landscape with the potential for unintended violations and costly fines, penalties, and reputational damage.
Beginning in 2022, the University will be centralizing its privacy compliance efforts and adding resources to its overall privacy program (the “UD Privacy Program”) to help staff, faculty, and students navigate the privacy landscape.
The Legal Landscape
Deciphering privacy laws can be complicated. In some cases, state and federal laws both address personally identifiable information; often, state laws add protections not included under federal laws. As long as the state law only adds requirements that do not conflict with the federal law, both laws apply, and it would be a mistake to look only to the federal law. For example, the federal Health Insurance Portability and Accountability Act (“HIPAA”) applies to most health information, but states, including Delaware, also have laws that add protections to certain kinds of health information, such as personal information about mental health, substance use disorder, and sexually transmitted diseases. If more than one law addresses the personally identifiable information, the underlying circumstances determine the one that applies.
To make matters more confusing, international laws increasingly apply to the University’s collection and use of personally identifiable information. For example, the General Data Privacy Regulation (“GDPR”) in the European Economic Area (“EEA”) applies when collecting or using personally identifiable information about people located there. China recently passed its version of the GDPR called the Chinese Personal Information Privacy Law (“PIPL”), and other countries are preparing or have already passed similar laws. Whenever the University engages in cross-border data processing activities, such as when it recruits foreign students or faculty, these international privacy laws must be considered.
The UD Privacy Program
Given the existing landscape, any organization that plans to collect or use personally identifiable information must identify existing applicable laws and build compliance with them into the strategy for handling the information (often referred to as “privacy by design”). Consideration should also be given to pending legislation that could impose additional requirements.
To aid in this effort, the University is centralizing privacy compliance efforts into the UD Privacy Program. The UD Privacy Program will make available a variety of resources to help inform students and employees about applicable legal requirements. For example, a new webpage will soon be available to collect helpful resources, such as links to the applicable laws, guidance regarding those laws, FAQs, and contact information for individuals at the University who can help you decipher compliance obligations, including the chief privacy officer. As a key part of the UD Privacy Program, the chief privacy officer will also periodically survey compliance with the University’s policies and procedures and make recommendations to leadership for improvements. The UD Privacy Program, including the resource webpage, will be fluid with new information being added throughout the year.
If you have any questions about the UD Privacy Program, or suggestions for additional resources or other improvements, please contact Patricia Shea, Chief Privacy Officer, at pcshea@udel.edu.