At the University of Delaware, Privacy is Everyone’s Business
By PC Shea, UD Chief Privacy Officer
Our personally identifiable information may be one of our most valuable assets. We use it to confirm our identity when we conduct commercial transactions, travel, and obtain and pay for appropriate health care, among other things. It includes our name, address, telephone numbers, email addresses, as well as more sensitive information such as social security numbers, account numbers, passport numbers, health information, and passwords, to name a few. We keep it safe and secure and share it sparingly because if misused or stolen, the consequences can haunt us for years. Moreover, reestablishing and repairing our identity is a time-consuming and complicated task. We therefore expect, and sometimes the law mandates, that those with whom we choose to share our personally identifiable information tell us why they need it, how they will use it, and how they will protect it from misuse or unauthorized access or disclosure.
Students, faculty, staff, business partners, trustees, donors, patients, research participants, and members of the public expect the same thing from the University of Delaware. The University obtains their personally identifiable information in a variety of ways including when they visit our website, call us, enroll in programs, make donations, or when they participate in University research projects. As we are stewards of the personally identifiable information we collect and maintain, we must protect that information and be strategic about what we collect and how we use it, both to safeguard individuals and to mitigate the costs of securing the information or potential implications should security fail.
Recognizing these obligations, in 2022 the University’s executive team approved the Personally Identifiable Information Privacy Policy which adopts updated industry best practices for handling personally identifiable information throughout its lifecycle with the University – from identifying what information should be collected in the first place to using, maintaining, and ultimately deleting the information when the purpose for collecting it has been achieved. The policy applies to all members of the University community, including but not limited to students, faculty, and staff.
The Personally Identifiable Information Privacy Policy requires the University community to think critically about what information is needed and to limit the collection of personally identifiable information to the minimum that is directly relevant to the approved academic, research, or administrative purpose – nothing more. For example, although it may be easier to download an entire file as opposed to specific data elements, doing so is contrary to the Privacy Policy. Access to the information must also be restricted and limited to only those with a legitimate need to know.
Once collected, use of the information needs to correspond with the purpose for which it was collected to comply with statements we made to individuals when we obtained their information, as well as any legal requirements. For example, if an entity collects cell phone numbers to contact people in the event of an emergency, expanding the use of the information to send marketing communications via text messages would not be permitted under federal law and might result in fines and penalties for the entity.
The policy also acknowledges that certain data subjects have rights regarding their personally identifiable information, including explicit choice and control as to how it will be used or disclosed, such as the ability to review the collected information and the opportunity to correct, supplement, or delete it (subject to applicable law). As explained in the policy, we must think about how to accommodate these rights.
In short, before personally identifiable information is requested, those responsible for its collection need to have a plan for all of its lifecycle stages: collection, use, access, disclosure, correction, protection, and deletion. In many cases, this plan must address state, federal, and international laws. Everyone at the University of Delaware has a stake in this effort. It is everyone’s business.