The University will create, maintain and abide by a Master Privacy Statement applicable to all record keeping systems and will amend it with any required unit specific privacy statements.
Note that the line above is University Institutional Policy and that what follows, including the Master Privacy Statement, is University Operational Policy. Both are approved by the Information Strategy and Policy Committee (ISPC). Adopted by the Cabinet 2/25/2008.
Confidential information - Confidential Information is defined by The University's Information Management Policy and repeated here for convenience:
- Confidential Information is the strictest data classification used by the University and requires maximum control. Depending on the nature or contents of the Confidential Information, disclosure or alteration of this type of information could cause great harm to an employee, student or the University. Confidential Information requires safeguarding, either due to the requirements of law or because of the mandates of prudent and reasonable practices.
The University's Computing and Communications Confidentiality Policy states: The University will treat all of its individual User information, User activity, and User communications as Confidential Information as defined in its Information Management Policy.
Restricted Information - Information with access restricted to individuals who have been explicitly granted authorization to do so.
Private Information - Information owned or controlled by the individual, not the institution.
Personally Identifiable Information - Private information stored with personally identifiable names or numbers. All Personally Identifiable Information is Confidential Information.
Protected Health Information - The Privacy Rule provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
Privacy - The expectation that Personally Identifiable Information will not be disclosed to anyone other than its owner. Privacy is traded for the ability to do business with strangers. Practically speaking, consumers convert their private information to restricted information in return for goods and/or services.
Privacy Statement - The detailed, documented, public face on the University's stewardship of user information.
Master Privacy Statement - The operational privacy principles the University uses that pertain to all cases.
Master Privacy Statement Addendum - The special or exceptional operational privacy principles the University uses that pertain to a specific case.
Computers - this means desktop, laptop, servers and all other computing hardware, media and communication devices or systems that can store data.
In 2004 the U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule standards address the use and disclosure of individuals' health information-called "protected health information" by organizations subject to the Privacy Rule - called "covered entities," as well as standards for individuals' privacy rights to understand and control how their health information is used.
It should also be noted that issues like identity theft and spam have become serious problems in daily life. As the University increasingly collects personal information as it moves toward its goals of customized and personalized service to its community, privacy concerns will be a significant roadblock unless they are directly and prominently addressed. The University must join the large number of commercial entities that provide comprehensive and visible privacy statements.
- The Master Privacy Statement applies to all data on individuals held by the University.
- Privacy Statement Addendums are and will be written:
a) when it is necessary to override and/or modify this Master Privacy Statement
b) when required by law or contract
c) when information falling under this Statement is supplied to third parties
d) when units provide health services subject to the HIPAA Privacy Rule
- The Master Privacy Statement is about documenting stewardship of information in record-keeping systems and does not cover ownership or copyright issues.
- It is the University's policy that there shall be no personal data record-keeping systems whose very existence is a secret.
- Each record-keeping system, as needed by contract, or required by law, will have an associated Privacy Statement Addendum conveniently available to its information contributors. In particular, as applicable and/or required, each online web page will have a Privacy Statement link that covers the personally identifiable information being solicited on that Page.
Where they exist, each Privacy Statement Addendum shall include:
- A unique name for the Privacy Statement Addendum that clearly identifies the Addendum for the intended purpose and/or audience. For example, Admission's Website Privacy Statement Addendum.
- The full name of the organizational unit sponsoring the Addendum and its current contact information.
- The date this Privacy Statement Addendum took effect and the date it was last updated.
- A statement that this is an Addendum to the University's Master Privacy Statement and a web reference link back to the Master Privacy Statement.
- What personally identifiable information of the information provider or third party personally identifiable information is being obtained or collected under this Addendum, directly or through, non-University third parties.
- How the information will be used and/or how it will not be used.
- If different from the provisions of the Master Privacy Statement, with whom the information may be shared and/or with whom the information will not be shared.
- What choices, if any, are available to the information provider regarding how information is or may be obtained, used and/or distributed.
- How the information provider can access, verify, amend the collected information and/or correct any inaccuracies in the collected information.
- The kind of security processes, procedures and policies that are in place to prevent the misuse, alteration or loss of the provided information.
- A statement that the University and/or the University organizational unit controlling the Privacy Statement Addendum reserves the right to change it at any time without prior notice or consent, but that if such changes are made, they will be prominently and widely communicated.
- For Privacy Statement Addendums covering information gathered online, a change history for That Addendum will be maintained off the Privacy Statement link on each page that gathers such information.
- In cases where a Business Associate Agreement as described in the HIPAA Privacy Rule is mandated, this should be documented in the Addendum.
Note: All Privacy Statements and Addendums should be reviewed by legal counsel. When providing paper copies to information providers, the information collector must provide the Master Privacy Statement and all the appropriate Privacy Statement Addendums relative to the information being collected.
Neither this master Privacy Statement nor any of its Privacy Statement Addendums are intended to address all, or fully and accurately prescribe, compliance steps required under the various applicable federal, state and local laws. It is expected that the University will comply with all such laws as determined to be applicable to the University by its legal counsel. Therefore, University compliance with this policy and/or statements should not be considered sufficient to comply with any particular law. The advice of expert counsel is recommended for all compliance issues.
Pacific's Master Privacy Statement:
Date this Master Privacy Statement went into effect: MM/DD/YYYY
Date this Master Privacy Statement was last updated : MM/DD/YYY
The University: The University of the Pacific and all its divisions, departments and officially sponsored organizations.
The General Public: Unrestricted readers of, University produced, Printed Materials and Web Site.
Personally identifiable information: Individually identifiable information including any of the following:
- A full or partial name
- A home address or other physical address
- An e-mail address or other electronic address
- A telephone number or other communications device number
- A social security number or other identification number
- A date of birth
- Drivers license number
- Credit card or Financial account number
- Any other identifier that permits the physical or online contacting of a specific individual
- Any information concerning an individual in combination with an identifier described above. In particular,
a) for students, this includes all information not designated as Directory information under FERPA.
b) for all, Protected Health Information (PHI). The Privacy Rule provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 define PHI as all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form of media, whether electronic, paper, or oral."
Does not include non-individual summary information used for statistical purposes. Does not include works of authorship, copyrighted information or electronic communications such as voicemail or email.
Record Keeping System: A system designed to collect, organize and store personally identifiable information. Record keeping systems may vary from a simple document, to a spreadsheet to a database and are primarily intended to facilitate administering activities related to the mission of the University.
Information Provider: The individual that provides the information.
Third Parties: Individuals or organizations, not a part of or affiliated with the University.
Provided information: Personally identifiable information given directly to the University by an individual. This information can be about themselves or another individual, like a parent or guardian.
Collected Information: Personally identifiable information that may include directly provided information and/or information obtained from a third party.
Directory Information: Personally identifiable information that: (1) For Students consists of elements defined as not confidential under FERPA. (2) For employees, information defined as not confidential by HR. (3) For everyone, information that the Information Provider explicitly designates as not confidential. Directory information may be freely provided to The University.
Privacy Flag: Students may request that Directory information not be shared with anyone, by asking the Registrar to set the Privacy Flag.
In the course of fulfilling its mission of teaching, learning and scholarship, the University employs a variety of record keeping systems and collects and uses a variety of information associated with its past, present and future customers, including faculty, staff and students. In addition to observing all applicable privacy and confidentiality laws, the University respects and protects individual privacy through this Master Privacy Statement and, where applicable, a series of Privacy Statement Addendums. Privacy Statement Addendums are specific to the information being collected and/or the specific academic or administrative units that collects it.
In all circumstances, the University will:
- a) Secure all personally identifiable information using appropriate and generally practiced security measures and technology.
- b) Except for Directory Information, consider all personally identifiable information as confidential under its Computing and Communications Confidentiality Policy, sharing it only on a need-to-know basis under the terms of this Master Privacy Statement and any applicable Privacy Statement Addendums.
- c) Directory Information will not be shared with the General Public without its owner's explicit permission.
- d) Practice good stewardship of Directory Information, using it appropriately under applicable laws, this Master Privacy Statement and any applicable Privacy Statement Addendums.
- e) If it is required to do so, comply with the law or with legal process and disclose personally identifiable information.
- f) Retain the right to use personal information in its systems to identify the source of any inappropriate usage of its electronic resources as outlined in its Information Technology Policies: Acceptable Use Policy.
- g) Change this Master Privacy Statement from time to time without prior notice or consent, but if changes are made, that fact will be prominently and widely communicated. A Change history for the Master Privacy Statement will be maintained off the Privacy Statement link on Pacific's Home Page.
- h) Accept and act on all allegations of Privacy Statement violations addressed to firstname.lastname@example.org.
Unless explicitly stated otherwise in a specific Privacy Statement Addendum, Pacific may:
- i) Share personally identifiable information, on a need to know only basis, with authorized third parties (non-Pacific entities) that provide service to the University and that have contractually agreed to point (a.) above.
- j) Share protected Health Information with authorized third parties as permitted under the HIPAA Privacy Rule solely for the purpose of treatment, payment, or and health care operations.
- k) Not provide personally identifiable information to third parties for any purpose unrelated to the mission of the University without the explicit permission of the information provider or as specified in the HIPAA Privacy Rule. This includes, but is not limited to the marketing of commercial goods or the provision of commercial services.
- l) Share personally identifiable information within Pacific in support of its mission of teaching, learning and scholarship and the administration thereof so long as the Privacy Statement Addendum (if any) under which the information was collected remains in force.
- m) Obtain personally identifiable information from third parties (collected information), solely as necessary to conduct the business of the University, and will treat that information as if it were directly obtained from the person in question.
- n) Request personally identifiable information for the purpose of obtaining access to and/or verifying authorization to use services or facilities of or sponsored by the University, especially by electronic means for electronic services.
- o) Add a consent line to information input sources, like forms or screens, stating that by their agreement their information will be managed under the University's Privacy Statement and/or a particular Privacy Statement Addendum(s). Failure to sign would halt the associated business process, perhaps resulting in the inability of the University to provide desired services or considerations.
Appendix I California Online Privacy Protection Act of 2003:
Below is the full text of the applicable parts of the California Online Privacy Protection Act of 2003. Because Pacific complies with all applicable law, this appendix is University Policy by reference. Note that this law is very prescriptive as to how privacy policies are to be posted on web sites. Those units to which this law applies, must write corresponding Privacy Statement Addendums.
BUSINESS AND PROFESSIONS CODE
An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
- Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
- If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
- Identify its effective date.
(a) Knowingly and willfully.
(b) Negligently and materially.
- For the purposes of this chapter, the following definitions apply:
(a) The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
- (1) A first and last name.
- (2) A home or other physical address, including street name and name of a city or town.
- (3) An e-mail address.
- (4) A telephone number.
- (5) A social security number.
- (6) Any other identifier that permits the physical or online contacting of a specific individual.
- (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
- (A) Includes the word "privacy."
- (B) Is written in capital letters equal to or greater in size than the surrounding text.
- (C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
- (4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.
- (c) The term "operator" means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner.
- (d) The term "consumer" means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.
This chapter shall become operative on July 1, 2004.