• Print

3.8.17 Privacy Policy

Policy:
The University will create, maintain and abide by a Master Privacy Statement applicable to all record keeping systems and will amend it with any required unit specific privacy statements.

Note that the line above is University Institutional Policy and that what follows, including the Master Privacy Statement, is University Operational Policy. Both are approved by the Information Strategy and Policy Committee (ISPC). Adopted by the Cabinet 2/25/2008.

Definitions:

Confidential information - Confidential Information is defined by The University's Information Management Policy and repeated here for convenience:

  • Confidential Information is the strictest data classification used by the University and requires maximum control. Depending on the nature or contents of the Confidential Information, disclosure or alteration of this type of information could cause great harm to an employee, student or the University. Confidential Information requires safeguarding, either due to the requirements of law or because of the mandates of prudent and reasonable practices.

The University's Computing and Communications Confidentiality Policy states: The University will treat all of its individual User information, User activity, and User communications as Confidential Information as defined in its Information Management Policy.

Restricted Information - Information with access restricted to individuals who have been explicitly granted authorization to do so.

Private Information - Information owned or controlled by the individual, not the institution.

Personally Identifiable Information - Private information stored with personally identifiable names or numbers. All Personally Identifiable Information is Confidential Information.

Protected Health Information - The Privacy Rule provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

Privacy - The expectation that Personally Identifiable Information will not be disclosed to anyone other than its owner. Privacy is traded for the ability to do business with strangers. Practically speaking, consumers convert their private information to restricted information in return for goods and/or services.

Privacy Statement - The detailed, documented, public face on the University's stewardship of user information.

Master Privacy Statement - The operational privacy principles the University uses that pertain to all cases.

Master Privacy Statement Addendum - The special or exceptional operational privacy principles the University uses that pertain to a specific case.

Computers - this means desktop, laptop, servers and all other computing hardware, media and communication devices or systems that can store data.

Background: 

According to Educause's white paper Privacy, "Traditionally, Congress has chosen not to pass any broad spectrum privacy laws, but to limit the government's power and target specific issues as they arise. As a result, we have a "quilt" of laws and regulations such as the Fair Credit Reporting Act, the Family Education Rights and Privacy Act, the Cable Communications Policy Act, [the Health Insurance Portability and Accountability Act,] and most recently the Children's Online Privacy Protection Act [and the Gramm-Leach-Bliley (GLB) Act]. However, what has developed is a standard. The Code of Fair Information Practices was originally developed in 1973 by the Department of Health, Education, and Welfare to limit the government's access to private information. It has evolved into the standard which both the government and private sectors use to measure privacy policy, and is comparable to international guidelines developed by the OECD (Organization for Economic Cooperation and Development)." The work below covers the requirements of that code. In California, The California Online Privacy Protection Act of 2003, is aligned with the code (alignment is bolded below).

In 2004 the U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule standards address the use and disclosure of individuals' health information-called "protected health information" by organizations subject to the Privacy Rule - called "covered entities," as well as standards for individuals' privacy rights to understand and control how their health information is used.

It should also be noted that issues like identity theft and spam have become serious problems in daily life. As the University increasingly collects personal information as it moves toward its goals of customized and personalized service to its community, privacy concerns will be a significant roadblock unless they are directly and prominently addressed. The University must join the large number of commercial entities that provide comprehensive and visible privacy statements.

Principles:

  1. The Master Privacy Statement applies to all data on individuals held by the University.
  2. Privacy Statement Addendums are and will be written:
    a) when it is necessary to override and/or modify this Master Privacy Statement
    b) when required by law or contract
    c) when information falling under this Statement is supplied to third parties
    d) when units provide health services subject to the HIPAA Privacy Rule
  3. The Master Privacy Statement is about documenting stewardship of information in record-keeping systems and does not cover ownership or copyright issues.
  4. It is the University's policy that there shall be no personal data record-keeping systems whose very existence is a secret.
  5. Each record-keeping system, as needed by contract, or required by law, will have an associated Privacy Statement Addendum conveniently available to its information contributors. In particular, as applicable and/or required, each online web page will have a Privacy Statement link that covers the personally identifiable information being solicited on that Page.

Addendum Principles:

Where they exist, each Privacy Statement Addendum shall include:

  1. A unique name for the Privacy Statement Addendum that clearly identifies the Addendum for the intended purpose and/or audience. For example, Admission's Website Privacy Statement Addendum.
  2. The full name of the organizational unit sponsoring the Addendum and its current contact information.
  3. The date this Privacy Statement Addendum took effect and the date it was last updated.
  4. A statement that this is an Addendum to the University's Master Privacy Statement and a web reference link back to the Master Privacy Statement.
  5. What personally identifiable information of the information provider or third party personally identifiable information is being obtained or collected under this Addendum, directly or through, non-University third parties.
  6. How the information will be used and/or how it will not be used.
  7. If different from the provisions of the Master Privacy Statement, with whom the information may be shared and/or with whom the information will not be shared.
  8. What choices, if any, are available to the information provider regarding how information is or may be obtained, used and/or distributed.
  9. How the information provider can access, verify, amend the collected information and/or correct any inaccuracies in the collected information.
  10. The kind of security processes, procedures and policies that are in place to prevent the misuse, alteration or loss of the provided information.
  11. A statement that the University and/or the University organizational unit controlling the Privacy Statement Addendum reserves the right to change it at any time without prior notice or consent, but that if such changes are made, they will be prominently and widely communicated.
  12. For Privacy Statement Addendums covering information gathered online, a change history for That Addendum will be maintained off the Privacy Statement link on each page that gathers such information.
  13. In cases where a Business Associate Agreement as described in the HIPAA Privacy Rule is mandated, this should be documented in the Addendum.

Note: All Privacy Statements and Addendums should be reviewed by legal counsel. When providing paper copies to information providers, the information collector must provide the Master Privacy Statement and all the appropriate Privacy Statement Addendums relative to the information being collected.

Limitations:

Neither this master Privacy Statement nor any of its Privacy Statement Addendums are intended to address all, or fully and accurately prescribe, compliance steps required under the various applicable federal, state and local laws. It is expected that the University will comply with all such laws as determined to be applicable to the University by its legal counsel. Therefore, University compliance with this policy and/or statements should not be considered sufficient to comply with any particular law. The advice of expert counsel is recommended for all compliance issues.

***********************************************

Pacific's Master Privacy Statement:

Date this Master Privacy Statement went into effect: MM/DD/YYYY
Date this Master Privacy Statement was last updated : MM/DD/YYY

Definitions:

The University: The University of the Pacific and all its divisions, departments and officially sponsored organizations.

The General Public: Unrestricted readers of, University produced, Printed Materials and Web Site.

Personally identifiable information: Individually identifiable information including any of the following:

  1. A full or partial name
  2. A home address or other physical address
  3. An e-mail address or other electronic address
  4. A telephone number or other communications device number
  5. A social security number or other identification number
  6. A date of birth
  7. Drivers license number
  8. Credit card or Financial account number
  9. Any other identifier that permits the physical or online contacting of a specific individual
  10. Any information concerning an individual in combination with an identifier described above. In particular,
    a) for students, this includes all information not designated as Directory information under FERPA.
    b) for all, Protected Health Information (PHI). The Privacy Rule provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 define PHI as all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form of media, whether electronic, paper, or oral."

Does not include non-individual summary information used for statistical purposes. Does not include works of authorship, copyrighted information or electronic communications such as voicemail or email.

Record Keeping System: A system designed to collect, organize and store personally identifiable information. Record keeping systems may vary from a simple document, to a spreadsheet to a database and are primarily intended to facilitate administering activities related to the mission of the University.

Information Provider: The individual that provides the information.

Third Parties: Individuals or organizations, not a part of or affiliated with the University.

Provided information: Personally identifiable information given directly to the University by an individual. This information can be about themselves or another individual, like a parent or guardian.

Collected Information: Personally identifiable information that may include directly provided information and/or information obtained from a third party.

Directory Information: Personally identifiable information that: (1) For Students consists of elements defined as not confidential under FERPA. (2) For employees, information defined as not confidential by HR. (3) For everyone, information that the Information Provider explicitly designates as not confidential. Directory information may be freely provided to The University.

Privacy Flag: Students may request that Directory information not be shared with anyone, by asking the Registrar to set the Privacy Flag.

Introduction:

In the course of fulfilling its mission of teaching, learning and scholarship, the University employs a variety of record keeping systems and collects and uses a variety of information associated with its past, present and future customers, including faculty, staff and students. In addition to observing all applicable privacy and confidentiality laws, the University respects and protects individual privacy through this Master Privacy Statement and, where applicable, a series of Privacy Statement Addendums. Privacy Statement Addendums are specific to the information being collected and/or the specific academic or administrative units that collects it.

Precepts:

In all circumstances, the University will:

  • a) Secure all personally identifiable information using appropriate and generally practiced security measures and technology.
  • b) Except for Directory Information, consider all personally identifiable information as confidential under its Computing and Communications Confidentiality Policy, sharing it only on a need-to-know basis under the terms of this Master Privacy Statement and any applicable Privacy Statement Addendums.
  • c) Directory Information will not be shared with the General Public without its owner's explicit permission.
  • d) Practice good stewardship of Directory Information, using it appropriately under applicable laws, this Master Privacy Statement and any applicable Privacy Statement Addendums.
  • e) If it is required to do so, comply with the law or with legal process and disclose personally identifiable information.
  • f) Retain the right to use personal information in its systems to identify the source of any inappropriate usage of its electronic resources as outlined in its Information Technology Policies:  Acceptable Use Policy.
  • g) Change this Master Privacy Statement from time to time without prior notice or consent, but if changes are made, that fact will be prominently and widely communicated. A Change history for the Master Privacy Statement will be maintained off the Privacy Statement link on Pacific's Home Page.
  • h) Accept and act on all allegations of Privacy Statement violations addressed to privacy@pacific.edu.

Unless explicitly stated otherwise in a specific Privacy Statement Addendum, Pacific may:

  • i) Share personally identifiable information, on a need to know only basis, with authorized third parties (non-Pacific entities) that provide service to the University and that have contractually agreed to point (a.) above.
  • j) Share protected Health Information with authorized third parties as permitted under the HIPAA Privacy Rule solely for the purpose of treatment, payment, or and health care operations.
  • k) Not provide personally identifiable information to third parties for any purpose unrelated to the mission of the University without the explicit permission of the information provider or as specified in the HIPAA Privacy Rule. This includes, but is not limited to the marketing of commercial goods or the provision of commercial services.
  • l) Share personally identifiable information within Pacific in support of its mission of teaching, learning and scholarship and the administration thereof so long as the Privacy Statement Addendum (if any) under which the information was collected remains in force.
  • m) Obtain personally identifiable information from third parties (collected information), solely as necessary to conduct the business of the University, and will treat that information as if it were directly obtained from the person in question.
  • n) Request personally identifiable information for the purpose of obtaining access to and/or verifying authorization to use services or facilities of or sponsored by the University, especially by electronic means for electronic services.
  • o) Add a consent line to information input sources, like forms or screens, stating that by their agreement their information will be managed under the University's Privacy Statement and/or a particular Privacy Statement Addendum(s). Failure to sign would halt the associated business process, perhaps resulting in the inability of the University to provide desired services or considerations.

***********************************************

Appendix I California Online Privacy Protection Act of 2003:

Below is the full text of the applicable parts of the California Online Privacy Protection Act of 2003. Because Pacific complies with all applicable law, this appendix is University Policy by reference. Note that this law is very prescriptive as to how privacy policies are to be posted on web sites. Those units to which this law applies, must write corresponding Privacy Statement Addendums.

BUSINESS AND PROFESSIONS CODE
SECTION 22575-22579

22575.

  • (a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577.
    An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
  • (b) The privacy policy required by subdivision (a) shall do all of the following:
  1. Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
  2. If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
  3. Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service.
  4. Identify its effective date.

22576.

  • An operator of a commercial Web site or online service that collects personally identifiable information through the Web site or online service from individual consumers who use or visit the commercial Web site or online service and who reside in California shall be in violation of this section if the operator fails to comply with the provisions of Section 22575 or with the provisions of its posted privacy policy in either of the following ways:

                   (a) Knowingly and willfully.
                   (b) Negligently and materially.

22577.

  • For the purposes of this chapter, the following definitions apply:
    (a) The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
    • (1) A first and last name.
    • (2) A home or other physical address, including street name and name of a city or town.
    • (3) An e-mail address.
    • (4) A telephone number.
    • (5) A social security number.
    • (6) Any other identifier that permits the physical or online contacting of a specific individual.
    • (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
  • (b) The term "conspicuously post" with respect to a privacy policy shall include posting the privacy policy through any of the following:
    • (1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.
    • (2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word "privacy." The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.
    • (3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:
      • (A) Includes the word "privacy."
      • (B) Is written in capital letters equal to or greater in size than the surrounding text.
      • (C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
    • (4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.
    • (5) In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.
  • (c) The term "operator" means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner.
  • (d) The term "consumer" means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

22578.

It is the intent of the Legislature that this chapter is a matter of statewide concern. This chapter supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the posting of a privacy policy on an Internet Web site.

22579.

This chapter shall become operative on July 1, 2004.