University Administrative Record
University Electronic Record
Notification Users should be notified that information is being collected and they should be informed of their rights. (e.g., all Web pages that collect personally identifiable information should include a privacy notice that specifies how the information will be used.)
Minimization The institution should gather as little information as possible for legitimate purposes and delete information when it is no longer needed or no longer required by law to be retained. (e.g., library records need not be kept for more than a certain limited period of time.)
Secondary Use Information should be used only for the purposes for which it was collected unless the individual gives additional consent. (e.g., a department should not share information with an administrative office for a separate purpose without the individual’s knowledge and consent.)
Nondisclosure and Consent Information should not be released to third parties external to the University without consent. (e.g., vendors, business, etc.)
Need to Know Only those with legitimate, official needs should have access to information. (e.g., a person’s position of authority in the University does not necessarily mean that they should be able to access information.)
Data Accuracy, Inspection, and Review Information must be accurate, and individuals should have the right to examine information about themselves and request changes. (e.g., employees should be able to review their records and make changes or follow a standard process for any information that is disputed.)
Information Security, Integrity, and Accountability Information should be secure and not vulnerable to unauthorized modification, and the handling of the data must be subject to accountability. (e.g., it should always be known who has access to information and changes to information should be documented.)
Education The University has the responsibility to educate its constituents concerning privacy rights and the proper handling of information. (e.g., all constituents should know whom to consult about these matters and all employees should understand their responsibilities for abiding by policies for information handling.)
The Data Stewards in consultation with the Office of University Counsel determine the confidentiality of the data. Data Stewards are representatives of the University who are assigned responsibility to serve as a steward of University data in a particular area. They are responsible for developing procedures for creating, maintaining, and using University data, based on University policy and applicable state and federal laws.
The classification Confidential Information covers sensitive information about individuals, including information identified in the Human Resources Manual, and sensitive information about the University. Information receiving this classification requires a high level of protection against unauthorized disclosure, modification, destruction, and use. Specific categories of confidential information include information about:
Current and former students (protected under the Family Educational Rights and Privacy Act (FERPA) of 1974), including student academic, disciplinary, and financial records and student works such as homework, term papers, and exams; and prospective students, including information submitted by student applicants to the University.
Medical Center patients (protected under the Health Insurance Portability and Accountability Act (HIPAA of 1996), Law Center clients, library patrons, and donors and potential donors.
Current, former, and prospective employees, including employment, pay, health, and insurance data, and other personnel information.
Research, including information related to a forthcoming or pending patent application (patents must be filed within a year of publication), and information related to human subjects.
Certain University business operations, finances, legal matters, or other operations of a particularly sensitive nature.
Information security data, including passwords.
Determining authorizations. Only those with legitimate, official need have the access to these classified electronic records. Data Stewards determine who is authorized to have access to their information. They should make sure that those with access have a need to know the information and know the security requirements for that information. For Confidential Information, they should also make sure that those given access have a need to know and have signed a confidentiality agreement that covers the information.