Wesleyan University Privacy Protection Policy
APPLICATION: All individuals on whom the University has or maintains personal information and all University associated individuals controlling or having access to personal information described herein
ISSUED: January 7, 2013
WESLEYAN DATA PRIVACY OFFICER: Steve Machuga, Director of Administrative Systems, ITS, Wesleyan University
- Purpose. Wesleyan University seeks to ensure that its treatment and use of personally identifiable information complies with all applicable federal and state statutes and regulations while demonstrating the University’s commitment to maximizing privacy. Personally identifiable information (“PII”) is considered information which can identify and provide information about an individual that can compromise their personal privacy or their financial information. PII includes social security numbers, driver’s license numbers and detailed financial account information. PII does not include information that is available to the general public, through governmental records or otherwise or information available through widely distributed media.
- Policy Statement.
- Scope. This policy governs only PII that the University collects from actual or prospective employees, students, alumni or other affiliates directly, in writing or electronically. This policy does not apply to the web sites or practices of other third parties who may collect or access PII, through advertisements in, or links to the University web site or University publications for example. The collection, retention and release of some PII may also be covered by other law or regulation, including but not limited to the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act (“HIPAA”) and this policy is not meant to supersede requirements related thereto.
- Permitted Collection. PII may only be collected by authorized University personnel where it is specifically needed for a legitimate University business requirement or to meet a statutory or regulatory requirement. The University strongly discourages the collection or retention of PII except where absolutely necessary and no other alternative exists.
- Routine Protection of PII.
- Any person in possession of PII shall safeguard the data and shall destroy, erase or make unreadable such data in whatever form it exists prior to disposal.
- PII will not, except by authorization of the Data Privacy Officer (the “Data Officer”), be removed from University Property or actively saved to personal computer memory.
- PII in written form shall be treated as highly confidential and shall be kept in closed, secured file cabinets to be routinely processed in accordance with the applicable University department’s document retention policy.
- PII in electronic form shall be treated as highly confidential and shall be:
- if on a personal computer, protected by appropriate steps including password access, encryption and appropriate safeguarding (e.g. not leaving laptops in automobiles or public locations); and
- if on another medium, kept in closed, secured file cabinets. Holders of such electronic PII shall work in conjunction with ITS to effectuate such security measures. All electronic PII shall also be routinely processed in accordance with the applicable department’s document retention policy.
- Permitted Releases. PII may only be released or provided to others on an authorized or need to know basis, and then, only to those persons authorized to use such information as part of their official duties. As a condition to receiving such information, all such recipients will acknowledge and further agree to the terms of this policy.
- Policy Enforcement.
- Any University employee, agent, vendor or student who discovers evidence of a violation of this policy or other breach or release or possible breach or release of PII shall immediately notify the Data Officer and take care to preserve any and all evidence of such incident.
- Upon discovery or a likely or verified incident of such breach or release, the Data Officer shall inform an appropriate group of University authorities which shall investigate and take appropriate action to resolve the issue, all as may be required by applicable law, rule or regulation.
- Gramm Leach Bliley Act
- Contacting Wesleyan Regarding Privacy: Questions or concerns regarding this policy or the protection of your PII may be directed to the Data Officer at firstname.lastname@example.org