Wesleyan University Privacy Protection Policy

1. Purpose. Wesleyan University seeks to ensure that its treatment and use of personally identifiable information complies with all applicable federal and state statutes and regulations while demonstrating the University’s commitment to maximizing privacy. Personally identifiable information (“PI”) is considered information which can identify and provide information about an individual that can compromise their personal privacy or their financial information. PI includes social security numbers, driver’s license numbers and detailed financial account information. PI does not include information that is available to the general public, through governmental records or otherwise or information available through widely distributed media.
    
2. Policy Statement.
    
   1. Scope. This policy governs only PI that the University collects from actual or prospective employees, students, alumni or other affiliates directly, in writing or electronically. This policy does not apply to the web sites or practices of other third parties who may collect or access PI, through advertisements in, or links to the University web site or University publications for example. The collection, retention and release of some PI may also be covered by other law or regulation, including but not limited to the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act (“HIPPA”) and this policy is not meant to supersede requirements related thereto.
   2. Permitted Collection. PI may only be collected by authorized University personnel where it is specifically needed for a legitimate University business requirement or to meet a statutory or regulatory requirement. The University strongly discourages the collection or retention of PI except where absolutely necessary and no other alternative exists.
   3. Routine Protection of PI.
      1. Any person in possession of PI shall safeguard the data and shall destroy, erase or make unreadable such data in whatever form it exists prior to disposal.
      2. PI will not, except by authorization of the Data Privacy Officer (the “Data Officer”), be removed from University Property or actively saved to personal computer memory.
      3. PI in written form shall be treated as highly confidential and shall be kept in closed, secured file cabinets to be routinely processed in accordance with the applicable University department’s document retention policy.
      4. PI in electronic form shall be treated as highly confidential and shall be:
         1. if on a personal computer, protected by appropriate steps including password access, encryption and appropriate safeguarding (e.g. not leaving laptops in automobiles or public locations); and
         2. if on another medium, kept in closed, secured file cabinets. Holders of such electronic PI shall work in conjunction with ITS to effectuate such security measures. All electronic PI shall also be routinely processed in accordance with the applicable department’s document retention policy.
   4. Permitted Releases. PI may only be released or provided to others on an authorized or need to know basis, and then, only to those persons authorized to use such information as part of their official duties. As a condition to receiving such information, all such recipients will acknowledge and further agree to the terms of this policy.
   5. Policy Enforcement.
      1. Any University employee, agent, vendor or student who discovers evidence of a violation of this policy or other breach or release or possible breach or release of PI shall immediately notify the Data Officer and take care to preserve any and all evidence of such incident.
      2. Upon discovery or a likely or verified incident of such breach or release, the Data Officer shall inform an appropriate group of University authorities which shall investigate and take appropriate action to resolve the issue, all as may be required by applicable law, rule or regulation.
          
3. Contacting Wesleyan Regarding Privacy. Questions or concerns regarding this policy or the protection of your PI may be directed to the Data Officer at smachuga@wesleyan.edu