Note that the line above is University Institutional Policy and that what follows, including the Master Privacy Statement, is University Operational Policy. Both are approved by the Information Strategy and Policy Committee (ISPC). Adopted by the Cabinet 2/25/2008.
Confidential Information is defined by The University’s Information Management Policy and repeated here for convenience:
Confidential Information is the strictest data classification used by the University and requires maximum control. Depending on the nature or contents of the Confidential Information, disclosure or alteration of this type of information could cause great harm to an employee, student or the University. Confidential Information requires safeguarding, either due to the requirements of law or because of the mandates of prudent and reasonable practices.
The University’s Computing and Communications Confidentiality Policy states: The University will treat all of its individual User information, User activity, and User communications as Confidential Information as defined in its Information Management Policy.
Information with access restricted to individuals who have been explicitly granted authorization to do so.
Information owned or controlled by the individual, not the institution.
Private information stored with personally identifiable names or numbers. All Personally Identifiable Information is Confidential Information.
The Privacy Rule provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI).”
The expectation that Personally Identifiable Information will not be disclosed to anyone other than its owner. Privacy is traded for the ability to do business with strangers. Practically speaking, consumers convert their private information to restricted information in return for goods and/or services.
The detailed, documented, public face on the University’s stewardship of user information.
The operational privacy principles the University uses that pertain to all cases.
The special or exceptional operational privacy principles the University uses that pertain to a specific case.
this means desktop, laptop, servers and all other computing hardware, media and communication devices or systems that can store data
In 2004 the U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used.
It should also be noted that issues like identity theft and spam have become serious problems in daily life. As the University increasingly collects personal information as it moves toward its goals of customized and personalized service to its community, privacy concerns will be a significant roadblock unless they are directly and prominently addressed. The University must join the large number of commercial entities that provide comprehensive and visible privacy statements.
The Master Privacy Statement applies to all data on individuals held by the University.
Privacy Statement Addendums are and will be written when:
The Master Privacy Statement is about documenting stewardship of information in record-keeping systems and does not cover ownership or copyright issues.
It is the University’s policy that there shall be no personal data record-keeping systems whose very existence is a secret.
Each record-keeping system, as needed by contract, or required by law, will have an associated Privacy Statement Addendum conveniently available to its information contributors. In particular, as applicable and/or required, each online web page will have a Privacy Statement link that covers the personally identifiable information being solicited on that Page.
Where they exist, each Privacy Statement Addendum shall include:
Neither this master Privacy Statement nor any of its Privacy Statement Addendums are intended to address all, or fully and accurately prescribe, compliance steps required under the various applicable federal, state and local laws. It is expected that the University will comply with all such laws as determined to be applicable to the University by its legal counsel. Therefore, University compliance with this policy and/or statements should not be considered sufficient to comply with any particular law. The advice of expert counsel is recommended for all compliance issues.
The University of the Pacific and all its divisions, departments and officially sponsored organizations.
Unrestricted readers of, University produced, Printed Materials and Web Site
Individually identifiable information including any of the following:
Does not include non-individual summary information used for statistical purposes. Does not include works of authorship, copyrighted information or electronic communications such as voicemail or email.
A system designed to collect, organize and store personally identifiable information. Record keeping systems may vary from a simple document, to a spreadsheet to a database and are primarily intended to facilitate administering activities related to the mission of the University.
The individual that provides the information.
Individuals or organizations, not a part of or affiliated with the University
Personally identifiable information given directly to the University by an individual. This information can be about themselves or another individual, like a parent or guardian.
Personally identifiable information that may include directly provided information and/or information obtained from a third party.
Personally identifiable information that: (1) For Students consists of elements defined as not confidential under FERPA. (2) For employees, information defined as not confidential by HR. (3) For everyone, information that the Information Provider explicitly designates as not confidential. Directory information may be freely provided to The University.
Students may request that Directory information not be shared with anyone, by asking the Registrar to set the privacy Flag.
In the course of fulfilling its mission of teaching, learning and scholarship, the University employs a variety of record keeping systems and collects and uses a variety of information associated with its past, present and future customers, including faculty, staff and students. In addition to observing all applicable privacy and confidentiality laws, the University respects and protects individual privacy through this Master Privacy Statement and, where applicable, a series of Privacy Statement Addendums. Privacy Statement Addendums are specific to the information being collected and/or the specific academic or administrative units that collects it.
Below is the full text of the applicable parts of the California Online Privacy Protection Act of 2003. Because Pacific complies with all applicable law, this appendix is University Policy by reference. Note that this law is very prescriptive as to how privacy policies are to be posted on web sites. Those units to which this law applies, must write corresponding Privacy Statement Addendums.
BUSINESS AND PROFESSIONS CODE
An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
(4) Identify its effective date.
(a) Knowingly and willfully.
(b) Negligently and materially.
22577. For the purposes of this chapter, the following definitions apply:
(a) The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
(A) Includes the word "privacy."
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.
(c) The term "operator" means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner.
(d) The term "consumer" means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.
22579. This chapter shall become operative on July 1, 2004.
Roles, Responsibilities, & Sanctions