Policy Steward:Vice President for Administration>
To establish a framework for compliance and responsibility regarding privacy and the protection of an individual's personal information.
Personally Identifiable Information (PII) – Information maintained by the University that can be used to distinguish or trace an individual's identity that specifically includes Social Security Numbers (SSNs), credit card numbers, bank account numbers, Driver's License numbers, state ID numbers, passport numbers, biometric data (including fingerprints, retina images, and DNA profile), or protected health information. These data elements are defined by the University as personally identifiable information.
Privacy Governance Board - The Privacy Governance Board shall consist of the Chief Ethics and Compliance Officer, the Chief Information Security Officer, the Privacy Officer and the Vice President for Human Resources or their delegees, as appropriate. The role of the Privacy Governance Board will be to advise the Executive Vice President and Provost on privacy related matters. Members from individual units may be consulted/added to the Privacy Governance Board on an ad hoc basis, as needed.
This policy is applicable to all members of The Pennsylvania State University community and visitors to the University, including but not limited to students, scholars, faculty, lecturers/instructors, staff, third-party vendors, and others with access to the University's campus and University PII. This policy also applies to all locations and operations of the University.
I. Information Privacy
a. General Privacy
The University shall limit the collection, use, disclosure or storage of PII to that which reasonably serves the University's academic, research, or administrative functions, or other legally required purposes. Such collection, use, disclosure and storage shall comply with applicable Federal and state laws and regulations, and University policies.
b. Information That May Be Disclosed to Third Parties
- Legal Requirements: The University may release records in response to a lawful subpoena, warrant, or court order or where such records could be required or authorized by law to be produced or lawfully requested for any other reason, including disclosure to a government agency.
- Authorized Persons: Records may be disclosed to University officials, and authorized individuals performing work for the University who require the information for the performance of their duties.
- Protection of University Interests: The University may disclose information contained in records to protect its legal interest when those records may be related to the actions of an individual that the University reasonably believes may violate or have violated his/her conditions of employment or threaten injury to people or property.
- Collective Bargaining Agreements: Information may be disclosed as required under the terms of a collective bargaining agreement.
- Emergencies: Information may be disclosed if, in the judgment of the designated custodian of such records, disclosure is necessary to protect the health, safety or property of any person.
c. Expectation of Privacy
In the interest of promoting academic freedom and an open, collegial atmosphere, the University recognizes the reasonable privacy expectations of its employees, affiliates, and students in relation to their personal information, including papers, confidential records, and communications by mail, telephone, and other electronic means, subject only to applicable state and federal laws and University policies and regulations, including the policy set forth herein. The University will not monitor such information without cause except as required by law or permitted by University Policy.
d. Applicable Principles
In invoking the exception clause (“subject only to applicable state and federal laws and University polices and regulations”), the following principles apply:
- Consultation – The exception clause may be invoked only by persons with responsibility and authority for administering the law or regulations within the University (e.g., computer security officer, University police) and, except for civil or criminal matters or proceedings, compliance with any other legal requirement, matters of public safety, or when conditions or circumstances exist that necessitate immediate access, only after consultation with an appropriate University Official, as defined in AD83, or the Privacy Governance Board. The Privacy Governance Board’s deliberations, when consulted, shall be kept confidential.
- Notification – Where practicable (and subject to the University’s legal obligations, the circumstances described in this and all other University policies, or conditions or circumstances exist that necessitate immediate access), the University shall provide advance notification to an individual prior to all other University access, for cause, to the content of an individual’s user files / systems / activity (and, if necessary, physical locations in order to access said files / systems / activity). In certain instances where an individual is, for any reason, unavailable to receive such advance notification and his or her individual data is to be accessed to accomplish legitimate University business, access may also be permitted without prior notification.
Executive guidance for the Privacy interests addressed by this policy and related guidelines of both the University and those individuals whose private data has been entrusted to its care shall be vested in the Executive Vice President and Provost.
II. Specific Categories of Information
The below are data use constraints related to certain types of data collected, processed, stored, or published by the University.
EMAIL ADDRESSES - E-mail addresses appearing on University web sites are published for the sole purpose of facilitating private, individual communication between University personnel and readers. The University will not distribute, sell, or otherwise transfer addresses on its website or online services to non-affiliated parties or individuals. The University reserves the right to use internal search functions to obtain specific email addresses for normal business operations. Information such as email addresses may also be displayed in online directories accessible by the general public, unless requested otherwise (see AD11, University Policy on Confidentiality of Student Records and HR58, Employee Office Address and Telephone Number Information).
INFORMATION COLLECTED FOR SERVICE PROVISION – On occasion, the University may collect information from and about users to synchronize systems or update the experience between the user and Penn State. Penn State will not sell, trade, or share the information collected per the University’s Web Privacy Statement. Information collected will be used solely for the purpose for which it was intended.
SOCIAL SECURITY NUMBER (SSN) AND PENN STATE IDENTIFICATION NUMBER (PSU ID) – A Penn State Identification Number (PSU ID) will be assigned to all students and employees of the University as the primary identification number for University purposes. The PSU ID shall be unique to the individual and is a lifetime assignment used for multiple and changing relationships with the University.
As a matter of University policy, and except as may be required by applicable federal, state or local laws or regulations, it is prohibited that, and in no case shall, any SSN be used as an identifier in a University hosted or developed system or applications, or transmitted electronically, unencrypted. The use of SSNs as an identification number within the University will be limited to the designated purposes outlined in ADG08 Collection, Storage and Authorized Use of Social Security Numbers (SSNs) and Penn State Identification Numbers. SSNs will only be requested and required in certain cases, such as when required by law or for business purposes with certain third party providers.
All records containing PII will be classified, at a minimum, as “High” pursuant to AD95 and must be secured appropriately. Other data elements not specifically classified as PII but that can otherwise be used to distinguish or trace an individual’s identity (e.g. Date of Birth) must to be classified, at a minimum, as “Moderate” pursuant to AD95, unless an exception is approved by the Chief Privacy Officer, email@example.com and/or the Chief Information Security Officer, firstname.lastname@example.org. (See Policy AD95, Information Assurance and IT Security and corresponding standards).
Disposal of the records must be done securely, and in accordance with Policy AD35, University Archives and Records Management.
HEALTH INFORMATION - Individuals have rights with respect to the privacy and security of their health information under Federal and state laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). These rights are outlined in University Policy AD22, Health Insurance Portability and Accountability Act (HIPAA).
INFORMATION COLLECTED FROM UNIVERSITY'S WEBSITE – Information collected on the University's website is governed by the University's Web Privacy Statement.
ELECTRONIC SECURITY SYSTEM INFORMATION - Access by University units and individuals to information gathered, processed, and archived through electronic security systems (e.g., card or other facility access systems, alarm systems, video surveillance systems) shall occur only in accordance with Policy AD65, Electronic Security and Access Systems.
III. Data Protection and Data Loss Prevention
In order to protect "High" or "Restricted" data entrusted to its care (See Policy AD95, Information Assurance and IT Security and its corresponding standards), the University reserves the right to monitor its networks to detect and respond to externally or internally generated attacks upon its systems, subject to the constraints of this Policy.
PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION (PII) – All systems that house certain types of information classified as "High," such as PII, are subject to the Pennsylvania Data Security Breach Notification Laws, (PA Statutes, Title 73, Ch. 43, §2301 -2308, 2329) and/or other applicable data breach notification laws. University systems, regardless of the classification of information maintained, must be scanned appropriately to identify PII using University approved scanning procedures. Users of University systems shall utilize the results of required scanning to facilitate proper handling of any and all PII identified. Approved scanning procedures are defined in Administrative Guideline ADG08.
University approved scanning procedures will be developed to identify stored PII to facilitate proper handling. Users are responsible for remediating (i.e., securely removing, redacting) unauthorized instances of PII on their systems. If, however, the scanning identifies PII that also is subject to a litigation hold, please contact the Office of General Counsel before remediating. Subject to the constraints of this Policy regarding authorization, the University also reserves the right to perform automated checks to detect and respond to the possible exfiltration of PII over its computer networks. Periodic security scans for PII will be administered to detect unauthorized instances of PII, when necessary. Deliberate failure to remediate unauthorized instances of PII may result in disciplinary action.
VENDOR CONTRACTS – In the event that a unit, department, or individual seeks to enter into a contract that involves PII, that particular unit, department, or individual is responsible for ensuring that adequate and appropriate safeguards and contractual provisions are in place relating to the collection, access, use, dissemination, and/or storage of this PII before entering the contract. Moreover, before a unit, department, or individual enters into a contract that involves the use of PII, that unit, department, or individual must (1) notify and consult every other unit or department across the University involved, either directly or indirectly, about the necessity for PII in the performance of the contract, (2) seek approval from every other unit or department across the University whose interests in or records of PII may be disclosed or utilized in performance of the contract, and (3) seek approval from the Privacy Office. The applicable safeguards shall be documented in writing in an appropriate manner to ensure compliance.
For questions, additional detail, or to request changes to this policy, please contact the Privacy Office.
Other Policies should also be referenced, especially:
AD11, University Policy on Confidentiality of Student Records
AD22, Health Insurance Portability and Accountability Act (HIPAA)
AD35, University Archives and Records Management
AD65, Electronic Security and Access Systems (formerly SY33)
AD83, Institutional Financial Conflict of Interest
AD95, Information Assurance and IT Security
AD96, Acceptable Use of University Information Resources
ADG08, Collection, Storage and Authorized Use of Social Security Numbers (SSNs) and Penn State Identification Numbers
HR60, Access to Personnel Files
RA02, Addressing Allegations of Research Misconduct (Formerly RA10, Handling Inquiries/Investigations Into Questions of Ethics in Research and in Other Scholarly Activities)
RP07, HIPAA and Research at Penn State University
Effective Date: February 22, 2016
Date Approved: February 22, 2016
Date Published: February 22, 2016
Most recent changes:
- September 18, 2017 - Editorial changes and updates to the definition of PII.
Revision History (and effective dates):
February 22, 2016 - Major changes to the entire document to reflect the reorganization of University privacy policies.
- August 1, 2007 - Changes to POLICY section.
- August 28, 2003 - Significant rewrite emphasizing the balance between privacy issues and the need to observe state and federal laws and University regulations.
- February 22, 2000 - New Policy.