AD53 Privacy Policy

Contents:

• Purpose
• Definitions
• Scope
• Policy
• Implementation and Exceptions
• Policy Violations
• Further Information
• Cross References

PURPOSE:

To establish a framework for compliance and responsibility regarding privacy and the protection of an individual's personal information. 

DEFINITIONS:

Confidentiality - ensuring that information is not disclosed to unauthorized individuals.

Personally Identifiable Information (PII) - shall mean, for purposes of this Policy, an individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

• Social Security Numbers (SSNs)
• Driver’s License numbers or state ID number issues in lieu of a driver’s license
• Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account
• Passport numbers
• Biometric data (including fingerprints, retina/facial images, and DNA profile)
• Individually identifiable health information
• Health insurance information
• Username or email address, in combination with a password or security question and answer that would permit access to an online account

Privacy Governance Board - The Privacy Governance Board shall consist of the Chief Ethics and Compliance Officer, the Chief Information Security Officer, the Privacy Officer and the Vice President for Human Resources or their delegates, as appropriate. The role of the Privacy Governance Board will be to advise the Executive Vice President and Provost on privacy related matters. Members from individual units may be consulted/added to the Privacy Governance Board on an ad hoc basis, as needed.

Protected Health Information (“PHI”) - shall mean individually identifiable health information that is collected from an individual, created or received by a health care provider, health plan, health care clearinghouse, or other employee of one of the designated Covered Components of the University and which is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191 (“HIPAA”). Protected Health Information relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual. PHI is classified as High (Level 3) data under University Policy AD95 and is separately governed by the University’s HIPAA Policy, AD22. For clarification purposes, not all health information is PHI.

SCOPE:

This policy is applicable to all members of The Pennsylvania State University community and visitors to the University, including but not limited to students, scholars, faculty, lecturers/instructors, staff, third-party vendors, and others with access to the University's campus and University PII, as well as information that the University collects from visitors to certain of its websites.  This policy also applies to all locations and operations of the University, except for Penn State Health and The Pennsylvania College of Technology, which will follow separate policies.

POLICY:

I. Information Privacy

a. General Privacy

The University shall limit the collection, use, disclosure or storage of PII to that which reasonably serves the University's academic, research, or administrative functions, or other legally required purposes. Such collection, use, disclosure and storage shall comply with applicable Federal and state laws and regulations, and University policies, guidelines and standards.

b. Privacy Principles

This Policy is supplemented by Penn State’s Privacy Principles that are modeled after the “Privacy by Design” approach and is designed to safeguard individuals’ privacy and personal information, maintained by the University, consistent across the Penn State community.  Penn State’s Privacy Principles can be located at https://psu.box.com/v/privacy-principles.

c. Information That May Be Disclosed to Third Parties

• Legal Requirements: The University may release records in response to a lawful subpoena, warrant, or court order or where such records could be required or authorized by law to be produced or lawfully requested for any other reason, including disclosure to a government agency. 
• Authorized Persons: Records may be disclosed to University officials, and authorized individuals performing work for the University who require the information for the performance of their duties.
• Protection of University Interests: The University may disclose information contained in records to protect its legal interest when those records may be related to the actions of an individual that the University reasonably believes may violate or have violated his/her conditions of employment or threaten injury to people or property.
• Collective Bargaining Agreements: Information may be disclosed as required under the terms of a collective bargaining agreement.
• Emergencies: Information may be disclosed if, in the judgment of the designated custodian of such records, disclosure is necessary to protect the health, safety or property of any person.

d. Expectation of Privacy

In the interest of promoting academic freedom and an open, collegial atmosphere, the University recognizes the reasonable privacy expectations of its students, employees, members of the Penn State community, and others accessing Penn State resources in relation to their personal information, including papers, confidential records, and communications by mail, telephone, and other electronic means, subject only to applicable state and federal laws and University policies and regulations, including the policy set forth herein. Except as required in the ordinary course of University business, the University will not access or monitor such information without cause except as required by law or otherwise permitted by University Policy, including without limitation University Policy AD96 (Acceptable Use of University Information Resources).

e. Applicable Guidelines

Access to personal information in a manner not otherwise permitted by this Policy shall be governed by the following guidelines:

1. Necessary Action – Exceptions to this Privacy Policy may be authorized only when reasonably necessary to protect the security and interests, legal or otherwise, of the University, its communications system, and the academic process, or when there is reason to believe that the individual has violated or may have violated applicable law or University Policy.
2. Consultation – The exception clause may be invoked only by persons with responsibility and authority for administering the law or University Policy (e.g., computer security officer, University police) and, except for civil or criminal matters or proceedings, compliance with any other legal requirement, matters of public safety, or when conditions or circumstances exist that necessitate immediate access, only after consultation with an appropriate University Official, as defined in AD83, or the Privacy Governance Board.  The Privacy Governance Board’s deliberations, when consulted, shall be kept confidential.
3. Notification – Where practicable (and subject to the University’s legal obligations, the circumstances described in this and all other University policies, or conditions or circumstances exist that necessitate immediate access), the University shall provide advance notification to an individual prior to all other University access, for cause, to the content of an individual’s user files / systems / activity (and, if necessary, physical locations in order to access said files / systems / activity).  In certain instances where an individual is, for any reason, unavailable to receive such advance notification and his or her individual data is to be accessed to accomplish legitimate University business, access may also be permitted without prior notification.

f. Responsibility

Executive guidance for the Privacy interests addressed by this policy and related guidelines of both the University and those individuals whose private data has been entrusted to its care shall be vested in the Executive Vice President and Provost.

II. Specific Categories of Information

The below are data use constraints related to certain types of data collected, processed, stored, or published by the University.

EMAIL ADDRESSES - E-mail addresses appearing on University web sites are published for the sole purpose of facilitating private, individual communication between University personnel and readers. The University will not distribute, sell, or otherwise transfer addresses on its website or online services to non-affiliated parties or individuals. The University reserves the right to use internal search functions to obtain specific email addresses for normal business operations. Information such as email addresses may also be displayed in online directories accessible by the general public, unless requested otherwise (see AD11, University Policy on Confidentiality of Student Records and HR58, Employee Office Address and Telephone Number Information).

INFORMATION COLLECTED FOR SERVICE PROVISION – On occasion, the University may collect information from and about users of Penn State online resources, including certain Penn State websites, to synchronize systems or update the experience between the user and Penn State.  Penn State will not sell, trade, or share the information collected, as more fully provided in the University’s Web Privacy Statement. Information collected will be used solely for the purpose for which it was intended. 

SOCIAL SECURITY NUMBER (SSN) AND PENN STATE IDENTIFICATION NUMBER ("PSU ID") – PSU ID will be assigned to all students and employees of the University as the primary identification number for University purposes. The PSU ID shall be unique to the individual and is a lifetime assignment used for multiple and changing relationships with the University. For more information on the PSU ID, refer to University Policy AD97.

As a matter of University policy, and except as may be required by applicable federal, state or local laws or regulations, it is prohibited that, and in no case shall, any SSN be used as an identifier in a University hosted or developed system or applications, or transmitted electronically, unencrypted. SSNs and/or PII must only be used to accomplish legitimate University business needs or requirements. SSNs will only be requested and required in certain cases, such as when required by law or for business purposes with certain third party providers.

All records containing PII will be classified, at a minimum, as High (Level 3) pursuant to AD95 and must be secured appropriately.  Other data elements not specifically classified as PII but that can otherwise be used to distinguish or trace an individual’s identity (e.g. Date of Birth) must be classified, at a minimum, as “Moderate” pursuant to AD95, unless an exception is approved by the Chief Privacy Officer, privacy@psu.edu and/or the Chief Information Security Officer, security@psu.edu.  (See Policy AD95, Information Assurance and IT Security and corresponding standards).

Disposal of the records must be done securely, and in accordance with Policy AD35, University Archives and Records Management.

INFORMATION COLLECTED FROM UNIVERSITY'S WEBSITE – Unless otherwise provided in a web privacy statement specific to a University-owned or controlled website, information collected from the University's websites is governed by the University's Web Privacy Statement.

ELECTRONIC SECURITY SYSTEM INFORMATION - Access by University units and individuals to information gathered, processed, and archived through electronic security systems (e.g., card or other facility access systems, alarm systems, video surveillance systems) shall occur only in accordance with Policy AD65, Electronic Security and Access Systems.

III. Data Protection and Data Loss Prevention

In order to protect High or Restricted data entrusted to its care (See Policy AD95, Information Assurance and IT Security and its corresponding standards), the University reserves the right to monitor its networks to detect and respond to externally or internally generated attacks upon its systems, subject to the constraints of this Policy.

PROTECTION OF PII– All systems that house certain types of information classified as High, such as PII, are subject to the Pennsylvania Breach of Personal Information Notification Act (73 Pa. Stat. § 2301 et seq) and/or other applicable data breach notification laws. University systems classified as High and Restricted must be scanned appropriately to identify PII using University approved scanning procedures. Users of University systems shall utilize the results of required scanning to facilitate proper handling of any and all PII identified.

University approved scanning procedures will be developed to identify stored PII to facilitate proper handling. Users are responsible for remediating (i.e., securely removing, redacting) unauthorized instances of PII on their systems. If, however, the scanning identifies PII that also is subject to a litigation hold, please contact the Office of General Counsel before remediating. Subject to the constraints of this Policy regarding authorization, the University also reserves the right to perform automated checks to detect and respond to the possible exfiltration of PII over its computer networks. Periodic security scans for PII will be administered to detect unauthorized instances of PII, when necessary. Deliberate failure to remediate unauthorized instances of PII may result in disciplinary action. Please see the following resource for specific guidance and direction as to current University approved scanning procedures.

Specific details on the permitted use, storage, and transmission of PII, as defined in this Policy, can be located in the below Standard:

PII Standard

This Standard will be enforced in the same manner as this Policy.

VENDOR CONTRACTS – In the event that a unit, department, or individual seeks to enter into a contract with a third party that involves University PII, the unit responsible for negotiating the contract must consult with Penn State IT Information Security, the Privacy Office, and such other offices as Information Security or the Privacy Office deem necessary to ensure that adequate and appropriate safeguards and contractual provisions are in place relating to the collection, access, use, dissemination, and/or storage of this PII before entering the contract.  The applicable safeguards shall be documented in writing in an appropriate manner to ensure compliance.

IMPLEMENTATION AND EXCEPTIONS

Any questions regarding the content of this Policy or supplemental Guidelines and Standards should be referred directly to the Chief Privacy Officer (privacy@psu.edu) who has responsibility to interpret. 

POLICY VIOLATIONS

Federal, state, and/or local governments have enacted various laws and regulations relating to privacy to which the University is bound.  Compliance with this Policy is designed, in part, to ensure that the University is complying with its various privacy-related obligations.

To the extent any violation of this Policy results in, leads to, or is responsible for a reportable incident or penalties imposed by government regulators or agencies, then that specific department or unit operating in violation of this Policy may be required to cover all University costs associated with the resulting reportable incident and/or associated government penalties.

University employees or students who violate this Policy and/or supplement Guidelines and Standards may be subject to disciplinary action.

FURTHER INFORMATION:

For questions, additional detail, or to request changes to this policy, please contact the Privacy Office.

CROSS REFERENCES:

Other Policies should also be referenced, especially:

AD11, University Policy on Confidentiality of Student Records

AD22, Health Insurance Portability and Accountability Act (HIPAA)

AD35, University Archives and Records Management

AD65, Electronic Security and Access Systems (formerly SY33)

AD83, Institutional Financial Conflict of Interest

AD95, Information Assurance and IT Security

AD96, Acceptable Use of University Information Resources

HR60, Access to Personnel Files

RA02,  Addressing Allegations of Research Misconduct (Formerly RA10, Handling Inquiries/Investigations Into Questions of Ethics in Research and in Other Scholarly Activities)

RP07, HIPAA and Research at Penn State University

Most recent changes:

• February 13, 2024 - The data elements defined by the University as PII have been updated to reflect revisions to the Pennsylvania Breach of Personal Information Notification Act. The definition section related to Protected Health Information (PHI) has been updated to include a reference to the regulation, related university policy, emphasis that it only applies to one of the designated covered components of the University, and clarification that not all health information is PHI.

Revision History (and effective dates):

• January 26, 2021 - Updated links to the PII standard and privacy principles (moved from Box to SharePoint).May 30, 2018 - Updates include incorporating a Standard, the adoption of the Privacy Principles, updates to language on PII scanning, addition of sections on Implementation and Exceptions and Policy Violations, and retiring ADG08.

• September 18, 2017 - Editorial changes and updates to the definition of PII.

• February 22, 2016 - Major changes to the entire document to reflect the reorganization of University privacy policies.

• August 1, 2007 - Changes to POLICY section.
• August 28, 2003 - Significant rewrite emphasizing the balance between privacy issues and the need to observe state and federal laws and University regulations.
• February 22, 2000 - New Policy.