AD53 Privacy Policy

Contents:

• Purpose
• Definitions
• Scope
• Policy
• Implementation and Exceptions
• Policy Violations
• Further Information
• Cross References

PURPOSE:

To establish a framework for compliance and responsibility regarding privacy and the protection of an individual's personal information. 

DEFINITIONS:

Confidentiality - ensuring that information is not disclosed to unauthorized individuals.

Personally Identifiable Information (PII) – Information maintained by the University that can be used to distinguish or trace an individual's identity that specifically includes Social Security Numbers (SSNs), credit card numbers, bank account numbers, Driver's License numbers, state ID numbers, passport numbers, biometric data (including fingerprints, retina/facial images, and DNA profile), or protected health information. These data elements are defined by the University as personally identifiable information. 

Privacy Governance Board - The Privacy Governance Board shall consist of the Chief Ethics and Compliance Officer, the Chief Information Security Officer, the Privacy Officer and the Vice President for Human Resources or their delegates, as appropriate. The role of the Privacy Governance Board will be to advise the Executive Vice President and Provost on privacy related matters. Members from individual units may be consulted/added to the Privacy Governance Board on an ad hoc basis, as needed.

Protected Health Information - Individually identifiable health information that is collected from an individual, created or received by a health care provider, health plan, health care clearinghouse, or other employee of one of the Covered Components of the University.  This PHI is confidential and must be treated as protected under HIPAA. Protected Health Information relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.

SCOPE:

This policy is applicable to all members of The Pennsylvania State University community and visitors to the University, including but not limited to students, scholars, faculty, lecturers/instructors, staff, third-party vendors, and others with access to the University's campus and University PII.  This policy also applies to all locations and operations of the University, except for Penn State Health and The Pennsylvania College of Technology, which will follow separate policies.

POLICY:

I. Information Privacy

a. General Privacy

The University shall limit the collection, use, disclosure or storage of PII to that which reasonably serves the University's academic, research, or administrative functions, or other legally required purposes. Such collection, use, disclosure and storage shall comply with applicable Federal and state laws and regulations, and University policies, guidelines and standards.

b. Privacy Principles

This Policy is supplemented by Penn State’s Privacy Principles that are modeled after the “Privacy by Design” approach and designed to safeguard individuals’ privacy and personal information, maintained by the University, consistent across the Penn State community.  Penn State’s Privacy Principles can be located at https://psu.box.com/v/privacy-principles.

c. Information That May Be Disclosed to Third Parties

• Legal Requirements: The University may release records in response to a lawful subpoena, warrant, or court order or where such records could be required or authorized by law to be produced or lawfully requested for any other reason, including disclosure to a government agency. 
• Authorized Persons: Records may be disclosed to University officials, and authorized individuals performing work for the University who require the information for the performance of their duties.
• Protection of University Interests: The University may disclose information contained in records to protect its legal interest when those records may be related to the actions of an individual that the University reasonably believes may violate or have violated his/her conditions of employment or threaten injury to people or property.
• Collective Bargaining Agreements: Information may be disclosed as required under the terms of a collective bargaining agreement.
• Emergencies: Information may be disclosed if, in the judgment of the designated custodian of such records, disclosure is necessary to protect the health, safety or property of any person.

d. Expectation of Privacy

In the interest of promoting academic freedom and an open, collegial atmosphere, the University recognizes the reasonable privacy expectations of its employees, affiliates, and students in relation to their personal information, including papers, confidential records, and communications by mail, telephone, and other electronic means, subject only to applicable state and federal laws and University policies and regulations, including the policy set forth herein. The University will not monitor such information without cause except as required by law or permitted by University Policy.

e. Applicable Guidelines

In invoking the exception clause (“subject only to applicable state and federal laws and University polices and regulations”), the following guidelines apply:

1. Necessary Action – Exceptions to the privacy policy may be authorized only when reasonably necessary to protect the security and interests, legal or otherwise, of the University, its communications system, and the academic process, or when there is reason to believe that the individual has violated or may have violated law or University regulations.
2. Consultation – The exception clause may be invoked only by persons with responsibility and authority for administering the law or regulations within the University (e.g., computer security officer, University police) and, except for civil or criminal matters or proceedings, compliance with any other legal requirement, matters of public safety, or when conditions or circumstances exist that necessitate immediate access, only after consultation with an appropriate University Official, as defined in AD83, or the Privacy Governance Board.  The Privacy Governance Board’s deliberations, when consulted, shall be kept confidential.
3. Notification – Where practicable (and subject to the University’s legal obligations, the circumstances described in this and all other University policies, or conditions or circumstances exist that necessitate immediate access), the University shall provide advance notification to an individual prior to all other University access, for cause, to the content of an individual’s user files / systems / activity (and, if necessary, physical locations in order to access said files / systems / activity).  In certain instances where an individual is, for any reason, unavailable to receive such advance notification and his or her individual data is to be accessed to accomplish legitimate University business, access may also be permitted without prior notification.

f. Responsibility

Executive guidance for the Privacy interests addressed by this policy and related guidelines of both the University and those individuals whose private data has been entrusted to its care shall be vested in the Executive Vice President and Provost.

II. Specific Categories of Information

The below are data use constraints related to certain types of data collected, processed, stored, or published by the University.

EMAIL ADDRESSES - E-mail addresses appearing on University web sites are published for the sole purpose of facilitating private, individual communication between University personnel and readers. The University will not distribute, sell, or otherwise transfer addresses on its website or online services to non-affiliated parties or individuals. The University reserves the right to use internal search functions to obtain specific email addresses for normal business operations. Information such as email addresses may also be displayed in online directories accessible by the general public, unless requested otherwise (see AD11, University Policy on Confidentiality of Student Records and HR58, Employee Office Address and Telephone Number Information).

INFORMATION COLLECTED FOR SERVICE PROVISION – On occasion, the University may collect information from and about users to synchronize systems or update the experience between the user and Penn State.  Penn State will not sell, trade, or share the information collected per the University’s Web Privacy Statement. Information collected will be used solely for the purpose for which it was intended. 

SOCIAL SECURITY NUMBER (SSN) AND PENN STATE IDENTIFICATION NUMBER (PSU ID) – A Penn State Identification Number (PSU ID) will be assigned to all students and employees of the University as the primary identification number for University purposes. The PSU ID shall be unique to the individual and is a lifetime assignment used for multiple and changing relationships with the University. For more information on the PSU ID, refer to University Policy AD97.

As a matter of University policy, and except as may be required by applicable federal, state or local laws or regulations, it is prohibited that, and in no case shall, any SSN be used as an identifier in a University hosted or developed system or applications, or transmitted electronically, unencrypted. SSNs and/or PII must only be used to accomplish legitimate University business needs or requirements. SSNs will only be requested and required in certain cases, such as when required by law or for business purposes with certain third party providers.

All records containing PII will be classified, at a minimum, as “High” pursuant to AD95 and must be secured appropriately.  Other data elements not specifically classified as PII but that can otherwise be used to distinguish or trace an individual’s identity (e.g. Date of Birth) must be classified, at a minimum, as “Moderate” pursuant to AD95, unless an exception is approved by the Chief Privacy Officer, privacy@psu.edu and/or the Chief Information Security Officer, security@psu.edu.  (See Policy AD95, Information Assurance and IT Security and corresponding standards).

Disposal of the records must be done securely, and in accordance with Policy AD35, University Archives and Records Management.

HEALTH INFORMATION - Individuals have rights with respect to the privacy and security of their health information under Federal and state laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). These rights are outlined in University Policy AD22, Health Insurance Portability and Accountability Act (HIPAA).

INFORMATION COLLECTED FROM UNIVERSITY'S WEBSITE – Information collected on the University's website is governed by the University's Web Privacy Statement.

ELECTRONIC SECURITY SYSTEM INFORMATION - Access by University units and individuals to information gathered, processed, and archived through electronic security systems (e.g., card or other facility access systems, alarm systems, video surveillance systems) shall occur only in accordance with Policy AD65, Electronic Security and Access Systems.

III. Data Protection and Data Loss Prevention

In order to protect "High" or "Restricted" data entrusted to its care (See Policy AD95, Information Assurance and IT Security and its corresponding standards), the University reserves the right to monitor its networks to detect and respond to externally or internally generated attacks upon its systems, subject to the constraints of this Policy.

PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION (PII) – All systems that house certain types of information classified as "High," such as PII, are subject to the Pennsylvania Data Security Breach Notification Laws, (PA Statutes, Title 73, Ch. 43, §2301 -2308, 2329) and/or other applicable data breach notification laws. University systems classified as High and Restricted must be scanned appropriately to identify PII using University approved scanning procedures. Users of University systems shall utilize the results of required scanning to facilitate proper handling of any and all PII identified.

University approved scanning procedures will be developed to identify stored PII to facilitate proper handling. Users are responsible for remediating (i.e., securely removing, redacting) unauthorized instances of PII on their systems. If, however, the scanning identifies PII that also is subject to a litigation hold, please contact the Office of General Counsel before remediating. Subject to the constraints of this Policy regarding authorization, the University also reserves the right to perform automated checks to detect and respond to the possible exfiltration of PII over its computer networks. Periodic security scans for PII will be administered to detect unauthorized instances of PII, when necessary. Deliberate failure to remediate unauthorized instances of PII may result in disciplinary action. Please see the following resource for specific guidance and direction as to current University approved scanning procedures.

Specific details on the permitted use, storage, and transmission of PII, as defined in this Policy, can be located in the below Standard:

PII Standard

This Standard will be enforced in the same manner as this Policy.

VENDOR CONTRACTS – In the event that a unit, department, or individual seeks to enter into a contract that involves PII, that particular unit, department, or individual is responsible for ensuring that adequate and appropriate safeguards and contractual provisions are in place relating to the collection, access, use, dissemination, and/or storage of this PII before entering the contract.  Moreover, before a unit, department, or individual enters into a contract that involves the use of PII, that unit, department, or individual must (1) notify and consult every other unit or department across the University involved, either directly or indirectly, about the necessity for PII in the performance of the contract, (2) seek approval from every other unit or department across the University whose interests in or records of PII may be disclosed or utilized in performance of the contract, and (3) seek approval from the Privacy Office. The applicable safeguards shall be documented in writing in an appropriate manner to ensure compliance.

IMPLEMENTATION AND EXCEPTIONS

Any questions regarding the content of this Policy or supplemental Guidelines and Standards should be referred directly to the Chief Privacy Officer (privacy@psu.edu) who has responsibility to interpret. 

POLICY VIOLATIONS

Federal, state, and/or local governments have enacted various laws and regulations relating to privacy to which the University is bound.  Compliance with this Policy is designed, in part, to ensure that the University is complying with its various privacy-related obligations.

To the extent any violation of this Policy results in, leads to, or is responsible for a reportable incident or penalties imposed by government regulators or agencies, then that specific department or unit operating in violation of this Policy may be required to cover all University costs associated with the resulting reportable incident and/or associated government penalties.

University employees or students who violate this Policy and/or supplement Guidelines and Standards may be subject to disciplinary action.

FURTHER INFORMATION:

For questions, additional detail, or to request changes to this policy, please contact the Privacy Office.

CROSS REFERENCES:

Other Policies should also be referenced, especially:

AD11, University Policy on Confidentiality of Student Records

AD22, Health Insurance Portability and Accountability Act (HIPAA)

AD35, University Archives and Records Management

AD65, Electronic Security and Access Systems (formerly SY33)

AD83, Institutional Financial Conflict of Interest

AD95, Information Assurance and IT Security

AD96, Acceptable Use of University Information Resources

HR60, Access to Personnel Files

RA02,  Addressing Allegations of Research Misconduct (Formerly RA10, Handling Inquiries/Investigations Into Questions of Ethics in Research and in Other Scholarly Activities)

RP07, HIPAA and Research at Penn State University

Most recent changes:

• January 26, 2021 - Updated links to the PII standard and privacy principles (moved from Box to SharePoint).

Revision History (and effective dates):

• May 30, 2018 - Updates include incorporating a Standard, the adoption of the Privacy Principles, updates to language on PII scanning, addition of sections on Implementation and Exceptions and Policy Violations, and retiring ADG08.

• September 18, 2017 - Editorial changes and updates to the definition of PII.

• February 22, 2016 - Major changes to the entire document to reflect the reorganization of University privacy policies.

• August 1, 2007 - Changes to POLICY section.
• August 28, 2003 - Significant rewrite emphasizing the balance between privacy issues and the need to observe state and federal laws and University regulations.
• February 22, 2000 - New Policy.