The University of Alabama, Division of Finance and Operations

Privacy Policy

Unit:  Compliance, Ethics, and Regulatory Affairs
Contact: Dr. Marcy Huey
Title:  Executive Director of Institutional Compliance
Effective Date: 1/21/2022
Revision Date: 01/21/2022

 
 

Purpose

This Privacy Policy sets the framework and guiding principles for the collection, recording, organization, storage, adaptation, alteration, retrieval, use, treatment, handling, disclosure, correction, access, processing, erasing, and destruction of personal data by employees of The University of Alabama (UA, University). In keeping with applicable state, federal, and international legislation, the University safeguards the privacy of students, employees, patients, University business, and other matters by protecting electronic and physical records considered confidential or sensitive data or records containing personally identifiable information (PII) and/or personal data. In addition, the University should comply with the laws and regulations regarding the protection of personal data in the countries where we travel and conduct business or to which we send or receive personal data, to the extent that they apply, and to the extent there is no conflict with applicable US laws.  The University is committed to protecting the privacy of personal data within its control consistent with all applicable laws, regulations, and University policies.  Personal data need not be sensitive, confidential, or secret to require protection under this policy. 

Policy

The University of Alabama is committed to the privacy and security of the personal data it maintains on behalf of the University community.  The University will try to take reasonable precautions to maintain privacy and security within its operations and respond quickly to situations that may compromise that privacy and security.  

The following principles form the basis for the Privacy Policy at UA.  These principles should be part of all personal data management activities. 
  • General Principle:  UA personnel should limit the collection, use, disclosure, access, or storage of information to that which reasonably serves the University's academic, research, or administrative functions or mission, or other legally required purposes. Information should be deleted when it is no longer needed for the stated business purpose or it is no longer required by law to be retained.  Such collection, use, disclosure, storage, and destruction should comply with applicable laws and regulations, and University policies, including the Public Universities of Alabama Functional Analysis & Records Disposition Authority Revision (RDA), 2017 edition and the Information Classification Policy.
  • Individual Access to Personal Data:  University personnel (individual end users) who are allowed to access personal data about data subjects must do so using their own individual UA credentials.  Accessing personal data with departmental credentials that are shared among multiple people is not allowed.
  • Other Privacy Policies:  Privacy Policies are University documents designed to instruct the internal campus departments on responsibilities and expectations related to privacy management.  Areas, divisions, colleges, departments, or programs may generate privacy policies governing their activities.  All such policies must be reviewed and approved in accordance with the UA Policy Development and Management Policy and Board Rule 108 for Divisional Policies. Additional privacy policies must refer to this Privacy Policy, cannot be less restrictive than this Policy, and cannot contradict the information included in this Policy.
  • Institutional Privacy Notices/Statements:  Institutional Privacy Notices or Statements are intended to inform the public about how UA will maintain personally identifiable information.  Individual programs or systems may have additional privacy statements associated with their use (see below).  All such statements must refer to the UA Privacy Statements and cannot contradict the information within. 
  • Individual Program or System Privacy Notice/Privacy Statement:  Users should be notified when their PII is being collected and they should be informed of their rights. All Web pages that collect PII should link to the UA Privacy Statements.  Any that collect additional PII beyond the categories covered in the UA Privacy Statements should include a custom privacy notice that specifies how the additional PII will be used. 
  • Review of Privacy Notices:  All Privacy Notices or Statements should be reviewed, cataloged for version maintenance and entry into the campus log, and approved by Compliance, Ethics, and Regulatory Affairs prior to posting.  These statements will:
    1. Identify the categories of PII collected through the commercial portions of its website or through its online service.
    2. Identify the categories of third parties with whom UA may share the PII.
    3. Provide a description of how an individual may make a request pertaining to PII collected through the website or online service and retained by UA.
    4. Describe the process by which UA will notify users of the commercial portion of UA's website or its online service of material changes to UA's Privacy Notice or Privacy Policy for that portion of the website or online service (it is sufficient to say that the policy will be updated online); and
    5. Identify the effective date of the notice and all updates.
  • Minimization:  The institution should gather only what PII is reasonably necessary for the legitimate business purposes and should delete such information when it is no longer needed for the stated business purposes or is no longer required by law to be retained (e.g., library records need not be kept for more than a certain limited period of time).
  • No Secondary Use:  PII should be used only for the purposes for which it was collected unless the potential usage of the information was disclosed to the individual at the time of data collection or the individual gives consent for the additional purposes. 
  • Nondisclosure and Consent:  PII should not be released to third parties external to the University without consent of the data subjects and/or appropriate University contract agreements (e.g., vendors, business, etc.), unless required by law.
  • Consent:  When consent is used as a justification for collecting or processing PII, this consent must always be documented and tracked, and individuals must be informed who to contact or the process to follow to revoke their consent.
  • Need to Know:  Only those with legitimate, official UA business needs should have access to PII.  Each system storing PII should have a documented process for requesting, approving, and granting access to the information. This process should identify the person responsible for approving access, verifying completion of any training or orientation obligations prior to access, and documenting the justification for all decisions allowing or denying access. These procedures should be consistent with this Policy and the Information Classification Policy according to the type of data involved. 
  • Data Accuracy, Inspection, and Review:  PII should be accurate and discrepancies should be corrected when they are discovered. Individuals should, with limited exceptions, have the right to examine information about themselves and request changes.
  • Data Mapping:  Information about data flows, data acquisition, transfers, or systems should be included in regular data mapping assessments. Updates to the data map should be made as necessary and reviews of the data map should be performed regularly.
  • Information Security, Integrity, and Accountability:  Data should be classified and handled according to the Information Classification Policy.
  • Training and Education:  The University complies with applicable laws, regulations and guidelines by providing training and education to its constituents concerning their own privacy rights as well as the proper handling of PII entrusted to them in order to carry out their required job functions. 
  • Legal and University Process:  The University may disclose information in the course of investigations and lawsuits, in response to subpoenas, in response to open records requests, for the proper functioning of the University, to protect the safety and well-being of individuals or the community, and as permitted by law.
  • Confidentiality:  Members of the UA community are subject to the confidentiality and privacy provisions in the Code of Ethical Conduct and other confidentiality requirements that may be placed on them as a result of the information they access.
  • Ephemeral Communications:  In accordance with federal guidance, UA departments, faculty, staff, or contracted vendors should not use ephemeral communications (e.g., Snapchat, Confide, etc.) for conversations about University business.  This includes conversations between colleagues, communications with current or prospective students, or any other type of conversation or communications that could be considered a “University record” or “official communication” that requires documentation or record retention.
  • Prohibited Information, including Social Security Number (SSN) and Driver’s License Number (DLN):  UA departments should not use an individual's SSN or DLN as a personal identifier unless required by law. To the extent possible, CWID or University email should be used as a primary form of identification.

Responsibilities

Executive Director for Institutional Compliance

The Executive Director for Institutional Compliance is responsible for the coordination and oversight of the University’s Privacy Program.  The ultimate goal of the Privacy Program is, as much as is practicable, a holistic privacy strategy, including a privacy breach response playbook, University-wide privacy and data management standards, comprehensive data mapping and risk assessment strategies, and inclusive coordination and oversight.

To carry out these responsibilities, the Executive Director for Institutional Compliance will collaborate with UA's Chief Information Security Officer, the Office of Counsel, other University subject matter Privacy Officers and University administration, as appropriate.

Privacy Officers

The University has designated certain officials with primary responsibility for establishing policies and procedures governing University compliance with certain specific privacy laws and regulations:
  • FERPA: The University Registrar has primary responsibility for establishing policies and procedures related to compliance with the Family Educational Rights and Privacy Act.
  • HIPAA: The University’s HIPAA Privacy Officer, in coordination with the University’s HIPAA Security Officer, has primary responsibility for establishing policies and procedures related to compliance with the Health Insurance Portability and Accountability Act of 1996 and providing guidance for other non-FERPA medical privacy requirements for UA's Covered Entities and health practices.
  • International Privacy Standards: The Executive Director for Institutional Compliance has primary responsibility for establishing policies and procedures related to compliance with international privacy standards, including the EU General Data Protection Regulation (GDPR) and other international privacy standards.

Institutional Privacy Committee

The Institutional Privacy Committee (Committee) is charged with evaluating privacy policies, procedures, and operations to identify potential areas of vulnerability and risk and set strategic direction for privacy and data management programs at UA.

Data Stewards/Data Owners

Each Data Steward, each data owner, and anyone who retains custody of personally identifiable information is responsible for the application of this policy and all related University policies to the systems and information under their care or control. 

Violations

Failure to follow proper policies and procedures concerning access, storage and transmission of personally identifiable information may result in sanctions and disciplinary action up to and including termination of employment or other applicable administrative processes.  In less serious cases, failure to comply with this policy could result in denial of access or revoking access to personal data.  Violations of legal obligations may result in civil or criminal penalties.

Members of the UA community who believe that these policies have been violated should report such violations to Compliance, Ethics, and Regulatory Affairs (privacy@ua.edu, 205-348-2334). Complaints or concerns may also be reported anonymously by calling the Compliance and Fraud Hotline at 1-866-362-9476, or reporting it online.

Any School, Department, or Authorized Agent of the University found to have knowingly and willfully violated this Policy may be held accountable for some or all of the financial penalties and remediation costs that are a direct result of this failure.

Definitions 

  • Data Subjects:  Real persons.
  • Data Steward:  Representatives of the University who are assigned responsibility to serve as a steward of University data in an area.
  • Disclosure:  The release of, transfer of, provision of access to, or other communication of information outside of the University community.
  • Electronic Records: Electronic transmissions or messages created, sent, forwarded, replied to, transmitted, distributed, broadcast, stored, held, copied, downloaded, displayed, viewed, read, or printed by one or several electronic systems or services. This definition of electronic records applies equally to the contents of such records, attachments to such records, and transactional information associated with such records.
  • Ephemeral Communications:  Ephemeral messaging is the mobile-to-mobile transmission of multimedia messages that automatically disappear from the recipient's screen after the message has been viewed. The word "ephemeral" describes something that only lasts for a short period of time.
  • Personal Data:  Personal data means data that is
    • In electronic, paper, or any other form, whether oral or in writing, AND
    • That relates to a living individual (the data subject) who can be identified, directly or indirectly, from the data or from other information which is in the possession of or likely to come into the possession of UA or UA employees.
Personal data does not include data concerning a company, partnership, or association.  Personal data related to a person who is deceased shall be treated with these rules in mind, subject to applicable laws which may impose lower obligations with respect hereto.
  • Personally Identifiable Information (PII):  Personally identifiable information is any data that could potentially be used to identify a particular person, or to distinguish one individual from another.  Depending on the regulation in question, examples of this type of information can include full name, Social Security number, CWID, email address, bank account or tax information, etc.
  • Privacy Policy:  An internal statement that governs an organization or entity’s handling practices of personally identifiable information. It is directed at the users of such information inside the organization. A privacy policy instructs employees on the collection and the use of personal data, as well as any specific rights the data subjects may have.
  • Privacy Statement (AKA Privacy Notice):  A publicly available statement made to a data subject that describes how the organization collects, uses, retains, and discloses personal information. A privacy notice is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy, although this practice is discouraged at UA. For the avoidance of confusion, UA uses Privacy Statement or Privacy Notice to refer to externally focused communications and Privacy Policy to refer to internally focused communications.  Special privacy notices are also mandated by specific laws such as the Gramm-Leach-Bliley Act (GLBA) and the Children’s Online Privacy Protection Act (COPPA) in the United States.
  • Sensitive Personal Data:  Sensitive personal data is a specific set of “special categories” that must be treated with extra security. This includes information pertaining to:
    • Racial or ethnic origin.
    • Political opinions.
    • Religious or philosophical beliefs.
    • Trade union membership.
    • Genetic data; and/or
    • Biometric data (where processed to uniquely identify someone).
  • University Administrative Record: A University record (see definition below) that is directly related to the conduct of the University's administrative business.
  • University Record: By law, University records are any papers, books, photographs, tapes, films, recordings, or other documentary materials, or any copies thereof, regardless of physical form or characteristics, made, produced, executed, or received by any department or office of the University or by any academic or administrative staff member in connection with the transaction of University business, and retained by that agency or its successor as evidence of its activities or functions because of the information contained therein.
  • University Electronic Record: A University record in electronic form, whether or not any of the electronic communications resources used to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print the record are owned by the University. This implies that the location of the record, or the location of its creation or use, does not change its nature as a University electronic record for purposes of this or other University policy.  Until determined otherwise or unless it is clear from the context, any electronic record residing on university-owned or controlled telecommunications, video, audio, and computing facilities will be considered a University electronic record for purposes of this Policy.
  • University Data:  Data that are maintained in support of a functional unit's operation and meet one or more of the following criteria: 1) the data elements are key fields, that is, integration of information requires the data element; 2) the University must ensure the integrity of the data to comply with internal and external administrative reporting requirements, including institutional planning efforts; 3) the data are reported on or used in official administrative university reports; or 4) a broad cross section of users requires the data.

Scope

This policy applies to:
  • Personal data in records maintained in any form, including but not limited to, paper, electronic, digital, audio, or video.
  • Records created via The University of Alabama website including cookies or other tracking items.
  • All members of the UA community, including but not limited to students, post-doctoral scholars, faculty, lecturers, instructors, staff, third-party vendors, and others with access to personal data or UA information systems used or controlled by the University.
In addition, everyone who retains custody of PII, each Data Steward, and each information system owner is responsible for the application of this policy and all University policies related to the systems and information under their care or control. 
 
 

Office of the Vice President of Finance and Operations

Approved by Cheryl Mowdy, Assistant Vice President for Finance and Operations, 01/21/2022