Protect University Data
As a premier educational and research institution, we work with personal data about students, faculty, staff, alumni, parents, patients, research subjects, and visitors. We also work with health records, research data, financial records, and more. Being stewards of such information, it is critical that we properly use and safeguard information about individuals and assets.
Note: Click to expand.
Appropriate Use of UC Data
There are many different laws and policies that govern the collection, use, and protection of the various types of information that we have at the University.
- FERPA governs student educational records.
- Medical records are mainly covered under HIPAA.
- The California Information Practices Act (IPA) places specific requirements on our collection, use, maintenance, and dissemination of information relating to individuals.
- Consumers' finanancial information is regulated under the Gramm-Leach-Bliley Act.
- Payment Card Industry's Data Security Standard (PCI DSS) (pdf) sets forth the standards for the use and storage of credit/debit card information.
- The University of California Electronic Communications Policy (ECP) (pdf) and the UCI Implementation Guidelines both address when the University may examine or disclose electronic communications records, such as email.
- The disclosure of public records is governed under the California Public Records Act (CPRA) (pdf).
Eliminating Unnecessary Data
Collecting and keeping unnecessary information can lead to data breaches that are otherwise avoidable. Follow University document retention guidelines and properly delete or purge information that is no longer required for administrative operations, teaching, research, services, or other University-related functions.
- Unnecessary electronic files which contain sensitive data should be appropriately deleted, using methods which ensure the data is properly destroyed.
- Consider using Identity Finder to locate social security numbers, credit card data or other financial account numbers, drivers license/identification card numbers, or other sensitive data, which are stored electronically and that you may not know you have.
- Shred paper records with unnecessary sensitive information that you no longer need to keep.
- Take care to securely wipe existing sensitve data before disposal of computers, USB drives, and other devices. Contact UCI Equipment Management for proper disposal of computers and other devices. UCI Equipment Management will pick up the unused device(s), securely destroy them and provide a certificate of destruction.
For more information about sensitive data destruction, see Sensitive Data Destruction Guidelines.
Get Consent or Approval Before Accessing Data
The University recognizes that principles of academic freedom and shared governance, freedom of speech, and privacy hold important implications for the use of electronic communications (which includes email, network activity, and messaging systems. The UC Electronic Communications Policy (ECP) (pdf) affirms that the University does not examine or disclose electronic communications records without the holder's consent, with few exceptions under very limited circumstances as described in ECP section IV.B, "Access Without Consent".
Access Without Consent.An electronic communication holder's consent must be obtained by the University prior to any access for the purpose of examination or disclosure of the contents of University electronic communications records in the holder's possession, with few exceptions as described in ECP section IV. "Access Without Consent".
When the contents of electronic communications must be inspected, monitored, or disclosed WITHOUT the holder's consent, such actions must be first be authorized.
At UCI, access without consent must be approved by one of these authorized administrators (See UCI Implementation Guidelines.) This authority cannot be delegated.
- Faculty and Librarian records - Executive Vice Chancellor
- Staff records - Vice Chancellor - Administrative Business Services
- Student records - Vice Chancellor-Student Affairs
- Medical Center records - Chief Executive Officer, UCI Medical Center
Individuals who have been granted access to electronic communications records:
- Must not use the grant of access to obtain records other than those required to continue University business in the holder's absence.
- Must limit their inspection of records to the least perusal of contents and the least action necessary to obtain the needed records.
- Must not seek out, use, or disclose personal information contained in the records except for University business purposes.
- Must not violate the UCI Computer and Network Use Policy regarding use of false identity.
- Must take all necessary steps to protect the access and/or account from unauthorized use.
For questions regarding access to electronic communications (which include email, network activity and messaging systems), please contact Information Security Officer Isaac Straley (firstname.lastname@example.org) or Campus Privacy Official Tawny Luu (email@example.com).
Establish On/Off Boarding Procedures for New Hires/Separated Employees With Respect to Personal Information
Before an employee separates from the University, give the employee an opportunity to remove all personal information from University accounts and devices. For business continuity purposes, accounts may need to be accessed after the employee has separated from the Univeristy, so giving the employee an opportunity to remove all personal information ensures that private information is not accessable by others. Although not required, after the employee has removed all personal information from University accounts and devices, consider having the employee sign a form authorizing access to the account(s) for business contintuity needs.
Separate Work and Personal Emails
It is good practice to use a University email account for work-related matters only and a non-University email acount for personal emails. Athough the University respects the privacy of individuals, certain situations may require the disclosure of the content of email communications, such as in Public Records Act requests, subpoenas, legal proceedings, investigations, business continuity purposes and other situations. You may be required to hand over email communications so keeping business and personal accounts separate is a good idea.
Use Strong Security Protections
Information security is an important component of information privacy. Maintaining the security of information is critical in protecting the privacy of that information. See UCI Security Controls for tips on information security.
Evaluate Third Party Services
It seems new third party services are popping up each day that promise to make teaching, data storage, operations and services easier and faster. Many are free or offered at very low costs. However, putting University data in the hands of a third party supplier can create unintended risks for the University, including data loss and breaches, access by unauthorized individuals, service outages, inadequate technical support, and potential legal or regulatory non-compliance issues. Using third party services can have privacy implications where student data, health records, financial records, research and other data are involved.
When exploring a third party service, always first consider whether the University has an existing agreement with the service provider. Choosing a third party service provider with an existing University contract is a good idea because it usually means data security and privacy protections are consistent with UC policies, standards, and legal requirements. Be especially cautious of "click through" agreements as you may be agreeing to terms that are inconsistent with UC policies and standards.
For information on general third-party cloud services, see Guidance on the Use of Cloud Services. For more information about the evaluation of third party instructional tools, see http://sites.uci.edu/cloud/.
Think Privacy By Design
Privacy by Design (PbD) is an approach that integrates privacy into the design specifications of new projects, technologies, business practices, physical infrastructures or any new processes. The idea is to imbed privacy protections into the specifications and architecture of new projects or systems, business practices and processes from the beginning and throughout the process. PbD is privacy by default, as opposed to having privacy be an after-thought. For example, consider privacy in contract negotiations or partnerships. Contact Campus Privacy Official Tawny Luu (firstname.lastname@example.org) and Purchasing and Risk Services early in the negotiation process for help with privacy protections in contracts. Think through potential privacy risks when engaging with suppliers or partners who work with University data.
Consider using a Privacy Impact Assessment for any new initiative, project or activity, large or small, that involves the collection, use, or disclosure of personally identifiable information.
Privacy-related questions can be directed to Campus Privacy Official Tawny Luu (email@example.com).