Data Privacy Policy
Policy Area: IT
Policy Title: Data Privacy Policy
Submitted Date: 2/21/2021
Effective Date: Immediately
Submitted By: Eric Beadle
Approved By: CIO
Policy Owner: IT
Policy Statement: Albion College (“the College”) is committed to maintaining the privacy, integrity, security and availability of confidential information created, received, maintained and/or stored by the College, regardless of form.
Primary Impact On: All
Purpose and Scope: This Policy explains the obligations of all members of the College community to protect non-public information and records from unauthorized use or disclosure. It is designed to address applicable federal and state law governing privacy and confidentiality of information, as well as any applicable international privacy regulations.
Everyone with access to College information and records must comply with this Policy, including without limitation, students, faculty, staff, alumni, volunteers, contractors, vendors, consultants and other third parties. It protects all proprietary and non-public information acquired by way of one’s relationship with the College, regardless of how it is stored or recorded. Student information is also governed by College FERPA policies relating to student records.
This Policy covers all “Confidential Information,” which means information that is obtained by way of one’s relationship with the College that is not a matter of public record or public knowledge. It includes, without limitation, personal information; College business and financial data, proprietary information and trade secrets; and any other information for which access, use, or disclosure is restricted by any applicable law, regulation or College policy. Confidential Information that is created, documented, received, maintained and/or stored for College business, regardless of its form, is a “Record” covered by this Policy. If uncertainty exists about whether something is covered by this Policy, users should treat the item(s) as private and confidential, until directed otherwise by the Office of Legal Affairs and/or appropriate College official.
Use of Confidential Information and Records:
The College limits collection and use of Confidential Information and Records to that required by and necessary to fulfill legitimate College purposes. The College prohibits selling, renting, giving away, loaning or otherwise disclosing any collected or stored personally identifiable information to any third party for commercial purposes. The College may use or share Confidential Information internally or with third parties, for authorized College purposes, such as: to provide and improve College services or communications to stakeholders and users; where necessary or appropriate as required by law; to prevent or address fraud, security or technical issues; or to protect the rights, property or safety of the College and its users.
Confidential information and records must never be accessed or disclosed without authorization, and all questions about applicable law must be directed to the Office of Legal Affairs. Those with access must maintain Confidential information and records as confidential, unless authorized by an appropriate College official. Confidential information and records also must be maintained and secured according to these principles:
- Confidential information and records are to be accessed, used and disclosed only with explicit authorization, in accordance with applicable law, and on a need-to-know basis related to a College function. Such information must never be disclosed outside of the College without express authorization.
- Records must be maintained and disposed of according to the College’s Policies on Retention and Destruction of Records, and any applicable law or regulation.
- Records may only be received, maintained, accessed or transmitted on College resources in accordance with the requirements and safeguards of the College’s Acceptable Use and other applicable policies.
- All users must safeguard any physical key, ID card or computer, network account or password that enables access to Confidential information and records.
- Upon conclusion of employment or service with the College, all originals and copies of confidential information and records, regardless of form, must be returned to the College and all access to and use of such information shall cease.
- Information that the College collects may be subject to disclosure under the Michigan Freedom of Information Act (“FOIA”) unless exempt; thus, all FOIA requests shall be directed immediately to the Office of Legal Affairs and processed under the FOIA Request Policy.
- Hiring units are responsible for informing individuals who work or volunteer for the College of their specific responsibilities under this Policy and related procedures.
- Any known or suspected misuse or inappropriate disclosure of Confidential information or records should be reported immediately to a supervisor, HR, or the Campus Conduct Hotline.
State of Michigan Data Standards:
To help users appropriately secure and manage Confidential information and records, the College has adopted various Data Standards set by the State of Michigan (safecomputing.umich.edu) that, among other things, categorize data by sensitivity and risk level and designate roles and responsibilities for data use and management.
Contact [email protected] for any questions.